f24e66908944c5a58ff7b5fe5a01382e0f62df512ee6a89a01f10faf7db0717d

Analysis

max time kernel
140s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe
Size

2.4MB
MD5

b84a8b9d59b5cc2c25d03803491849ef
SHA1

7a2c5b6c6f14b777dc87c264fa98b0dbfd58ef62
SHA256

f24e66908944c5a58ff7b5fe5a01382e0f62df512ee6a89a01f10faf7db0717d
SHA512

8dc75d041d29cb69a694af3d42fc40e2ca3a749f4b2ef647f7aa8bdc583f860e4eed4ebbdb8cc8213c8910972fe9a5cfa59f47ee1a12e66edea250c93ce3d10d
SSDEEP

49152:A2HBwCQXwzI1cqd6QPCYlDcFgc+6n3NeBWwDz6MGbsV0pl5Z43H6S0p1cDQU:tHBwCQXwzj6PCYmE6ndeBWw/GbXTZ4XX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2164	Stp6C23_TMP.EXE
4104	Stp6C23_TMP.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stp6C23_TMP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stp6C23_TMP.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 2164	3168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe	91
PID 3168 wrote to memory of 2164	3168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe	91
PID 3168 wrote to memory of 2164	3168	b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe	91
PID 2164 wrote to memory of 4104	2164	Stp6C23_TMP.EXE	92
PID 2164 wrote to memory of 4104	2164	Stp6C23_TMP.EXE	92
PID 2164 wrote to memory of 4104	2164	Stp6C23_TMP.EXE	92

C:\Users\Admin\AppData\Local\Temp\b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b84a8b9d59b5cc2c25d03803491849ef_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Local\Temp\Stp6C23_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\Stp6C23_TMP.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\is-D0LSF.tmp\Stp6C23_TMP.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-D0LSF.tmp\Stp6C23_TMP.tmp" /SL5="$110064,2125009,57856,C:\Users\Admin\AppData\Local\Temp\Stp6C23_TMP.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stp6C23_TMP.EXE

Filesize
2.4MB

MD5
0ec72c8488e791bb81c0c6b5d9110795

SHA1
1b06b2fb2d4ba08abffd6c81d96553d45a45ff2d

SHA256
3e6839ba8331ee68fc68491741f79052761ccf8fdd034fedd6841b13bae1b33f

SHA512
987a031fb3314b1b6206a261b326b1af6c6083293572dc08907f8b38edb1a88588e78851b200a30228dbb369034636be7fe0260ab528fbc7c3f12963d7d26d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0LSF.tmp\Stp6C23_TMP.tmp

Filesize
673KB

MD5
275b13d10ac408c02a57197f34b46ef5

SHA1
731b477d1e9a871b948590aa627e6bd1278a6194

SHA256
58d28efddecb481f034b1d88ee6eba0e972b322a082947d52bcfb917665344c9

SHA512
906af975cfeaf7c246143858c977c70f7a1dacca83d2df06b9b9c280d7ffc5b913b0565e89aea68d138ae250e704cf669c6cef68465c72bb25f0c1d8de4ae44e

Download Submit
memory/2164-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2164-6-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2164-17-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4104-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4104-19-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download