4c6fa8e3c0514082d364d995f157d5f4b3d9f2339aed47006eae23fe3025f530

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef4d5740e0152c792d763c4053d4e861_JaffaCakes118.exe
Size

3.5MB
MD5

ef4d5740e0152c792d763c4053d4e861
SHA1

7287802b40e87e93e444cc72d6e4857454ac503b
SHA256

4c6fa8e3c0514082d364d995f157d5f4b3d9f2339aed47006eae23fe3025f530
SHA512

d79f1c9ad2216f67b930a1c36f9d306fa29c98abeb13dd8f5999cc31bae839ed1153d9161a9eb18211361af613c4e585e604243735fe342ce9ddca912de9fd0a
SSDEEP

49152:fpJqZcTjVVZJRjDhQzfTKbf1uR/L3eiFD0ENV9JZ5QLX5qoEFZpA1yVL:fnqE1h6bKgR/ztz98pqoEFvayVL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3600	spltmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2700	ef4d5740e0152c792d763c4053d4e861_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef4d5740e0152c792d763c4053d4e861_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spltmp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3600	2700	ef4d5740e0152c792d763c4053d4e861_JaffaCakes118.exe	82
PID 2700 wrote to memory of 3600	2700	ef4d5740e0152c792d763c4053d4e861_JaffaCakes118.exe	82
PID 2700 wrote to memory of 3600	2700	ef4d5740e0152c792d763c4053d4e861_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\ef4d5740e0152c792d763c4053d4e861_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef4d5740e0152c792d763c4053d4e861_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\spltmp.exe
  "C:\Users\Admin\AppData\Local\Temp\spltmp.exe" 1000 0 C:\Users\Admin\AppData\Local\Temp\spltmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsrC90F.tmp\InstallOptions.dll

Filesize
12KB

MD5
4c7d97d0786ff08b20d0e8315b5fc3cb

SHA1
bb6f475e867b2bf55e4cd214bd4ef68e26d70f6c

SHA256
75e20f4c5eb00e9e5cb610273023e9d2c36392fa3b664c264b736c7cc2d1ac84

SHA512
f37093fd5cdda74d8f7376c60a05b442f884e9d370347c7c39d84eca88f23fbea6221da2e57197acd78c817a74703c49fb28b89d41c3e34817cc9301b0b6485a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC90F.tmp\ioSpecial.ini

Filesize
736B

MD5
3c770acf979c1da201ca1e994e8b22b3

SHA1
4ac3499569357c873aed4ea1d5cd709e6d8af53c

SHA256
c1ef2d0e65386c4ab672b4131a793ed380c93aba474f53a654121ad784de0592

SHA512
d9b893ba444d865bad4c2c5abcfb18b0dc64390b5b49562c03b5c3ee76a99d17f802a4b8ac38151169896716c802521fbcd6ed4e7798f8b379c65e912af593f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\spltmp.bmp

Filesize
64KB

MD5
b795ad19015a3f113c50c4eb1d2504c1

SHA1
6c018b16f92e0d960366d439cb891ee7fabeb2f1

SHA256
ade2621f3f16a0466e6c59ccc3e94d43ffb3fe2e338d2ab4e3cb087dc327946b

SHA512
09d93bc584569d46fb7ad75f9b68c469d43cf7861a10713bd27e325c5c9f6294a650de7bda135d49fbcd4f0fb1c9f3d4db9ca14eb693a23ac753ea155c321faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\spltmp.exe

Filesize
3KB

MD5
4309709918dfd62cb3688b21bd5da293

SHA1
c568d498b5421128d99caaa7f5626e79e624f540

SHA256
3878d20e425de5cb7765b6a65869253ba96932e7d0d29e39e4bb2b20eb13fcb7

SHA512
7571f3d1b454100c8a2081cd1c2d15764aedfe131256df12dee47da602af9b09d2ba717572502a450f2dd9940ffad4610effebd46816a856c49d72117a752962

Download Submit