9bc8e6571e16becf698bef81c9479d65d6d80fa5f11239915517292cb9955737

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec19684b75218ccc9705b6754c565cd1_JaffaCakes118.exe
Size

15KB
MD5

ec19684b75218ccc9705b6754c565cd1
SHA1

895ee4ae8d815c1c8259b54499b4119a5b78aabb
SHA256

9bc8e6571e16becf698bef81c9479d65d6d80fa5f11239915517292cb9955737
SHA512

caaae99b90e6efa42678b4908bc79df9265230395eb90d582c8c9af2ba5ff4108e8888349c192ff1b19cbf8c319dd3ad3ac2a7dc4b20dadd127f08abf3807e26
SSDEEP

384:k4f9+Lk/x6gNwUmhaxkjAwqKp3WKLdSKQJ:T0vg9xkcRKZWK8

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec19684b75218ccc9705b6754c565cd1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1320	ec19684b75218ccc9705b6754c565cd1_JaffaCakes118.exe
1320	ec19684b75218ccc9705b6754c565cd1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	ec19684b75218ccc9705b6754c565cd1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 3600	1320	ec19684b75218ccc9705b6754c565cd1_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3600
- C:\Users\Admin\AppData\Local\Temp\ec19684b75218ccc9705b6754c565cd1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ec19684b75218ccc9705b6754c565cd1_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\showthread[1].htm

Filesize
18KB

MD5
a6f3738fde0d5c436e1bee1e836d987f

SHA1
8c7ebd76b7ed321fc6647b963fb367c843dae164

SHA256
d66820013cebfb7dbbbb412e02b61ed9e268657e0968c04507874217cf4b56cf

SHA512
fa082dfc128f778dbd2045fec49f7736101b433d83178fd68bb0ab96427d35b44e129e28ef2bb493a74fa6999a18ee2b4308848eb4d7c14efa844373edfc1e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#BA2C.tmp

Filesize
18KB

MD5
93af2896574b14b474256aa5e0b18108

SHA1
49700a65dca9564bbb6356db1b9c9fd1ca2095d1

SHA256
14c8485813911c0df470753693932da83fc001d5b33b14ae2c1e4146c9680cf6

SHA512
547ae25e2e8839f477516d4837db04465f50b8c7acb828df0b73c1a5450018ea2182100b0db0f81ecf5987928c692a5babce80d819178eb2a578e5fd68964b9a

Download Submit
memory/1320-0-0x0000000002160000-0x0000000002162000-memory.dmp

Filesize
8KB

Download
memory/1320-13-0x0000000002160000-0x0000000002162000-memory.dmp

Filesize
8KB

Download