1151ee875282f7d8b10efceb057cf61f1d2da7e0c641e2abeed84594769ee75a

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e89e23925742eaacc706435af0f57667_JaffaCakes118.exe
Size

709KB
MD5

e89e23925742eaacc706435af0f57667
SHA1

95c55e1fdd896c9d308622c07661f9cf3c4f48de
SHA256

1151ee875282f7d8b10efceb057cf61f1d2da7e0c641e2abeed84594769ee75a
SHA512

983a4fbc014ef8dbc2811764563d3017deed3d99e7cc2c31f6ac036c298977f330c5f75e052ee68a9adbbe037986220543fb9a5f52096b3b81d089b0f9688f0e
SSDEEP

12288:cIybkLlzbPalCqX/wHRmSOv4kKJTJaor2teoMPaJfRu/Y+L9xzr+zfSFh00:cItYcNiZKJTXrMePaJfRkY2toGX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5052	nfviepplrs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
424	5052	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e89e23925742eaacc706435af0f57667_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5052	nfviepplrs.exe
5052	nfviepplrs.exe
5052	nfviepplrs.exe
5052	nfviepplrs.exe
5052	nfviepplrs.exe
5052	nfviepplrs.exe
5052	nfviepplrs.exe
5052	nfviepplrs.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 5052	2920	e89e23925742eaacc706435af0f57667_JaffaCakes118.exe	82
PID 2920 wrote to memory of 5052	2920	e89e23925742eaacc706435af0f57667_JaffaCakes118.exe	82
PID 2920 wrote to memory of 5052	2920	e89e23925742eaacc706435af0f57667_JaffaCakes118.exe	82
PID 5052 wrote to memory of 2564	5052	nfviepplrs.exe	83
PID 5052 wrote to memory of 2564	5052	nfviepplrs.exe	83
PID 5052 wrote to memory of 2564	5052	nfviepplrs.exe	83

C:\Users\Admin\AppData\Local\Temp\e89e23925742eaacc706435af0f57667_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e89e23925742eaacc706435af0f57667_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
  C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
    C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 836
    3⤵
    - Program crash
    PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5052 -ip 5052
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nla\epzgrd.oj

Filesize
285KB

MD5
863b66523fbc4450ae132faea9e0686f

SHA1
89a08cfc68787638158bb65d3f6c36cf0a624d4c

SHA256
bda4b5788ce715a548690e2ff258e4b29c2b36375eef8a673800e01d83345c57

SHA512
40c5582f1c15393a1fce6511a9193167e928ad336090fabe4a10295eb2a790b43a5d9cf92da113ce957926576210566fe842ac5fc81f7de08f5ad6c491cd6f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei

Filesize
252KB

MD5
e49b470009e7e7c86fb1714e2b9a918e

SHA1
a8a4fe82175f1351d226a874361d084d67198aa2

SHA256
25c160905644fb9705cd20e27f455968e70893089bd5fdb7ac8f4d6d4b6f0408

SHA512
4fa35c615673bc00035a7a1b11e497696e35ee996474d712a2c01f52569793082f980049c3eb1cbd5f94e32c6fa3b5058e53cc9bd153e6883af6b1c3e079b103

Download Submit
memory/5052-6-0x0000000000B10000-0x0000000000B12000-memory.dmp

Filesize
8KB

Download