979346bd1a4d62e7c1bf822a7ec539d56e4c5ef7d33f44f6466af291ff19671e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8c716550c4d697fe136dc183080f8fb_JaffaCakes118.exe
Size

47KB
MD5

c8c716550c4d697fe136dc183080f8fb
SHA1

8a6f1498546106f4125f2b15a619a31d55c697d7
SHA256

979346bd1a4d62e7c1bf822a7ec539d56e4c5ef7d33f44f6466af291ff19671e
SHA512

cfee8b137d40de8c596b8498b4c5f93383a1c0977ddda999d23c2b5673b0640b20ee0c8228205dca705b6ad3c5591e83149aa84d045651c480eff5a3b8a869dd
SSDEEP

768:o9J8NowRheD8/3rJiUqyet8w9abyzS5E50kyoVonvnRiZljBwiwo5sW3yhz7v76a:o9wvQUreUbyzsB+2myhzT7hOn2

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8c716550c4d697fe136dc183080f8fb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2296	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2188	3004	c8c716550c4d697fe136dc183080f8fb_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2188	3004	c8c716550c4d697fe136dc183080f8fb_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2188	3004	c8c716550c4d697fe136dc183080f8fb_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2188	3004	c8c716550c4d697fe136dc183080f8fb_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2296	2188	cmd.exe	33
PID 2188 wrote to memory of 2296	2188	cmd.exe	33
PID 2188 wrote to memory of 2296	2188	cmd.exe	33
PID 2188 wrote to memory of 2296	2188	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\c8c716550c4d697fe136dc183080f8fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8c716550c4d697fe136dc183080f8fb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~E12B.bat "C:\Users\Admin\AppData\Local\Temp\c8c716550c4d697fe136dc183080f8fb_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HWMonitor.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~E12B.bat

Filesize
58B

MD5
6d91e31855bd18a31e5292a7d312f4cf

SHA1
3f8d30775cc7852c288bb95dc40386e0372c90f6

SHA256
2f1451394cacafe87d8c71a7d7f5497789964a1ed1af0a644be6910b980aa1ff

SHA512
2dfd1981d259c145e3541fc257a2b4da78392d5e2fe55e9b691264c9d814a41651b4f4f04ebf8b2d3770a2597131a91190a0b7ae8124b6c80ba8ff382b9d2aeb

Download Submit
memory/3004-3-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download