ab38b562c9e0eaafda3eb3bf80b620355a76d38e2bf282e706466149cab8e27b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b24f472ea0160c47d8fa64b0fa18942b_JaffaCakes118.dll
Size

568KB
MD5

b24f472ea0160c47d8fa64b0fa18942b
SHA1

d15089cb12055ff9fb053a0313f48408aa3e3e29
SHA256

ab38b562c9e0eaafda3eb3bf80b620355a76d38e2bf282e706466149cab8e27b
SHA512

549d0f6fedfb1716ea5b5f846a8b234fcae40e8ec6be1de83f9f4ff54d415a159a819408008cc92987715479d1e7c28acd1a158e700ffaaae8a89d4e8a9cf2b7
SSDEEP

12288:zwipBPtfGbOqctilAGv/I/ySFsiubQ8ZBPuDqJgUk5f7Dk6r1drT:zFfGbOx4R/I6SFms8ZpZGxtk6rrv

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3068	3044	rundll32.exe	30
PID 3044 wrote to memory of 3068	3044	rundll32.exe	30
PID 3044 wrote to memory of 3068	3044	rundll32.exe	30
PID 3044 wrote to memory of 3068	3044	rundll32.exe	30
PID 3044 wrote to memory of 3068	3044	rundll32.exe	30
PID 3044 wrote to memory of 3068	3044	rundll32.exe	30
PID 3044 wrote to memory of 3068	3044	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b24f472ea0160c47d8fa64b0fa18942b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b24f472ea0160c47d8fa64b0fa18942b_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3068-0-0x0000000000170000-0x00000000001F1000-memory.dmp

Filesize
516KB

Download