9f2400c583bf895751a988e1daa383932a0508273e27e76db89759c6ad0d3626

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
Size

232KB
MD5

b821af91801eb778f6ca1bdc67df042b
SHA1

3dd3ad700423bc0857df311ead7606b18857c5b4
SHA256

9f2400c583bf895751a988e1daa383932a0508273e27e76db89759c6ad0d3626
SHA512

b16b686502b3d32116c086563d6efcd1818a65d0a6b4ca8e95dceb6edcea99ed21ffdc46a31d2494c65016e2fbfb7819361f5f4c71462a8f0df346da08bb1d8f
SSDEEP

6144:7VdHl5i0Mm6aQc6UeI77KVgS/wnjhHFpG4b3y:7VdR16TBUJKVgk4jhGmy

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 652	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	84
PID 1140 wrote to memory of 652	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	84
PID 1140 wrote to memory of 652	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	84
PID 1140 wrote to memory of 3076	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	89
PID 1140 wrote to memory of 3076	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	89
PID 1140 wrote to memory of 3076	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	89
PID 1140 wrote to memory of 3632	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	90
PID 1140 wrote to memory of 3632	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	90
PID 1140 wrote to memory of 3632	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	90
PID 1140 wrote to memory of 4140	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	92
PID 1140 wrote to memory of 4140	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	92
PID 1140 wrote to memory of 4140	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	92
PID 1140 wrote to memory of 2992	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	93
PID 1140 wrote to memory of 2992	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	93
PID 1140 wrote to memory of 2992	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	93
PID 1140 wrote to memory of 4256	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	94
PID 1140 wrote to memory of 4256	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	94
PID 1140 wrote to memory of 4256	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	94
PID 1140 wrote to memory of 4444	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	95
PID 1140 wrote to memory of 4444	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	95
PID 1140 wrote to memory of 4444	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	95
PID 1140 wrote to memory of 4816	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	96
PID 1140 wrote to memory of 4816	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	96
PID 1140 wrote to memory of 4816	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	96
PID 1140 wrote to memory of 4856	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	97
PID 1140 wrote to memory of 4856	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	97
PID 1140 wrote to memory of 4856	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	97
PID 1140 wrote to memory of 3244	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	99
PID 1140 wrote to memory of 3244	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	99
PID 1140 wrote to memory of 3244	1140	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:652
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3076
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin6FB9.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4140
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinB432.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4256
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin6ADE.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4444
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinACB9.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin79A0.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\BFCABAC5\cfg\1.ini

Filesize
10KB

MD5
5ecd0a1c0993a62ff81ec1b2e25906f2

SHA1
2f16403b0e33ab0e95b118e1055e62021273e62d

SHA256
512bce7a3c222e34851ec2065ec8e3f1334ed70538a27457dc6504c6994e3df9

SHA512
1b2eb0d86fb8530d7e7aac25c799f09a9205dbd1a2936500ef99771bd69c9f94414bc83bfbf0d74ab0e1d987ad859c2515180cfc034d9ccc85d4a1878aa995c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFCABAC5\Setup.exe

Filesize
15KB

MD5
39e03e22e2c5cb67a7a750805de9435a

SHA1
50a3ff79f3815f58c8f2bb918fe156037a892387

SHA256
7d471a8df92de59217c60f1d1b2882fb04eadb44cf2dd313bba3c7e4d39678b4

SHA512
c7944d56f70190b3e6417f8923c844308d4840954afd613320c497170d87aa1300dc65472926c8691a242aa7fafbbdb3f2357ec178b340789f92245bb00dfff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFCABAC5\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFCABAC5\_Setup.dll

Filesize
146KB

MD5
a3f3a3b608f9a6d604730cb689dc23c6

SHA1
67dbeb74940250916e0592e596aa492c09694f74

SHA256
4020fabec983278cb2f9b1eaa17cd9466bbdbd0842a35182e34ecd302ae9d342

SHA512
beb0ad1f1b2530366dbc366a642d27965d7e851055086d7c302612eae88d19a501d46c66737c8ee4d0d0c2915d9768cd4d2f1b8e5347bcc3480facdb73484c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFCABAC5\_Setupx.dll

Filesize
16KB

MD5
f17dce858db6f84c1c149f8aebb1ce58

SHA1
e54f8c536dd66610d0678a3532c4f8834b01abe6

SHA256
f32c9be19334ec4a212d173f43e3a97e08434000ff7cef8584afbf72e05ba845

SHA512
c08f9efb7a3514c7829d7c9bd0ef384bbe038e695021a089b354eab6e9c13408fab31a01f502013c27c1a50e2e223ad3c33f4ed7424498b4077091c0044b7ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu-0474.dll

Filesize
245KB

MD5
8c7a58965b71c9dfbf1a14d3369a2620

SHA1
26380249b9bdf1ab864b1c8fa4d01e4c28ba9b5c

SHA256
f94e3692cf74256ef5f9df081592603e5b3aac4490ce39cf88363c5f24fa5aa7

SHA512
97302e9a0f53fb7239c92049d61d65be2958de3d674cdc25fb2ac10424814930e982278d6d6e8df2e270116a5a1b7d1cfea14250aea99191f3efd571357c7023

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat

Filesize
44B

MD5
dce39f037d259610f300ecaab636b5c9

SHA1
26ebba14cbfe5b704633f417e467ecdf2c8c9d68

SHA256
0cc82832933412f9485b63298f2938a25f6a3d4bfb4c174df360fac92469a17f

SHA512
cc808305992211e48af76deb27664ee1fb26b31bdc237c2301e9a8d89779c20350ab1a11f467c75c3ba90309c84dec1bfa3f9fd8022c3aee85aefe1fd9b2f7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6ADE.vbs

Filesize
819B

MD5
be2c5cb2df4adaad822c79253b0c0a99

SHA1
d77c6abb7a36c5ee7b6c9fab61f9d5c9b5a39405

SHA256
aa3a64db11a0b10c2138f76d2682ca7f15ed28026b7cb8f46ef43f5e3d2c68ba

SHA512
42dc34b9985a6fb5e1a29e7fc9998522a6def504f625575df3376f0aa4a0a2dcfa71932e5d695629e6b2c073bf6948101bf1b37597d4c3eb57f6f74a849fe24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6FB9.vbs

Filesize
1KB

MD5
9a9fe33d6ab7b72f20d3f527bcf65d77

SHA1
42ed279fbb906dd2266f338cd3a7b7ab09c6a8c1

SHA256
a6dbe61ab8642b5704ee2dac1e4eeffdb0d5ca020ad9708be8cbd608d895b3d8

SHA512
f8793b65190992d38ee5e87c16691649bf32babc47e27f01b5e4fa59c1ad577d9a057d7723a29620025f9d34dc4b0d0f6aef5bd6724bbc9abfa6e790673d93a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin79A0.bat

Filesize
46B

MD5
ee88105f41af6d2033cc6260557b2075

SHA1
d4cbbb224e0505747b09e61eff58eb351772db65

SHA256
78e2750eb21e422cb66742ef7249e588c7f44ba8e61ecc8a4082f6c2569c1062

SHA512
0d576b2d375237c2c4f4c1cc9df42b6bcdb547db9dd1d239bd12c457997465f9385d37fee93ae81f2826b6456efa2b58a088473d15a38f03ecd1a864970f3e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs

Filesize
2KB

MD5
c351b265943887aeeaa7107e2eb42cfd

SHA1
259a3ce743cd68113067d6724cc33e9a8c259f0e

SHA256
43893ea5c209e868a1c378bd83dac016b0a2538fc141765175e429d19ff22e3c

SHA512
7daefde238283f2f0931de8fabcc7475fd6ca86ec2ad7b00bb111f34d1148c254e8ce1b8e9bce273a5c9d36ed0425c015944abda9b39fc9fbb908206a29eb5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinACB9.bat

Filesize
50B

MD5
025845a297c86694a92c986fd5138063

SHA1
9d99aaea0c4e1d861fb99eec763ff0c2d49d1a39

SHA256
0742a556a7bd1190f86724a5ca7218115c9623f48ab4fbc4edebaf955f160a63

SHA512
4992c4124c0833e502b413ace55a95012d23b8f12c495af3a2b5291faba846c06225a62a277401642547e75512912d42aaa8123c57ced108c17e2937cc04d3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinB432.vbs

Filesize
419B

MD5
3018e007343612abc7c7ba79d702e891

SHA1
229e37be962fbb8b847093995acd446063164193

SHA256
dc8ed4e7f31a1a7dca203230ee5d5b4d057d696a49513d3aa1dfc51ff3b6f688

SHA512
0fb37e510e3f9c8097d3445b6719bbfc9561d531dac821e24211d881cd3c9e9bcbac7ceec410a2dd5091c563e8b3f1e7254989f9a79b01b403c89b4872d75199

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs

Filesize
304B

MD5
88e71d4721a85056573dc06a05d2e758

SHA1
098c4de1a9f5ae31c475aead205533764c9c3d29

SHA256
8df815ee2410caca428516a8c5fb29d1b936dc5c4351e4a87d60b502102638e5

SHA512
496fb52cbfbf57f363c3525d3818b216bd08cc44b1e7b0c634b7ea1dd8bfda925842b6e5f998bced21c0a3231e1c5e02d9b14f114c6486a0d0253dd70139987f

Download Submit