066baa2c21f69128f80d5b6eac2dce4579259451bc5ec1ce072fce7636cb0952

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe
Size

2.4MB
MD5

ea8f6dfab4cf68f39195d6f4bab22a5a
SHA1

9c44148101f0371e6344aae44c6fa8aadd3e719b
SHA256

066baa2c21f69128f80d5b6eac2dce4579259451bc5ec1ce072fce7636cb0952
SHA512

bb571af70d8edad9d76510d42275b51b3551ca915b5276d5a7a9a2052680f153ba952d332daa251a6d286b6c0f7ec21834ec6bd8ddbb472c1f1091fee007b879
SSDEEP

49152:GDF481x40utyJooh/My16Erw87oM/1j/hx44JJR5cdpCForAcz4clG:GbdutyT/My1Vrw8V/Vhx44TCCFobVo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3476	Detect64.exe

Loads dropped DLL 6 IoCs

pid	Process
2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe
2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe
2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe
2820	RunDll32.exe
2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe
2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Detect64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunDll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe
2820	RunDll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3476	2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe	84
PID 2188 wrote to memory of 3476	2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe	84
PID 2188 wrote to memory of 3476	2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe	84
PID 2188 wrote to memory of 2820	2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe	85
PID 2188 wrote to memory of 2820	2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe	85
PID 2188 wrote to memory of 2820	2188	ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea8f6dfab4cf68f39195d6f4bab22a5a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\Detect64.exe
  "C:\Users\Admin\AppData\Local\Temp\Detect64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3476
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsgBC1D.tmp\OCSetupHlp.dll",_OCPRD203RunOpenCandyDLL@16 2188
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Detect64.exe

Filesize
109KB

MD5
ad61719b8b04a6073fee4ff6ee827908

SHA1
ba7e46b9cc6bc098f3544841b1690f28740c2810

SHA256
9f65493fe1416e64614a6bd9f92e2e7f0269aa83feb1c595df8f7123e476edee

SHA512
be6e7cd447538b031d0467e4b939222972692910a7e3580b9a0b498f2ec3d98845415732d733ea85e7acafa252662216a7bf7bb60a25e8d6efed36e14954361c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC1D.tmp\AdvSplash.dll

Filesize
6KB

MD5
13cc92f90a299f5b2b2f795d0d2e47dc

SHA1
aa69ead8520876d232c6ed96021a4825e79f542f

SHA256
eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb

SHA512
ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC1D.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC1D.tmp\OCSetupHlp.dll

Filesize
754KB

MD5
06961f9fafb5237ddda9b36da7dc59fc

SHA1
a3410ce23efeba446cb50babd82bfbf568792bf0

SHA256
ba4490e75368696e526396266bc12e00f1b93ded3c7294d4e60f9249e315f03d

SHA512
f746807170f4c15d419f554751c9fa03df6ff9171cd549cc1b6f8d759f20a5a31ca2f33a9026f0e2e695bd3affb47ddd672bb7415a32bb943d56b742cbc1e2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC1D.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC1D.tmp\ioSpecial.ini

Filesize
710B

MD5
31f46f69c458485c2186d64736126c01

SHA1
f7c378efa91a07b9e10d207b5ef73744da843a1f

SHA256
ae0d563ed767ff296b2e5389f8894350f2119803a013e85bab983d90b4b3c61c

SHA512
573d1858b336e1b5324c6b1b608e1735751fbcc54614cfeed0ea28d3c8b8717360e598aa2f642bf330529c99f7cc929ffb88f2a594341449491883d05c7300c1

Download Submit
memory/2820-27-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2820-106-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3476-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download