593bcd5eb5601e52b7d042328e100ce71ed2128561e1f6ef6ae2cd7a49b9f835

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4ddea76f9fcd8da85423aa166f9e23d_JaffaCakes118.exe
Size

521KB
MD5

b4ddea76f9fcd8da85423aa166f9e23d
SHA1

8e96031d2a8b0955a0a0f55209edd57952a2e2ee
SHA256

593bcd5eb5601e52b7d042328e100ce71ed2128561e1f6ef6ae2cd7a49b9f835
SHA512

3f21d655af0ca2b6542c57b9929fcf99fe3a994f50bbeaf0a3a62ca740edf4b9ab0a62b50a9898f6ca72e5f7766ddcd03a5ee4c2666dc49f378ffdbe9351b808
SSDEEP

12288:+ylIvHucpkHuX6J65ZBGpTDk/hUOtYyUmr9yr54:dOvHkH66aCg/hvUIyG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2980	stdrt.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	stdrt.exe
2980	stdrt.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4ddea76f9fcd8da85423aa166f9e23d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stdrt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2980	stdrt.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2980	stdrt.exe
2980	stdrt.exe
2980	stdrt.exe
4304	OpenWith.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 2980	4760	b4ddea76f9fcd8da85423aa166f9e23d_JaffaCakes118.exe	84
PID 4760 wrote to memory of 2980	4760	b4ddea76f9fcd8da85423aa166f9e23d_JaffaCakes118.exe	84
PID 4760 wrote to memory of 2980	4760	b4ddea76f9fcd8da85423aa166f9e23d_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\b4ddea76f9fcd8da85423aa166f9e23d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4ddea76f9fcd8da85423aa166f9e23d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\mrtB48B.tmp\stdrt.exe
  "C:\Users\Admin\AppData\Local\Temp\mrtB48B.tmp\stdrt.exe" /SF "C:\Users\Admin\AppData\Local\Temp\b4ddea76f9fcd8da85423aa166f9e23d_JaffaCakes118.exe" /SO94208
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrtB48B.tmp\KcActiveX.mfx

Filesize
288KB

MD5
15b3c3bed1181261e8c75f3a737c86a6

SHA1
16d55b62d9ac287eab04583d65f71a0753a61ae3

SHA256
af920de169c975d5ab9cb407a454c60723c7f6ca5d24ee0e229aae98b93d6aad

SHA512
5099044f9aac7364d2154ae6d17aa9fc1f3b8dd97a2a1806ff40323fbb3c41bc82c839551e3f04e5706ddcfb12743249e185af61f60146591c9c02430825c25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtB48B.tmp\MMFS2.dll

Filesize
296KB

MD5
fcdc7975ffb8a1c06d57e78910edc48c

SHA1
3e5d5d580ed6ae95d59d3794dd8e524002901aa2

SHA256
cf973b83ec737c5d9f98c0befec8bbf4f157bfab78388c86a4cbe2327ca91653

SHA512
8cd43b8edeef51a95d54e68d7dadc1c8f01de2c73d1dcfc0d81af4a5b381ea0fd4e05c41509283a6bbbb669af2809fce94546b6fa7eb044037fa0701ea54d194

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtB48B.tmp\stdrt.exe

Filesize
324KB

MD5
cc4113856c0bd5a1910f8cc5c37d6d78

SHA1
69621b8f1dfea6e7a0c759033984f0ae8319c118

SHA256
0457b7a73873892eeae4871f9eb8bd16ffc33e3d61b77e04c150ccbb11a1dcbf

SHA512
0692a5d220a6059da9be53251b7793a3c18af5e59d40390b7ba269e9344862e96f5e18cf56d33393dd7732495f382fdc8f55af83f81452dfd2ec20d058b60682

Download Submit