5fd8dde032555c51bc3b004827b3649985d5054629f58feb6eaa23ecb2fdfaaa

Analysis

max time kernel
90s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eab1ce186838ed5307b66edea2408a6c_JaffaCakes118.exe
Size

176KB
MD5

eab1ce186838ed5307b66edea2408a6c
SHA1

34642bef3ab1dc959e78f7a5e9e20195e1c36590
SHA256

5fd8dde032555c51bc3b004827b3649985d5054629f58feb6eaa23ecb2fdfaaa
SHA512

e34baa66d97fbc654cb79c394f162b607f955665d44f0acb6e3d685bf401a546d8a7049d10a85339620ff7971ac62cb291b406c94df680b6daa3f8399c23c257
SSDEEP

3072:gQ8Ioy6rIHuCPi19X9SOlFXEhpxgFfuapPh+FsdYetaK:W7/gi19NxFXNFfuapPh+sdY1K

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
framework.pcsoft.fr
Port:
21
Username:
framework
Password:
framework

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	eab1ce186838ed5307b66edea2408a6c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	InstallFramework.exe

Loads dropped DLL 1 IoCs

pid	Process
3240	eab1ce186838ed5307b66edea2408a6c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab1ce186838ed5307b66edea2408a6c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallFramework.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2984	3240	eab1ce186838ed5307b66edea2408a6c_JaffaCakes118.exe	89
PID 3240 wrote to memory of 2984	3240	eab1ce186838ed5307b66edea2408a6c_JaffaCakes118.exe	89
PID 3240 wrote to memory of 2984	3240	eab1ce186838ed5307b66edea2408a6c_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\eab1ce186838ed5307b66edea2408a6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eab1ce186838ed5307b66edea2408a6c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
12.8MB

MD5
3e26584b4947736a729628057271ec4b

SHA1
9ebcd390dc558d41faf17e59da354c6927f0eb04

SHA256
f4865880260266b16793c653295081f157f7fa75262768b1b1050d643390c57c

SHA512
348d97f34568e92a39a41cd01aaae09e3bdd813452528f1a6f2952f675ff0ca756f171b4060c1676fe6a6d2b78a90736ed7eb882751f1c453f18619b3f14a898

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120COM.DLL

Filesize
880KB

MD5
6dbf8d8bdda8abefeacfe861b8d63ab6

SHA1
5e090d1e051fb7aa43961582296292f897176ac4

SHA256
7ef17e1abdc04dcb7194d7e92b002102740dd8fdd693f745ab5b3c8238112b86

SHA512
b6cc674ada1c7e11f5a269e2e538265d229f66c8649b7e41c79c93351ff9cafa2f1caef7933c7c1eb748dc461c468dc3eb6bea2093df2aaa2ed7bddfe6551c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120CPL.DLL

Filesize
388KB

MD5
dc9c87e65d30950f65017460415bc459

SHA1
69c3dd56b272e16d979bc29ec18156788d400ddf

SHA256
d6dff2dedb92bd644b74234936be60c65ee47eb4c836092ab182dcbaa80bd890

SHA512
d07d7da0a545db9ec296fee77e3d7dca6ff07116235e3783e7afc2e30c69f27359e75eff4ade50c40c2ccfb4cbe6aa6bc1019d5e4991790cbd315e916f314862

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120ETAT.DLL

Filesize
368KB

MD5
2ceac92735562e5755ccf5763b428df8

SHA1
c058d54552c653b9c93c1604c3095ce032b15b8e

SHA256
62c865676bc1cd57585aa603c1411050505f88b6ae4e77e7ef2e4eb3e7e34e3c

SHA512
9bf650e1ccec14c6639027f9be9ff16877c0987ace57b15c1c4c79a7c8b467de47ebc16a5aa3e71bcb7473b261433fba5bbe7539086826c4bc1bb0ad3fd48723

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120GRF.DLL

Filesize
243KB

MD5
71dfdcc33acacd5ee41204dfd1334b29

SHA1
b955ee8af6cb33f36e7b146eeb18c0539befc95a

SHA256
44f81399db59f7cdf18004570b8a15d89070964c0ded5d1d0b42845c9797da1e

SHA512
132c1397e8342076e6a8fd33d3d5c28bad40d67865f5b93b057346932671bd01808af51079c4b03f3942369709d8ce4f2539d64ec68350a481275d3b94823f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120HF.DLL

Filesize
2.2MB

MD5
3c9b94f38948fad3d7a6df0994054026

SHA1
44ccdfa36414df15aeaea77aea87708da1516d85

SHA256
83d8c793353b1b51d55622cffe88ba400a2b2fdeff3dd8f389812cef3828693c

SHA512
dcd8861a5bbdcf8c9a0859d85752f32b73248ae6e557a830431d87fada0137891e60ece761987604c41ba86cfa0f8538651812501cb69243b15e4324c2d132dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120HTML.DLL

Filesize
556KB

MD5
19de3a0a0e0d20c93b55ab1677c62a79

SHA1
8b337fddb6d8e555286c3c53087a0af370c9ef38

SHA256
1008684a8a34209b0b664e54dda6a585a278cb381a417b25363c5f17678db0b8

SHA512
340963eb58de6a1463fc08e03a63b0e8f5d66b923aa5657315a9df3a6da499553d383f63e6def85a08d2cb2fb88dd39c7f40b5ed83fc20eb006bd2c2b8633153

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120IMG.DLL

Filesize
660KB

MD5
0a02a73aad6dff9da26c3d934feb3212

SHA1
922748e6a594ce2f7f9c45d693444121c9fe2a76

SHA256
d804a4d8c25783d44acefac38224c2b06ffe022189f62c727c30466c7bcc0df8

SHA512
4b95f0d0c2e5bb0a5bc3890dca646ae283b2be13c025127ad56e5cf71df947fe5a93d9463c9fd653f846de69e55a0921447053b3499080a69a80bed95167e177

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120MAT.DLL

Filesize
96KB

MD5
14683dde70b6078ef9fac02282bc4980

SHA1
e98e342541f19f798388e509994309d251c63f27

SHA256
6d8b9f37faaf2efb238be8c0a12d3ea52933efca8b7cb07b0c0c09db72c61e00

SHA512
f89c738256648786c1e6838e98f25b8bd68900c919fc81c603c1dbcc057f1488ea09c1081758bdf94f76a8e24b28977cdd61a92bc5edf9a5b74dfba047081d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120OBJ.DLL

Filesize
2.4MB

MD5
882bba7149d3fd2c44d47e7ca54570c4

SHA1
f4c8d1b7d93207f31570f66affa958b78474d5b9

SHA256
2cf71398291dccd79eef86a234b3644060adbf9477752c28358ee16558d75046

SHA512
b22d62de3e429c22e7fa26dc8b2e59ac6e028843264328b475459efde949395f5beab895772f167612483351773aa5a72a24fa67d30dffabfe714e23d32c8d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120OLE.DLL

Filesize
108KB

MD5
f337a6b5a20a7d223a2ffa71bc57ba40

SHA1
6075d1ce252a95ed71a90118c2d47d1d2ff50121

SHA256
702b4727e24e5b0df015f631f2aa4a85850dc4ba1561172c6e41dc75cadcd919

SHA512
1740c3120c6ed5cced4d0da6faa748affa66a6fbccebd63f60bca43acd4db84e59aea859c6ee1f028c18bef916e7d4a05e0a3d2c26956b026aba91abd8e34ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120PDF.DLL

Filesize
512KB

MD5
263ff2fbf90c5aa871804ac8e3b4ac97

SHA1
0d1c0dbb1f52c68a6daf0e6dfc75bbcf853c90e2

SHA256
be9049d18fc76999f626955bd67271977324c6b5a99c35f7b72305f69816f1a6

SHA512
2ddb27bdd10134740578a82c13d4db6baef987d1543bd59929488c17382929e2b50f231f4eea0bcf9781192d306ef51eb96c905f3f7f9a4040ac32d3714216cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120PRN.DLL

Filesize
688KB

MD5
68c6824d2536ad4afc4ffd7f840757e0

SHA1
b5630f9f77456469a6ac810a0bbc1d5b3794b56d

SHA256
2040ef678c6cfc803038a309298255951bfc6e4ae88f9d579b9431fdd437e945

SHA512
a3570aa3b4cba03217ad560019a7ac534d5ec20472098e227c0160222963919ba5ef42fa570c9aee7fd210e08f9468ef57ac0a821a95ff1a0f12d1f4fd9dda32

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120RTF.DLL

Filesize
592KB

MD5
86fe91f30651e075ad554fc8e8305643

SHA1
b51534b788da6c74b08f7e88b47b041412c10cb9

SHA256
f8969793b235b7f830375e8c1ca365295e25f00f94d51d3fbcba5c049f4107c1

SHA512
a886d31cf050e8f7859935288f319a92850183cb03ccadc85b112c8e68947ec16b6706b14b8473cd6fc83cd1939914e59fa63b2f3633903b41ff95b787940d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120SQL.DLL

Filesize
512KB

MD5
82220701de72b0e38150cc197777ff6b

SHA1
ecadd8b9ae616d86587bd1e80cd3e341c11656ac

SHA256
5e0de5946104519c600f68d17c34624c9b87d5ccac6f22bb017c641fdac59d39

SHA512
6d84d9833f174871fe5cf0b6d9b7463bd2d64167cebabd01d0d391e74a9ae395c1ccb04800483bcff2d3b238f0c5187b6d5cf3e2892e6513632c93f5593e1a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120STD.DLL

Filesize
485KB

MD5
d890453e714c5910190bed52751968d6

SHA1
1f52cc8debde63c4e08932b3ad5aff670fcbad24

SHA256
a811aa2194f5402c30a7ff637e590b1d72739fb833117669df55c69fd061b65a

SHA512
73de1b6af7f8f751bf66bee052a2884edb8932f7368da5e14686e3759a548ccaec83decba88ff987b381bcb5c15c818c8376d14154fe24a385037f73848d86d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120VM.DLL

Filesize
1.7MB

MD5
ed2c1180fb220089372d64d69ca02269

SHA1
0fcc13c3dadfb6a70eb89ebe8c8035b69f3f0f10

SHA256
5d2d8b2a2fe4aea359039007b0a983e4de004b76beda035f89152c54f700f970

SHA512
ed598186738a6ecd9c0fde308c3d280bf78418e75b7f537ca934728b22f0f07f06bb7dff8a27783a89e6cd6e8f6146276f61f48539ebd44693a46616b42f6aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120XLS.DLL

Filesize
252KB

MD5
feea24e3436cbae0b10481d881b9faab

SHA1
15c6b235268c643fbff806a866e40343cb2d1891

SHA256
6541dd50e6e147c59cf8de0918b39bc11e995df3a72496105a8518029b5d4d31

SHA512
d3ba808ab1d9d7b18eca5bed087c6cc45931201c86b8d0be01ab281b7c8bc8dda835f8c9364ab8af8c4e61c8660b1bf8421619c7d6f8d56654bf264be0d7dd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD120XML.DLL

Filesize
464KB

MD5
2964b099f42237c2b4b189ea786462e1

SHA1
628ec0227029bb6435622656f42e103c4f2494fb

SHA256
eb16403fb78f8ea508f7830c2ea74d0faa45ad6558d61581970c3bcb6d7941df

SHA512
ff0f9f005c22add86e3dc89ff0658cc99fa845c2969bca72e3182e7e1e28d87ab0a9ea9cc17ca9e749be382a4df2aab136a97ec1d5b720185bf558e1a6602b56

Download Submit