b274740c78ba54ad3f0ac1c313adffd67f2fac890abf0beac24dda5f7ee1389e

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac76e43292fe810dce48dcd9590abbb_JaffaCakes118.exe
Size

118KB
MD5

eac76e43292fe810dce48dcd9590abbb
SHA1

32421965aa0d771efbe34636ccab62e6c3073dda
SHA256

b274740c78ba54ad3f0ac1c313adffd67f2fac890abf0beac24dda5f7ee1389e
SHA512

2d9e31b5670e35e959191830552d60829e8927a1f6dd658e6e71fb76a2c48657f0fbdfc384b3be9f81a93d8eeb893230658dc89d40849545bb013179ed59f540
SSDEEP

3072:tTdJG2Gm3vy/Y89NQmeAwTbvO9K4bYemnAFck2tlZ9QQz8l+y9qfI5BGVx:tTdJAm3vy/Y89NQmeAwTbvO9K4bYemUZ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
280	winload.exe

Loads dropped DLL 2 IoCs

pid	Process
3048	eac76e43292fe810dce48dcd9590abbb_JaffaCakes118.exe
3048	eac76e43292fe810dce48dcd9590abbb_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac76e43292fe810dce48dcd9590abbb_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
280	winload.exe
280	winload.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 280	3048	eac76e43292fe810dce48dcd9590abbb_JaffaCakes118.exe	29
PID 3048 wrote to memory of 280	3048	eac76e43292fe810dce48dcd9590abbb_JaffaCakes118.exe	29
PID 3048 wrote to memory of 280	3048	eac76e43292fe810dce48dcd9590abbb_JaffaCakes118.exe	29
PID 3048 wrote to memory of 280	3048	eac76e43292fe810dce48dcd9590abbb_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\eac76e43292fe810dce48dcd9590abbb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac76e43292fe810dce48dcd9590abbb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\winload.exe
  winload.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\winload.exe

Filesize
68KB

MD5
5c9cbf73ab322b1535e3bb823b20ea6c

SHA1
0e7d85e3fcaaa9191b756d74e888ac3c7f4e6a04

SHA256
b107def9335be2eb0a1585d68d80fac2d224d8f4fc74d8a208fc16cf2efc40a8

SHA512
bdd051efbb5b4e9022826435484f3a7d93da5ca2a56332854810ffb4fdba589c07c8e04f10c104d23ee7cd02c6547300184093eb1af6c37ee8659653032cb78f

Download Submit
memory/3048-9-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download