f9dc42a361f6fe842e487e0eb97d221669d943f7e386a46dce68d9045356674e

Analysis

max time kernel
134s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3d5571f73f40bf4a51241fd90de6c5e_JaffaCakes118.exe
Size

11KB
MD5

b3d5571f73f40bf4a51241fd90de6c5e
SHA1

903ff9b58405892c905529762c3e8cd2fe74c7dc
SHA256

f9dc42a361f6fe842e487e0eb97d221669d943f7e386a46dce68d9045356674e
SHA512

8950199fd466a105a4ecbd4958edf2b3e5db4d97e461160a76b65d5aa90f6178c40bbbde7839d67a915a70f99140f11fb624b40ff14f4b8b85e2fa32bea9fd7d
SSDEEP

192:zv9u1SO121Z7PKoHNBLGAEnDa18+0Ypg4NQ8Rgm0O3+vFaNJhLkwcud2DH9VwGfT:zvLOOioHPqAoGS+E4NQggcgaNJawcudu

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4540	A911.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4792-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/4792-9-0x0000000000400000-0x000000000040C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3d5571f73f40bf4a51241fd90de6c5e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A911.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 4540	4792	b3d5571f73f40bf4a51241fd90de6c5e_JaffaCakes118.exe	84
PID 4792 wrote to memory of 4540	4792	b3d5571f73f40bf4a51241fd90de6c5e_JaffaCakes118.exe	84
PID 4792 wrote to memory of 4540	4792	b3d5571f73f40bf4a51241fd90de6c5e_JaffaCakes118.exe	84
PID 4540 wrote to memory of 3900	4540	A911.tmp	85
PID 4540 wrote to memory of 3900	4540	A911.tmp	85
PID 4540 wrote to memory of 3900	4540	A911.tmp	85

C:\Users\Admin\AppData\Local\Temp\b3d5571f73f40bf4a51241fd90de6c5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3d5571f73f40bf4a51241fd90de6c5e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\A911.tmp
  C:\Users\Admin\AppData\Local\Temp\A911.tmp C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A911.tmp

Filesize
16KB

MD5
d3aa34535708578e38a91e6c1c23e092

SHA1
59b653a4e09e28c6bc6b80eaa2372ff7d3f91a39

SHA256
6dfcf0e6fa9bdf38de81dd93c4a2a372e46fecc9ccd7b4b31df5e1e8c77d1e2e

SHA512
275e303cd015de5c022dce4d7be156f23204f4f128e51b8482ab4a8fcaa0b386759dd42be1dde78fbbf3dc843c66d83456a60d4f2e528e6f44be89c9143f6051

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
3KB

MD5
a432cb03d66fb1003602ed3f629c30b5

SHA1
d08edd307051fb0547f8a08a31610d0c1569fbe5

SHA256
2f2307c29b917bb543fbb884590bf305b95a7f0adbc7cab263dac2ff5001d98c

SHA512
e451d03e4fd9bb3b59fa8e835679bb055d25bfd8423dfe53f17e342be4c1909a02c15683dee17b074ac1721a738007b5bd0825f0d06ea50190ae363e94607e4d

Download Submit
memory/4540-4-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4540-11-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4792-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4792-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download