5ce8527d9726daff13d43b78e90bc9e4ad3aa2a5e177761f38a9ca08d2282c4e

Analysis

max time kernel
94s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe
Size

250KB
MD5

d4c74b9f374676c4e56a6aa6d69b9a99
SHA1

00dab5e628286345f01feaaf788a80e54989872c
SHA256

5ce8527d9726daff13d43b78e90bc9e4ad3aa2a5e177761f38a9ca08d2282c4e
SHA512

b73a002b447f453638dbdedb24ccef8c91c0e5ae8b17a7500ad41131b0b3a4f6a934fcac9be58fd0e56037500d0ad6960f2635665f753f81d22d32699f6cbba0
SSDEEP

6144:EICaE6THsa3CWmXsMOUNHkF8ecPSQ+0v/uW:VU0sayx1mFxcPG0v/uW

Score

7^/10

discovery

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4844	5076	d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe	85
PID 5076 wrote to memory of 4844	5076	d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe	85
PID 5076 wrote to memory of 4844	5076	d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe	85
PID 4844 wrote to memory of 3796	4844	vbc.exe	88
PID 4844 wrote to memory of 3796	4844	vbc.exe	88
PID 4844 wrote to memory of 3796	4844	vbc.exe	88

C:\Users\Admin\AppData\Local\Temp\d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4c74b9f374676c4e56a6aa6d69b9a99_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ib-bclt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC9CE363E8449FE8DF6967BD1F2264.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2ib-bclt.0.vb

Filesize
764B

MD5
f73c46f315242d4ad60ec19b2e610ab0

SHA1
93955b939bd71dd2f951cccfbd4ba545d81c46e6

SHA256
1f37d9e6570fb0a2009eecc569f3fe2de319bdbab1b047efad8d41308a46e67f

SHA512
2199c42833377decb18c3f48371997073bae9d77e81d84abf2e76fa0f866214e08dbe4b81a8674b9de1d3544e34a289cd84738abe82d4a53f112c19242b6e2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ib-bclt.cmdline

Filesize
246B

MD5
c80f4c3d4fd1abfa2e5d46178b7ef4d6

SHA1
624e832eb64b1324cc6f9f6b02c6617b01748a68

SHA256
04d724904d6ed09aaf6cf49bc78d1c704862dc288d5786b6ac01c217d420f710

SHA512
5dd820cbf9cbdd7168d9b0b674f284c33b40398d54cc52e134bf97f43bff4909a9a907905dc6664535d9d82c8036effb3b3853d9a03cc1f105e35599508d5bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ib-bclt.dll

Filesize
6KB

MD5
892a5ab394f82e5b652e56d27529500f

SHA1
7094bb6bd505aeefeb79c7179fa9aff61f58fc12

SHA256
cb525204687c62418821341992bfb18bf6b5f062673ba3bfa0170f682fb39afe

SHA512
64050bbdab1b5a6a880b2468df5f44ea0c3d10c39149d38f0c3d0652290c96b1234ef62a66c3a39f1d23404559d0c74bceca27e19d189bee47a0cbc2181b85e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp

Filesize
1KB

MD5
069fc29d5343e27a1aefa385428175b0

SHA1
16fe2eaaed236335031fc49ac8a1385f62fe87f6

SHA256
934ae6a1a4745c2d6225b028ad3935a0213d17747cc6f026f748ea53da5f9746

SHA512
39b2a2892fca7ffb340347b75cb1b7c305dd4f64cf9143ea347601c78adcb26cc3f9615b876653dd71b10dd6fd37a2e319326ecc354d9939f32c565e0122e7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC9CE363E8449FE8DF6967BD1F2264.TMP

Filesize
652B

MD5
b479688fe74627b8d439ae9441c9ef91

SHA1
5e1853904c36de50fa7fc699d2dbfb91b7e47e84

SHA256
df99b58b01714827b56e7646da9b2e818ddddeab2a30a4e04817cbeab42a7a9f

SHA512
237f02fe1844fcebd3951d5cdadf1e602bde8ea624c6ea2d650092c1371f2695b1c887ba34ca358cf5fe419832ec43f49a423d00f32ce375490f5d9b3318bc37

Download Submit
memory/4844-7-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4844-16-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/5076-0-0x0000000074E42000-0x0000000074E43000-memory.dmp

Filesize
4KB

Download
memory/5076-1-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/5076-2-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/5076-21-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download