374f94bc94a6eebc3f8784085f361a30a8caba2c2c60c84572cea8933c3f6e49

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
Size

1.7MB
MD5

c1e63560dc0c632686e1c2f6fb40775a
SHA1

08eda0406a0383005ff7a60966e032afebe0d2ab
SHA256

374f94bc94a6eebc3f8784085f361a30a8caba2c2c60c84572cea8933c3f6e49
SHA512

f5d35dfab8fc78584187b21c63887530f57ff9025fce65059a4a004d3c1b490bbfb20fb39c3b23a7bcd70113ff90e5616c4c20bd349d686ec82f2ba74868f311
SSDEEP

24576:LUvxLsmtUuoX5382om3Cg/iDfPc/7tNETop2FmYaS0LtVOmvjkiSs9OfccyM4NQf:oJ7WuW5XgTK7th2jaSYtgySWNI4gF

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3112	wrar393.exe
4196	setup.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrar393.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3112	wrar393.exe
3112	wrar393.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3112	2280	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	93
PID 2280 wrote to memory of 3112	2280	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	93
PID 2280 wrote to memory of 3112	2280	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	93
PID 2280 wrote to memory of 4196	2280	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	94
PID 2280 wrote to memory of 4196	2280	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	94
PID 2280 wrote to memory of 4196	2280	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	94
PID 4196 wrote to memory of 208	4196	setup.exe	95
PID 4196 wrote to memory of 208	4196	setup.exe	95
PID 4196 wrote to memory of 208	4196	setup.exe	95
PID 208 wrote to memory of 396	208	cmd.exe	97
PID 208 wrote to memory of 396	208	cmd.exe	97
PID 208 wrote to memory of 396	208	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\ wrar393.exe
  "C:\Users\Admin\AppData\Local\Temp\ wrar393.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3112
- C:\Users\Admin\AppData\Local\Temp\ setup.exe
  "C:\Users\Admin\AppData\Local\Temp\ setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c at 00:22 C:\Windows\system32\cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\ setup.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\at.exe
      at 00:22 C:\Windows\system32\cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\ setup.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ setup.exe

Filesize
380KB

MD5
aa78e0ac5cb33a254fe18f516543ece5

SHA1
96aa657d4e85f42a2a783387224010f38b5268af

SHA256
647a0483cf74f4099112267004494809a8333165951f705c07978ab114e6d0e0

SHA512
3dd5ca02a410c263256b927d3f87ef768657bf482a9e0b237b599e26274ec9491f7b1a8c8e14ca450f00e89d177f8aa5f2e599201020b2d984c90497dab10ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ wrar393.exe

Filesize
1.3MB

MD5
b3b121ccac92a71152d3aa6a783927d4

SHA1
b51e3dcd8edaad1cb77550a9cfd6266c4925c630

SHA256
31c84f5d740eb7b497fcfd5e963123d0a1a94afe6edfd18cfc23b2d1234078fb

SHA512
e8f1308aed05f027eace8b0d6dd8a0e4d391748f822a6e665a4e46b88a9f2bf278d3b93c884bdf66b6c94be1223ec7d5ad60fd149a9e20b47b96c56a235cea39

Download Submit
memory/4196-8-0x0000000074282000-0x0000000074283000-memory.dmp

Filesize
4KB

Download
memory/4196-9-0x0000000074280000-0x0000000074831000-memory.dmp

Filesize
5.7MB

Download
memory/4196-10-0x0000000074280000-0x0000000074831000-memory.dmp

Filesize
5.7MB

Download
memory/4196-14-0x0000000074280000-0x0000000074831000-memory.dmp

Filesize
5.7MB

Download