98857fa2b676372e9e53f83f20a81200f92e57237878d7161f8941f7f86b5c96

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef52633da935075915cbcc6cfc58ce3d_JaffaCakes118.exe
Size

428KB
MD5

ef52633da935075915cbcc6cfc58ce3d
SHA1

d8ec62fecff05723bfe4560b48fa47f4ec343ef9
SHA256

98857fa2b676372e9e53f83f20a81200f92e57237878d7161f8941f7f86b5c96
SHA512

982fb10aeccb543cabf1e0c80e086ccf15bd4d986ca06b65eedd518261d97810222aaae162b8717a032c64084f863cdcc2bafb16ddf2184f8679bc6a92d6befc
SSDEEP

12288:N672VBCfPc1ds3JBPCYHtK6I/Uj0eXlBD3:I7sBCMWJBPJthlBj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2304	bndo.exe

Loads dropped DLL 1 IoCs

pid	Process
2824	ef52633da935075915cbcc6cfc58ce3d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef52633da935075915cbcc6cfc58ce3d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bndo.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2304	2824	ef52633da935075915cbcc6cfc58ce3d_JaffaCakes118.exe	91
PID 2824 wrote to memory of 2304	2824	ef52633da935075915cbcc6cfc58ce3d_JaffaCakes118.exe	91
PID 2824 wrote to memory of 2304	2824	ef52633da935075915cbcc6cfc58ce3d_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\ef52633da935075915cbcc6cfc58ce3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef52633da935075915cbcc6cfc58ce3d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\nsfAB31.tmp\bndo.exe
  "C:\Users\Admin\AppData\Local\Temp\nsfAB31.tmp\bndo.exe" /check
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3860 /prefetch:8
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfAB31.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfAB31.tmp\Single_BABYLON.ini

Filesize
3KB

MD5
76e93c2df9b1287caa695ba6f646a897

SHA1
8352225dc2cc4dd2bd75087b7f08dbc54e596b71

SHA256
e98ee0e7776b42326452370e2ae196f1a91b32ed0aff2555f02b09e4b3782f91

SHA512
d5acfee196216f56a48d285769cc1ebfd90873647f590b37de2dbdb9dbf464cade0af35a020b85d08f11bd2c37ca3a09e36dd0946db585d2e752a5a46d71428a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfAB31.tmp\Single_BABYLON.ini

Filesize
2KB

MD5
b3360e0a77cd3ca91e9dac16f1f3c807

SHA1
0aa18294b37fea8c1972c905f41a8d2c93f43253

SHA256
cef291664b5b87ac45a603554698621f07b1e4b3fcd9abe9b7b255e655fc50ff

SHA512
79f92ca8f5db71f6e80b2bfb16b808549541d4ba62e4693d4c3245c8734286ad59b5762036714f0fbe4de383d89f50a0aa98322edbd355a0bab275333810c3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfAB31.tmp\bndo.exe

Filesize
48KB

MD5
16e1952ff720626bb5922d7d71ef24f9

SHA1
da3439990054f6456e8e17beb379c99d6c8c5749

SHA256
14c022f69376c3d2bba033ed5ee8fe52ff88b418b86bf829d4f6ed4abcfe5f9c

SHA512
32c00a0b8955d5cc2b80ad64dcd7d235680c5b40bf49671b1d8d91d91a83405d804b76b58373efb8e7c3c1576f5f5c6da8864f319e41c2c2b0a81c690f5a16c4

Download Submit