772f0b88b537d68301356ef751d993c9765959f8078e64066567379c0f995493

Analysis

max time kernel
31s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 11:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

d1d5b2ac96726db7d87169b880625030_JaffaCakes118.exe
Size

886KB
MD5

d1d5b2ac96726db7d87169b880625030
SHA1

058f05bb271d489119c1c116a235b5d1690c51ed
SHA256

772f0b88b537d68301356ef751d993c9765959f8078e64066567379c0f995493
SHA512

f2f6588258173dd34716b4c2a7fe14bde4a1d769b5438c8b528111ff59ca7a22bed5196c93724938211feb230e8904ba27f6d1450fa0ea8ffc6ac07ac1b80f21
SSDEEP

12288:byIF9MHlx+dIHIwqW/Jir1i5zvaYyOoQYXMMuSvSjNN1elH8z5EBZDgt3nIMacbh:byI7ML2PW/kr8Q3QYXzuU0LtED8ro19s

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	d1d5b2ac96726db7d87169b880625030_JaffaCakes118.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1d5b2ac96726db7d87169b880625030_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1d5b2ac96726db7d87169b880625030_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2828	2768	d1d5b2ac96726db7d87169b880625030_JaffaCakes118.exe	83
PID 2768 wrote to memory of 2828	2768	d1d5b2ac96726db7d87169b880625030_JaffaCakes118.exe	83
PID 2768 wrote to memory of 2828	2768	d1d5b2ac96726db7d87169b880625030_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\d1d5b2ac96726db7d87169b880625030_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1d5b2ac96726db7d87169b880625030_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\is-CJ4LE.tmp\d1d5b2ac96726db7d87169b880625030_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CJ4LE.tmp\d1d5b2ac96726db7d87169b880625030_JaffaCakes118.tmp" /SL5="$C0042,650973,62464,C:\Users\Admin\AppData\Local\Temp\d1d5b2ac96726db7d87169b880625030_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-CJ4LE.tmp\d1d5b2ac96726db7d87169b880625030_JaffaCakes118.tmp

Filesize
706KB

MD5
8ea3e88f14b2fd9430cd003c1fdd6a87

SHA1
b201a845298fe6a20f9552e7346262b650ad5eff

SHA256
7912436d839bdbd62b97e11d968210c33bfff6c06908d23cfac31be75546d01f

SHA512
a437c46cb2005981107af78f660d91343476bb8cd0264e783f1058af3954c42a28cecf73726e4fd6a5e116d9f5ded5d3922c4c3e808f2b40070d7ec9ea19e3a5

Download Submit
memory/2768-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2768-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2768-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2828-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2828-9-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download