d41f4febe7b043c7388dd2ecc4a4637fb56d7a4ca79acbf46b3cf9bce08ae52a

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c770f82ae0eaf582bef7e43003838252_JaffaCakes118.exe
Size

138KB
MD5

c770f82ae0eaf582bef7e43003838252
SHA1

67c9b7cd17498d7c2382f4acff037d484dae638e
SHA256

d41f4febe7b043c7388dd2ecc4a4637fb56d7a4ca79acbf46b3cf9bce08ae52a
SHA512

05e1ca35d5bfc15626e5b27800119dc5f39a5ef492a29cb8d40aff5f575e70995cbc855a6619d94114b6b2865e8bc3389f281244761b470ea17871044f7c8f07
SSDEEP

3072:BF3jOgqTivf2ZVBwMyn4B0UCwOXAehp6sTKDWzlg0tlVGDnUsW:fjODTivf263n4bCZAehIsGYlgBvW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2724	BridgeWeb.exe

Loads dropped DLL 1 IoCs

pid	Process
1944	c770f82ae0eaf582bef7e43003838252_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c770f82ae0eaf582bef7e43003838252_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2724	1944	c770f82ae0eaf582bef7e43003838252_JaffaCakes118.exe	29
PID 1944 wrote to memory of 2724	1944	c770f82ae0eaf582bef7e43003838252_JaffaCakes118.exe	29
PID 1944 wrote to memory of 2724	1944	c770f82ae0eaf582bef7e43003838252_JaffaCakes118.exe	29
PID 1944 wrote to memory of 2724	1944	c770f82ae0eaf582bef7e43003838252_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\c770f82ae0eaf582bef7e43003838252_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c770f82ae0eaf582bef7e43003838252_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\7zS1C09.tmp\BridgeWeb.exe
  .\BridgeWeb.exe
  2⤵
  - Executes dropped EXE
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS1C09.tmp\BridgeWeb.xml

Filesize
435B

MD5
db0feb07d3c199a7c6647f1f64730e1e

SHA1
78a1ec5c1af44a750770f714cf14f8255e1f8730

SHA256
42e186b4c97abb98a5ef56176dae2916d5ebcb447c028e037e00f6e815de818a

SHA512
8dd7967fa7b1d2b259d11f6a662ecf392a400154e206efd869893f30983927fa05eae253fbbbc102f833601b0a50e8a52b0bcb46c5bcd86b503b1f86672d70fd

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1C09.tmp\BridgeWeb.exe

Filesize
18KB

MD5
4a09f070ad0031ec94e49de22d0c0708

SHA1
7052a6f64ead26260c998b537351840d62b528fa

SHA256
1288fcf74849d81980fa66dccb188be4ec091abbc7b6ad74301856bf72137c34

SHA512
360c842b51fc1765291288a6a5f03fd7f8061b0d4b74bad6f8a336df03e3335ab575a4b23c6f76d92a16a1f0ee928d2c94ea5b0739884d6ca96a7e00bb475ce5

Download Submit
memory/2724-10-0x000007FEF5A2E000-0x000007FEF5A2F000-memory.dmp

Filesize
4KB

Download
memory/2724-11-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-12-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-14-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-15-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Filesize
9.6MB

Download