e479679c63286ff4e25c19f6145fa512b807e80081f47823cb9c6eaf83c5b963

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b32d324c810102d98103ae0c8a220609_JaffaCakes118.exe
Size

1.7MB
MD5

b32d324c810102d98103ae0c8a220609
SHA1

eff132c1ec48a2be5b4fe8a7b3017242825b4ff9
SHA256

e479679c63286ff4e25c19f6145fa512b807e80081f47823cb9c6eaf83c5b963
SHA512

4b50fcdd270980e5916864bbc46e154362d1948c720c8b2611310527ad05b44435e1d46d217b6d3af673f2d45d54e547d0fb8b0bf9faa307bb81ca7ec62e216b
SSDEEP

49152:kGAnLQ2BMhK5t/MH1qXxUZWsRtd7j8UV5flcQrQypfOmPeaxtJWng:ZUOE5y1qWZvtlj8Y5flcQxFOAeaJWng

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
772	is-2TSAN.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b32d324c810102d98103ae0c8a220609_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-2TSAN.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 772	1100	b32d324c810102d98103ae0c8a220609_JaffaCakes118.exe	84
PID 1100 wrote to memory of 772	1100	b32d324c810102d98103ae0c8a220609_JaffaCakes118.exe	84
PID 1100 wrote to memory of 772	1100	b32d324c810102d98103ae0c8a220609_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\b32d324c810102d98103ae0c8a220609_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b32d324c810102d98103ae0c8a220609_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\is-R5SPI.tmp\is-2TSAN.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R5SPI.tmp\is-2TSAN.tmp" /SL4 $A0032 "C:\Users\Admin\AppData\Local\Temp\b32d324c810102d98103ae0c8a220609_JaffaCakes118.exe" 1571217 55808
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-R5SPI.tmp\is-2TSAN.tmp

Filesize
655KB

MD5
5a3d7d866f2a1fb883186b6f96ba2fc7

SHA1
0f0bd984317c357242c2dc093c6b422d7f8e72d7

SHA256
5d1d47474d2c69a1e85cfe50b85843b1b12a14b19f11e5126112968cfc3bba1d

SHA512
e62b50020979fc9fca3fb867b1f3d4072bb1fcf1e018c44a0097bc9393f02984297008d8c93569614bad1b56ce062f2b7450da1e0b3d06adc8bb2435cd8e0aeb

Download Submit
memory/772-12-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/772-14-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1100-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/1100-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1100-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download