1a090728733fec9f2026d8f3f9232c2f9037ab81b4b88fea26fbe44f5380afba

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe
Size

116KB
MD5

b2070c21fbeaf080cd173001679388b3
SHA1

c84ee2f9448285ff5553083773a2514b3117fa85
SHA256

1a090728733fec9f2026d8f3f9232c2f9037ab81b4b88fea26fbe44f5380afba
SHA512

168a0a1984ca1aefd3902f0c1651bf574fe2503af45eb0166aea818aa47406681dc8fa12fa38a2563b4b65b1c78eaebc393ededa7b5e3f0af867f7c6eb05f440
SSDEEP

3072:98RTVXDNJqxSA5HDc3I3nNoOsRXurRUQzj+50/U:SZRcx5VMpOKXur2Qf+50

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1752	Lsapea.exe
176380	Lsapea.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Lsapea.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Lsapea.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe
File created	C:\Windows\Lsapea.exe	b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe
File opened for modification	C:\Windows\Lsapea.exe	b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Lsapea.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Lsapea.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lsapea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lsapea.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	Lsapea.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\International	Lsapea.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe
1752	Lsapea.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 1752	3128	b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe	94
PID 3128 wrote to memory of 1752	3128	b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe	94
PID 3128 wrote to memory of 1752	3128	b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2070c21fbeaf080cd173001679388b3_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\Lsapea.exe
  C:\Windows\Lsapea.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
1⤵
PID:6156

C:\Windows\Lsapea.exe
C:\Windows\Lsapea.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:176380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
cd1075d848a5e0142bd3b5d66726041c

SHA1
7454695e25d304c65d0c1333d8008e862569cae9

SHA256
3089c464221340fed4229d6ba913a04224c91b44158c22163e8849eb7dcc4878

SHA512
aa2e001ec1993ed9f1ce2722bcadccb723cb9019f650a1002e2770f5fe1422ca5225f9a1342cb4541bc1a08ed348f07e362069a247bc1d9267f25a8ff3fc642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
C:\Windows\Lsapea.exe

Filesize
116KB

MD5
b2070c21fbeaf080cd173001679388b3

SHA1
c84ee2f9448285ff5553083773a2514b3117fa85

SHA256
1a090728733fec9f2026d8f3f9232c2f9037ab81b4b88fea26fbe44f5380afba

SHA512
168a0a1984ca1aefd3902f0c1651bf574fe2503af45eb0166aea818aa47406681dc8fa12fa38a2563b4b65b1c78eaebc393ededa7b5e3f0af867f7c6eb05f440

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
390B

MD5
8521de7f8f672e9da6ae96c91aa61f95

SHA1
bff06ecdf52e0a817e9fd35e6402de3fbd5fbb33

SHA256
a6566252a459359b1db84bd5bf61dbe87ee906eec97457d864f21597a62b42f5

SHA512
d6c5122e3b34d3591acb153d779258b7d3104045a8f662bfc32c9b2b62252bc681c5b8c0590f23d572b5f0b5dae480bbc51cfbf42fca9fc89b1c5ff73968bf75

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
264B

MD5
9c60646f679f0f52c199c8f9640fd716

SHA1
b62b4d84afa5e824878f383a76c8a7bba118d74b

SHA256
7d1e04c32cbdc102c328a0bf1a2c9d27077c6125f7f09fc5724ff1863bfd0122

SHA512
f77696b47be6ea1436cb879ee3a57c2f271fe22ab6b0be2e8b743c210caada86c59000bca9fe65ae95e528da2558be0ae9fa3642bb245b5b8b9557f0552de7b2

Download Submit
memory/1752-135468-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1752-20386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1752-135469-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1752-135471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1752-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1752-135484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3128-20405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3128-1-0x0000000002220000-0x0000000002243000-memory.dmp

Filesize
140KB

Download
memory/3128-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/176380-135476-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/176380-135477-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/176380-135481-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download