88e86e10e5fd5094b91a24dde3f5c14a56a1e31d4a285fed9f1285a011168dd5

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.exe
Size

1.5MB
MD5

bb718b0fd18db17017e35f05720fecbd
SHA1

08e8bd18213afc52d19abcb7aa3a995049ce4c9e
SHA256

88e86e10e5fd5094b91a24dde3f5c14a56a1e31d4a285fed9f1285a011168dd5
SHA512

3f7178ec011dc9cc4ffcedb23adadd0e7dc338500791189bda26ab2ca87cad690e3dce8803675a7ab7fb6e74a6675183e658d5606871fa2996bd4625bccaf3e4
SSDEEP

24576:pnagNnEQOs72LvLa8O/0mgw5XfS2AEkGd41xVxv8lJZ3rG3SICJfl0P9x56ctYX:pakEQLoNwRCW0xvaJVKSIMd0DtYX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4796	bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4796	4752	bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.exe	84
PID 4752 wrote to memory of 4796	4752	bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.exe	84
PID 4752 wrote to memory of 4796	4752	bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\is-9OPKV.tmp\bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9OPKV.tmp\bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.tmp" /SL5="$901E6,1273777,132096,C:\Users\Admin\AppData\Local\Temp\bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9OPKV.tmp\bb718b0fd18db17017e35f05720fecbd_JaffaCakes118.tmp

Filesize
764KB

MD5
6c1d9ee1291bf4ee24325015453dac75

SHA1
5122278d07ff11e71b0a8da84d64aa72186f8758

SHA256
5a830c8ee3bdb7345788275ebc7e7f0153a92cac13059d37d6680199d8f935aa

SHA512
ad95d63a04bd9ee10b271833af3fb26e5404ecd32b4e6d9c3237a0f822fcd596673f5716d7511f4e69b12653fd9d3abfe35b01b53b7634a4a89452bda211f24b

Download Submit
memory/4752-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4752-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4752-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4796-7-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4796-16-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download