22d64e66a5058f4d16c651d3ecf6cfed6a8e078c0c5a20dd417ba5600368cf67

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db3f465c6da903e857f787ccb0b07194_JaffaCakes118.dll
Size

28KB
MD5

db3f465c6da903e857f787ccb0b07194
SHA1

78b7c09954b2e47cf6586bd293062d2a5b84953f
SHA256

22d64e66a5058f4d16c651d3ecf6cfed6a8e078c0c5a20dd417ba5600368cf67
SHA512

624429680f1cb434c12927f6dedeb837708d9f47b595a601a86a8462511c0262501c5a6027a77f9ff35ea12410b36bd57cf9072780be6c6f8f92700186d219d7
SSDEEP

768:EM8FbwaVoUcDcFR6n4vr3zu0uia9loOf6:ETbRVonnCrvyf

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2172	2124	rundll32.exe	30
PID 2124 wrote to memory of 2172	2124	rundll32.exe	30
PID 2124 wrote to memory of 2172	2124	rundll32.exe	30
PID 2124 wrote to memory of 2172	2124	rundll32.exe	30
PID 2124 wrote to memory of 2172	2124	rundll32.exe	30
PID 2124 wrote to memory of 2172	2124	rundll32.exe	30
PID 2124 wrote to memory of 2172	2124	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db3f465c6da903e857f787ccb0b07194_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\db3f465c6da903e857f787ccb0b07194_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hsyhdf16.ini

Filesize
14B

MD5
95f3ef681f0ef4ed85e36ac92de0244e

SHA1
fb9ed20a0761e9ca1c3100078b3f5ec16efb2e03

SHA256
390e65802e705fe8928f41b135234653c86a3871bd8a3ec9c666fb33ccd9b468

SHA512
1c49bc25196f5486d35f4e359b041b4ce5e68dbfaddb605d6e79759d498a1dd3e9a38d894e5abdfd90262f6bdb4c9428497e049e24505fa35a2c5353a2166c58

Download Submit
memory/2172-0-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/2172-352-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/2172-646-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/2172-972-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/2172-1953-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/2172-2279-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/2172-2605-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download