c5fa001985e9b7edaa623a1b3d76ef7febf0630ef35a61e7793886b509e212bf

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee7a0d2340f0f27f1c58263fb4f7e3b6_JaffaCakes118.exe
Size

172KB
MD5

ee7a0d2340f0f27f1c58263fb4f7e3b6
SHA1

fab2a4827b5537ebce1e0ebdfd43577d72eef10f
SHA256

c5fa001985e9b7edaa623a1b3d76ef7febf0630ef35a61e7793886b509e212bf
SHA512

7ac45688cb129fcc4604003a12e61a1c333dc9ed64e1d28d9659596c50d1a10c7a28d1ccce6dbad2624e0e7e695fb4f7975173aa9f3d41ce47c193d50fa12595
SSDEEP

3072:tbUxRas0poVY24brfABzPny/J+9St1K8gRWIxch0MutWvAOL8GbNcoNhylyGxMph:dUR0pJ2bPnuc1UieEWvAOIcSo7pEKh

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fvtbtb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sgrco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee7a0d2340f0f27f1c58263fb4f7e3b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojvkfvwe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfrduh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cemecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iidymkeoexsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xboaowjytrif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sesncu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snsjef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paokovutlyk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikeobhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eddkyv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtnlmeot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chbincokwygf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lzwtlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yfqqhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndoiycj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cktjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iqir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nulayjrbyx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waenmwj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmakfb.exe

Suspicious behavior: RenamesItself 22 IoCs

pid	Process
5044	ee7a0d2340f0f27f1c58263fb4f7e3b6_JaffaCakes118.exe
4024	iqir.exe
4252	snsjef.exe
4276	paokovutlyk.exe
2976	ojvkfvwe.exe
4316	nulayjrbyx.exe
3632	ikeobhp.exe
4460	eddkyv.exe
3628	iidymkeoexsk.exe
3696	gtnlmeot.exe
4384	dfrduh.exe
1000	waenmwj.exe
4552	xboaowjytrif.exe
912	chbincokwygf.exe
372	msmakfb.exe
4912	sesncu.exe
1808	lzwtlj.exe
5048	cemecd.exe
396	ndoiycj.exe
4200	yfqqhj.exe
2520	cktjv.exe
4392	fvtbtb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4024	5044	ee7a0d2340f0f27f1c58263fb4f7e3b6_JaffaCakes118.exe	86
PID 5044 wrote to memory of 4024	5044	ee7a0d2340f0f27f1c58263fb4f7e3b6_JaffaCakes118.exe	86
PID 5044 wrote to memory of 4024	5044	ee7a0d2340f0f27f1c58263fb4f7e3b6_JaffaCakes118.exe	86
PID 4024 wrote to memory of 4252	4024	iqir.exe	90
PID 4024 wrote to memory of 4252	4024	iqir.exe	90
PID 4024 wrote to memory of 4252	4024	iqir.exe	90
PID 4252 wrote to memory of 4276	4252	snsjef.exe	91
PID 4252 wrote to memory of 4276	4252	snsjef.exe	91
PID 4252 wrote to memory of 4276	4252	snsjef.exe	91
PID 4276 wrote to memory of 2976	4276	paokovutlyk.exe	92
PID 4276 wrote to memory of 2976	4276	paokovutlyk.exe	92
PID 4276 wrote to memory of 2976	4276	paokovutlyk.exe	92
PID 2976 wrote to memory of 4316	2976	ojvkfvwe.exe	95
PID 2976 wrote to memory of 4316	2976	ojvkfvwe.exe	95
PID 2976 wrote to memory of 4316	2976	ojvkfvwe.exe	95
PID 4316 wrote to memory of 3632	4316	nulayjrbyx.exe	96
PID 4316 wrote to memory of 3632	4316	nulayjrbyx.exe	96
PID 4316 wrote to memory of 3632	4316	nulayjrbyx.exe	96
PID 3632 wrote to memory of 4460	3632	ikeobhp.exe	97
PID 3632 wrote to memory of 4460	3632	ikeobhp.exe	97
PID 3632 wrote to memory of 4460	3632	ikeobhp.exe	97
PID 4460 wrote to memory of 3628	4460	eddkyv.exe	98
PID 4460 wrote to memory of 3628	4460	eddkyv.exe	98
PID 4460 wrote to memory of 3628	4460	eddkyv.exe	98
PID 3628 wrote to memory of 3696	3628	iidymkeoexsk.exe	99
PID 3628 wrote to memory of 3696	3628	iidymkeoexsk.exe	99
PID 3628 wrote to memory of 3696	3628	iidymkeoexsk.exe	99
PID 3696 wrote to memory of 4384	3696	gtnlmeot.exe	100
PID 3696 wrote to memory of 4384	3696	gtnlmeot.exe	100
PID 3696 wrote to memory of 4384	3696	gtnlmeot.exe	100
PID 4384 wrote to memory of 1000	4384	dfrduh.exe	101
PID 4384 wrote to memory of 1000	4384	dfrduh.exe	101
PID 4384 wrote to memory of 1000	4384	dfrduh.exe	101
PID 1000 wrote to memory of 4552	1000	waenmwj.exe	102
PID 1000 wrote to memory of 4552	1000	waenmwj.exe	102
PID 1000 wrote to memory of 4552	1000	waenmwj.exe	102
PID 4552 wrote to memory of 912	4552	xboaowjytrif.exe	103
PID 4552 wrote to memory of 912	4552	xboaowjytrif.exe	103
PID 4552 wrote to memory of 912	4552	xboaowjytrif.exe	103
PID 912 wrote to memory of 372	912	chbincokwygf.exe	104
PID 912 wrote to memory of 372	912	chbincokwygf.exe	104
PID 912 wrote to memory of 372	912	chbincokwygf.exe	104
PID 372 wrote to memory of 4912	372	msmakfb.exe	105
PID 372 wrote to memory of 4912	372	msmakfb.exe	105
PID 372 wrote to memory of 4912	372	msmakfb.exe	105
PID 4912 wrote to memory of 1808	4912	sesncu.exe	106
PID 4912 wrote to memory of 1808	4912	sesncu.exe	106
PID 4912 wrote to memory of 1808	4912	sesncu.exe	106
PID 1808 wrote to memory of 5048	1808	lzwtlj.exe	107
PID 1808 wrote to memory of 5048	1808	lzwtlj.exe	107
PID 1808 wrote to memory of 5048	1808	lzwtlj.exe	107
PID 5048 wrote to memory of 396	5048	cemecd.exe	108
PID 5048 wrote to memory of 396	5048	cemecd.exe	108
PID 5048 wrote to memory of 396	5048	cemecd.exe	108
PID 396 wrote to memory of 4200	396	ndoiycj.exe	109
PID 396 wrote to memory of 4200	396	ndoiycj.exe	109
PID 396 wrote to memory of 4200	396	ndoiycj.exe	109
PID 4200 wrote to memory of 2520	4200	yfqqhj.exe	110
PID 4200 wrote to memory of 2520	4200	yfqqhj.exe	110
PID 4200 wrote to memory of 2520	4200	yfqqhj.exe	110
PID 2520 wrote to memory of 4392	2520	cktjv.exe	111
PID 2520 wrote to memory of 4392	2520	cktjv.exe	111
PID 2520 wrote to memory of 4392	2520	cktjv.exe	111
PID 4392 wrote to memory of 2476	4392	fvtbtb.exe	112

C:\Users\Admin\AppData\Local\Temp\ee7a0d2340f0f27f1c58263fb4f7e3b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee7a0d2340f0f27f1c58263fb4f7e3b6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\iqir.exe
  C:\Windows\system32\iqir.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\snsjef.exe
    C:\Windows\system32\snsjef.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\paokovutlyk.exe
      C:\Windows\system32\paokovutlyk.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: RenamesItself
      Suspicious use of WriteProcessMemory
      PID:4276
    - - C:\Windows\SysWOW64\ojvkfvwe.exe
        
        C:\Windows\system32\ojvkfvwe.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\nulayjrbyx.exe
        
        C:\Windows\system32\nulayjrbyx.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\ikeobhp.exe
        
        C:\Windows\system32\ikeobhp.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\eddkyv.exe
        
        C:\Windows\system32\eddkyv.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\iidymkeoexsk.exe
        
        C:\Windows\system32\iidymkeoexsk.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\gtnlmeot.exe
        
        C:\Windows\system32\gtnlmeot.exe
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\dfrduh.exe
        
        C:\Windows\system32\dfrduh.exe
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\waenmwj.exe
        
        C:\Windows\system32\waenmwj.exe
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\xboaowjytrif.exe
        
        C:\Windows\system32\xboaowjytrif.exe
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\chbincokwygf.exe
        
        C:\Windows\system32\chbincokwygf.exe
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\msmakfb.exe
        
        C:\Windows\system32\msmakfb.exe
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\sesncu.exe
        
        C:\Windows\system32\sesncu.exe
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\lzwtlj.exe
        
        C:\Windows\system32\lzwtlj.exe
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\cemecd.exe
        
        C:\Windows\system32\cemecd.exe
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\ndoiycj.exe
        
        C:\Windows\system32\ndoiycj.exe
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\yfqqhj.exe
        
        C:\Windows\system32\yfqqhj.exe
        20⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\cktjv.exe
        
        C:\Windows\system32\cktjv.exe
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\fvtbtb.exe
        
        C:\Windows\system32\fvtbtb.exe
        22⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\sgrco.exe
        
        C:\Windows\system32\sgrco.exe
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/396-66-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/912-56-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1000-52-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1808-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2520-70-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2976-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3628-46-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3632-42-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3696-48-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4024-13-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/4024-30-0x0000000000690000-0x00000000006AE000-memory.dmp

Filesize
120KB

Download
memory/4024-14-0x0000000003940000-0x0000000003941000-memory.dmp

Filesize
4KB

Download
memory/4024-12-0x0000000003980000-0x0000000003981000-memory.dmp

Filesize
4KB

Download
memory/4024-11-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/4024-10-0x0000000000690000-0x00000000006AE000-memory.dmp

Filesize
120KB

Download
memory/4024-17-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4024-16-0x0000000003A60000-0x0000000003A61000-memory.dmp

Filesize
4KB

Download
memory/4024-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4024-15-0x00000000039C0000-0x00000000039C1000-memory.dmp

Filesize
4KB

Download
memory/4200-68-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4252-34-0x0000000000590000-0x00000000005AE000-memory.dmp

Filesize
120KB

Download
memory/4252-22-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/4252-28-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/4252-26-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/4252-25-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/4252-23-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/4252-24-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/4252-21-0x0000000000590000-0x00000000005AE000-memory.dmp

Filesize
120KB

Download
memory/4252-31-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4252-27-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/4276-32-0x0000000000590000-0x00000000005AE000-memory.dmp

Filesize
120KB

Download
memory/4276-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4276-37-0x0000000000590000-0x00000000005AE000-memory.dmp

Filesize
120KB

Download
memory/4316-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4384-50-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4392-72-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4460-44-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4552-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4912-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5044-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5044-6-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/5044-7-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/5044-5-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/5044-1-0x00000000006E0000-0x00000000006FE000-memory.dmp

Filesize
120KB

Download
memory/5044-8-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/5044-2-0x0000000003A60000-0x0000000003A61000-memory.dmp

Filesize
4KB

Download
memory/5044-3-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/5044-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5044-4-0x0000000003BB0000-0x0000000003BB1000-memory.dmp

Filesize
4KB

Download
memory/5044-19-0x00000000006E0000-0x00000000006FE000-memory.dmp

Filesize
120KB

Download
memory/5048-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download