c589c5c31d4da03489af9ad2736e0695f2b7fa266faaad8048ead23e6a05a996

Analysis

max time kernel
143s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beff25fe68b167cc5e82983c480829a8_JaffaCakes118.exe
Size

1.9MB
MD5

beff25fe68b167cc5e82983c480829a8
SHA1

d9e29bbea848ab046d983c57a2982c26a79faf00
SHA256

c589c5c31d4da03489af9ad2736e0695f2b7fa266faaad8048ead23e6a05a996
SHA512

4ce78bc91d3cac3a5261bc6ad6fc08220208a0bc0e8e0d8f3f0fb5f8bfb6dbcce71ba5c95890f588103446d0e45eb01d6b63b693a802d1a6e53763e8c6c64911
SSDEEP

49152:Qoa1taC070d+ZOjJzxacwnAEDiUXO53YL75+Lf99Z:Qoa1taC0FZONzc/nAE+U+5W75+799Z

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3960	84DF.tmp

Executes dropped EXE 1 IoCs

pid	Process
3960	84DF.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beff25fe68b167cc5e82983c480829a8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84DF.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 3960	4784	beff25fe68b167cc5e82983c480829a8_JaffaCakes118.exe	87
PID 4784 wrote to memory of 3960	4784	beff25fe68b167cc5e82983c480829a8_JaffaCakes118.exe	87
PID 4784 wrote to memory of 3960	4784	beff25fe68b167cc5e82983c480829a8_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\beff25fe68b167cc5e82983c480829a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\beff25fe68b167cc5e82983c480829a8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\84DF.tmp
  "C:\Users\Admin\AppData\Local\Temp\84DF.tmp" --splashC:\Users\Admin\AppData\Local\Temp\beff25fe68b167cc5e82983c480829a8_JaffaCakes118.exe 428D976B6EA331892C71B4A93F0DAEA1F3C7392A7F9F80F42F334637954ED4A57B73F9F9FACA409D71F2930D997672A60AA4D98B1DC34A43910A2EE9DCAEF1E1
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84DF.tmp

Filesize
1.9MB

MD5
0f723fbcf3b2f8709625180e0a4fdded

SHA1
4f0f60d80c9ffc75a18b1ed786f55519307afa30

SHA256
3d87a2408a0cd915aae6387068f3e249017f4db30808b50fd1a5eb211f9249a0

SHA512
711174b36454c36644f2c5389ff664173047f911f9db8173d60c8299a27c184caaa3ece6d25e40c24642573183391a9c538d67994b46aa74423a2422554d33f9

Download Submit
memory/3960-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4784-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download