8e5ad39525bb4728e954bf3708634312e15dece8c35e08f208998495c7867342

Analysis

max time kernel
135s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6edd1fdabcfae83758b42615d0391f6_JaffaCakes118.exe
Size

1.6MB
MD5

b6edd1fdabcfae83758b42615d0391f6
SHA1

805cab25a87d89d14dc193d46ceee84158814dd4
SHA256

8e5ad39525bb4728e954bf3708634312e15dece8c35e08f208998495c7867342
SHA512

278f1052a2f58e9e1b66be155b06c11acb52aed7c6ad162eb77bc3c70917f8c2499b393c30e0712e747e10d2d327fd2328b98b0abb4eb2582977209dfdfdf577
SSDEEP

24576:6Bb5ta7ShseSshw9C0nsMFw/NtE4oUs09Pt5g6fMXWSTUYTl/qNtJfVZUHUQQU:2bTaSh0nxstLtT5EXfUYTNq/JI0Q5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1144	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6edd1fdabcfae83758b42615d0391f6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1144	irsetup.exe
1144	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 1144	4040	b6edd1fdabcfae83758b42615d0391f6_JaffaCakes118.exe	84
PID 4040 wrote to memory of 1144	4040	b6edd1fdabcfae83758b42615d0391f6_JaffaCakes118.exe	84
PID 4040 wrote to memory of 1144	4040	b6edd1fdabcfae83758b42615d0391f6_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\b6edd1fdabcfae83758b42615d0391f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6edd1fdabcfae83758b42615d0391f6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
7KB

MD5
2414b0b43387e28dba8cbd0964b1617c

SHA1
8dbd9997015a782101167e4c460ea0f3bf5568e1

SHA256
f0a0df5fdd76c46560371790798ccc1ec0425faad3a7db49e9d2ab51a629ea3b

SHA512
a4f058fa125708199cf11f5a961896b67e9c3df038bd57de27e99c03d257f294bcb4b1229487827fa97feda5e44c830ec35e82e5a569f3fbb63a8a3584dc2383

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
7KB

MD5
e29a24e189e95681bb41f73c16747fd8

SHA1
e9269bb9cb6f2b700fc78f92066f31b15a9c5c2a

SHA256
3973d354045be781eabf9114772fe2e5e96d1e557793de10c914d901b16e8c09

SHA512
4c6db25e04acb8349da29249f712b20c217d792e6d5fd40af9b398e2617d5168ef0afc2505a05b0833b90165d5e5eaf2e98d1821e855a99fc7833de52154ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
11KB

MD5
09c591e90628b092090c5ba410f6d353

SHA1
8ccf6fb48ff939e64f18baa1c0ca8b1d730d9e5c

SHA256
78631c294689ab8e864c5dcba57e50cb7abc253cf80ffcbb481b5c12be27fc50

SHA512
dac5f6bd2225321602c78c65ae4ddf563cb9a01faef9ba094de2e5d840097df111f9e36621b657523888d0f986517512860ba8a9c34c30bc4e04e8235be74669

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
704KB

MD5
6f20d65c5af232700ddf7b3206d9c870

SHA1
527a7e3525dd9b0f3f6e0d508702e6816311b255

SHA256
593ad36de23204385eeadfe318972c2e9f01275e59fd00342ad5892be0b2c6b0

SHA512
3f038a87dc644994c68b1c2596aa499fc128a18bcab74766c81ea2bc6d5a86511a810af2700e87bfe85b28fe792a51795b4014a2145c01b122ca869a577538e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
119B

MD5
4a35c18f51c267a3e6e2f34100446c8c

SHA1
a9f947c7f43e33b7b23e2e997e608aafd31efe37

SHA256
ee6b1f23b378746721d15c0a9f6949e576acb315ed802f65c62e6baad92b3a69

SHA512
d3cfbf24d8672dc827a7fd8d85251c3ff71aa728bfe233db375085add03aa5e5a2ae242237873a01918bb5b8681e55ac7760080d1fa5fbfd26340b149a8f1756

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.4

Filesize
12KB

MD5
5930543afe37917c8e447635310009d5

SHA1
b012ad5d21489c97e2fdb27728e808200fceef07

SHA256
a084e98c6807381e118d47c1c65c591361f4159d87b3b4386ed347ca60c890a5

SHA512
073080d3233d21936fc8ddafd06bcde8eb15913577b1a7015cbdb3a8af13c7678e65f1afa2036e2fb59eebec55f8fbf025958d8490d13dea05a093534a4aff9b

Download Submit