a95f03a792aff5a2b5f9e5a5537300955b8a5c678c502b749fb192e1323482aa

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.exe
Size

4.6MB
MD5

b0c10c0f93e18f7d58fd45aea765938a
SHA1

08be5fdf55f03f8d7cb96846dbc6bd9c446c107c
SHA256

a95f03a792aff5a2b5f9e5a5537300955b8a5c678c502b749fb192e1323482aa
SHA512

3a99c202dbf402d7740171d4fca6ee5eba3cabe74ab8c0633776a02b2a65ef216879b9fa2ca64be4e4662242597aa07dcc346bd6f2941ffb7afedc28a9d58165
SSDEEP

98304:pghmLDE5JNQ6KLIJFHPLragZGr4RAUDAQh9/SVEBkob:KhccyxETvPaSGF6xSAN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1440	b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 1440	5112	b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.exe	84
PID 5112 wrote to memory of 1440	5112	b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.exe	84
PID 5112 wrote to memory of 1440	5112	b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\is-P5N90.tmp\b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-P5N90.tmp\b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.tmp" /SL5="$50118,4578614,67072,C:\Users\Admin\AppData\Local\Temp\b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-P5N90.tmp\b0c10c0f93e18f7d58fd45aea765938a_JaffaCakes118.tmp

Filesize
696KB

MD5
bd13390a9d8fb684122b55edf6c0e66d

SHA1
d1e774ad8409d679cb4f4ebd7ec1ba509d499ecf

SHA256
0a00345540052f5fff83730db9204fec6621345c60b936cdc3e979a945104eaf

SHA512
c3354536801aa15124f3d3b98214e8b58084375516a14aa687d258b62ab837c4711379c4abdbd4dcb2834f70d7984698582d812a70567d140cdc07c6a08d1ebd

Download Submit
memory/1440-12-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1440-14-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5112-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/5112-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5112-13-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download