2e36e49186a168a858d88f5e66d6a00766c3d238d508dc098cf8654e81a01d89

Analysis

max time kernel
136s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe
Size

389KB
MD5

bd80b86269b8ffbf3f06f64e973be02b
SHA1

d3bd5417268685b093a056a79d872c443a5cb1ee
SHA256

2e36e49186a168a858d88f5e66d6a00766c3d238d508dc098cf8654e81a01d89
SHA512

55028bfc92fd1d0965a72860ad84a2f2d8c3933feec2f97ea1a429e2ff5c5af93d6aaf756c9430a1cf25b38f69829a27f59cbf20d04d15597f06bde9d2a4b0a2
SSDEEP

6144:ur1ROgMveKPoTilIk1XRghbzkK5U+eKHXDdb6wFnZQTkIPP0y7Xx3tXxRQx:u+g/Tk/ufkK5UcHNLJ+TpPseh14

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4884	tslmtl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lthjsg = "\"c:\\windows\\system32\\es-mx\\tslmtl.exe\""	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\es-mx\tslmtl.exe	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\7cbf9803.log	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tslmtl.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4716	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe
4716	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4716	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe
4884	tslmtl.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 4884	4716	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe	98
PID 4716 wrote to memory of 4884	4716	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe	98
PID 4716 wrote to memory of 4884	4716	bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd80b86269b8ffbf3f06f64e973be02b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716
- C:\windows\SysWOW64\es-mx\tslmtl.exe
  "C:\windows\system32\es-mx\tslmtl.exe" /i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\7cbf9803.log

Filesize
96B

MD5
54a7219b07b02e770e828c0cde72e32c

SHA1
281a4dbfe114707ab58d620bc11b05f5df7dbfab

SHA256
c5c27f6daa6478f64465f08ed9f4cddf27357d8b68d8aa02ead0704ba7fdfe08

SHA512
716cd20d616efaf7d6a3e32d2c066c28fb92e731cbe999679a0f15832fed5bad3024e9f699fd8fc0903fd4982a9665ebf377c202ab45a0dc0b8c9122d0e6ca22

Download Submit
C:\Windows\SysWOW64\es-MX\tslmtl.exe

Filesize
389KB

MD5
bd80b86269b8ffbf3f06f64e973be02b

SHA1
d3bd5417268685b093a056a79d872c443a5cb1ee

SHA256
2e36e49186a168a858d88f5e66d6a00766c3d238d508dc098cf8654e81a01d89

SHA512
55028bfc92fd1d0965a72860ad84a2f2d8c3933feec2f97ea1a429e2ff5c5af93d6aaf756c9430a1cf25b38f69829a27f59cbf20d04d15597f06bde9d2a4b0a2

Download Submit
memory/4716-0-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4716-1-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4716-4-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4716-26-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4884-19-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download