e51e8a84f9802ba21ad5d3d6ff57c73c749e1d7277f9101a24fb669c652c336b

Analysis

max time kernel
94s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeed653ec3472cae25bbb80aedab4e4_JaffaCakes118.exe
Size

289KB
MD5

eeeed653ec3472cae25bbb80aedab4e4
SHA1

f3f8ce3404252bcbb0a72b790294372405110d2e
SHA256

e51e8a84f9802ba21ad5d3d6ff57c73c749e1d7277f9101a24fb669c652c336b
SHA512

a2501cca9eeff4b85aa2691ce1f075735374ba1c5e80fc6c20cd681a7dc23ca0b68de070a375df68894d7cf9a192bf9f74187d70f6000a2b0cb66ca10eb269a6
SSDEEP

6144:1zW/KFKexXI7tRrKwyjg2ruu6rFxpSDg9SCN6IXQ9:ltx4BRrKwyjg+uxYUAy6Ig9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2408	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeeed653ec3472cae25bbb80aedab4e4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 2408	3548	eeeed653ec3472cae25bbb80aedab4e4_JaffaCakes118.exe	82
PID 3548 wrote to memory of 2408	3548	eeeed653ec3472cae25bbb80aedab4e4_JaffaCakes118.exe	82
PID 3548 wrote to memory of 2408	3548	eeeed653ec3472cae25bbb80aedab4e4_JaffaCakes118.exe	82
PID 3548 wrote to memory of 2408	3548	eeeed653ec3472cae25bbb80aedab4e4_JaffaCakes118.exe	82
PID 3548 wrote to memory of 2408	3548	eeeed653ec3472cae25bbb80aedab4e4_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\eeeed653ec3472cae25bbb80aedab4e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeeed653ec3472cae25bbb80aedab4e4_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dif7BE7.tmp

Filesize
790B

MD5
469ba0c553742a3dd7f36b91eaf3d4a0

SHA1
3f90f43d32f904fe9ad6554fdc0b1d954db55b5d

SHA256
83da8f5703139524a6d9bdd7c9fa055caa4a13005c20f77745fe970e6472b635

SHA512
fd504972ce97cb1af9bc7b15e24f2101cacc0e6cca68f71b1d7c865a6d2c29445b088050a969af711732d05548c57b26d3d76f37a51176b1df7dfb0090d19cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\data.pck

Filesize
345KB

MD5
a9e61ee985ebf5db9351663ab8a1bfe4

SHA1
ac7cc946428329d1c6810de1c33d045329ee214e

SHA256
f9bbaa1aaa5108a676f2343934b3217882cf18a24b5673349df2e5a7e48bcdd8

SHA512
4645105769ed16eec35fb9b1f051c912280cdcf8ca8b42070bba396e76051371ee4f13f929030d66f17cfaeb6e3bd75f6e0f83dbf32aa3984d048d256bc42600

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\index.scr

Filesize
790B

MD5
e6991d2f93f04ae96dd8e1c5523f1f5b

SHA1
84d35f8ace6807279314739cce1f2ad4d8bb5933

SHA256
0bae868cb8e5a1fcec978d84baafb279e43e313f79fdf1b60b4131448278da68

SHA512
f7b61281d8b16292487ccea8a6cec2524d6386ff538ea2bfd70ac4f5458464ebe3d7b4529fd8e809f5865f1d686fe9dfc3dd43bf3f85922957e9ac8fb8a78f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\puzzle.pzl

Filesize
21KB

MD5
32b927e4f3e22d311d4e17a887151366

SHA1
5e43e7c9616e8c39b239eb0456143c09c6871426

SHA256
7af53273f30870ddb1f418f15f5d1b3df4139b97afa734a5c41602bb3e795400

SHA512
c71175fb816b2da260d0fcc74051c800c36370f4af55b3aa992dce8cf0b2045d9002fcae86f01e955f777e6b11e71f94b7a9fdf1b74f7329b1f5cca32279f267

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe

Filesize
304KB

MD5
61200441e7fae807bbc020d757466117

SHA1
4d575e2d302f10b2b0a5fa0eef1524c4e332d202

SHA256
ee8d5fec51d3e03d6ea1f90dad828bfcf0659bcab52cc61a356d86082ec8007d

SHA512
7551b47084efd743fe59ae0ebe044a7e8cd86f6c559e3e4c760bc0c97dc0945443a59e98eddc2b0c564bdd1c0720d168d8462e3b772f6019d9df93d091626c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\lang.ini

Filesize
10KB

MD5
cedfd1c79c51b026a3f87794150a5039

SHA1
d373440a1f2fd8581861d7b7090085c5484b6087

SHA256
ba5ef58a17d91c7f8f39d2da9e841a162c806269e6f2bb4b689a8e9b1d0a9a80

SHA512
f48718440741fbcd80cf5b764c20629f82a527e260cb31297d40cdce22e7c3ceaac69077dc54a87767a7eac2bc826fb8f9743273049d52b0891819a089808ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\skin.ini

Filesize
1KB

MD5
393a22419b84a1219194cd6542a23c93

SHA1
f480bbfb8009844782366a3dec2ad23266dc48bc

SHA256
c46fe077a9206c75b2a6068dd6929c09df9bc616adb3caf7f1443a90f0276468

SHA512
beadbda583bf63e31a247ddcea59d7033f6cfd385e6d6bf3fc3884855ddf4b04d05f1d739f36a19319263951605bdfc00a4cc11380d978ffe2b28d4c3d35bee4

Download Submit