5979c8cc73a843d076731d60e61b0856e32fb9620d922f1fe8730e2dd875b17a

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Size

2.9MB
MD5

eac4cda1cc87369a2e789516b46591ab
SHA1

fd532c0b01c48397297cda785cd439a3b74c71c6
SHA256

5979c8cc73a843d076731d60e61b0856e32fb9620d922f1fe8730e2dd875b17a
SHA512

713a6b5e3adb695350a6538d8d48a538d3406fa9c64c4a2753e17b6ebff1f378bf565e2a82de85e979c3626bbbc7231859ab92292c06a16428c6df2f989961c9
SSDEEP

49152:F2xt/FubbLDcrzL0KdPsBNp4j11b8ffPqlk:FuabzqzLnkBNWT8f

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.EAPProtocol\Clsid	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ProgID	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG\CLSID\{6f61f716-6880-46a2-b258-41a567e9483a}	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG\CLSID	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ = "Embedded Async Pluggable Protocol"	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.EAPProtocol	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.EAPProtocol\ = "Embedded Async Pluggable Protocol"	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.EAPProtocol\Clsid\ = "{5902C4EB-8397-4FF6-B5D8-741A51D26543}"	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe"	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ProgID\ = "eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.EAPProtocol"	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\LocalServer32	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2600	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
2600	eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac4cda1cc87369a2e789516b46591ab_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2600-0-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2600-5-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download