12819007b41e5de29e7878705285645c19c0c716d972cc2c1d1ebbf5a7658835

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df33dded02e8599cd9a9580896c71094_JaffaCakes118.exe
Size

124KB
MD5

df33dded02e8599cd9a9580896c71094
SHA1

7828521cd32518b40cf7d941211c698a83cf9d6b
SHA256

12819007b41e5de29e7878705285645c19c0c716d972cc2c1d1ebbf5a7658835
SHA512

6914b1fbf6dbfe6c0f2db2c168fe59e220e22c9d74a944217e6dabc8d88f5697e9b95c65022a0f37a1bf987b1e415b9b8755ee3ed981d9a7aae66142f2b7de45
SSDEEP

3072:99oZKQrrUDxq3Lp/CNDs7I7C7O8+cdsNVwueV1s+U9UG:DqpkF8h/+cdsNVwu+1G

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df33dded02e8599cd9a9580896c71094_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3476	1584	df33dded02e8599cd9a9580896c71094_JaffaCakes118.exe	91
PID 1584 wrote to memory of 3476	1584	df33dded02e8599cd9a9580896c71094_JaffaCakes118.exe	91
PID 1584 wrote to memory of 3476	1584	df33dded02e8599cd9a9580896c71094_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\df33dded02e8599cd9a9580896c71094_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df33dded02e8599cd9a9580896c71094_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\df33dded02e8599cd9a9580896c71094_JaffaCakes118.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\df33dded02e8599cd9a9580896c71094_JaffaCakes118.bat

Filesize
296B

MD5
79ab394f8b2f2fde35f2f96ef2cb3477

SHA1
90d8263f5502c29a862cac914efe682bf4147271

SHA256
4205d7837d6e8d28961495e41ac270f342894e8290b67c24c3d8f016c306ee23

SHA512
7669ec3d88a17a023ffc5518281e8c060aee45805daf4d922aef3994a88585b37139f883169dd793640c2582338f68a38f1a0ee1f7f69a95f8c77b6f4d714100

Download Submit
memory/1584-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download