76b814bd8f4db6fb6c11a69f30d321a94a9cd6aac3ec31bf8e1b4732027d4119

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
Size

289KB
MD5

fa0ccd0a4ef9885f1efd7c0048ebfbb2
SHA1

c62a84152d431aca31dd62a141bb19b2f51b27a6
SHA256

76b814bd8f4db6fb6c11a69f30d321a94a9cd6aac3ec31bf8e1b4732027d4119
SHA512

8b385e921163d01328a3e02d35375d43fcc6f1aebbc457cb4fecb7ae368a02f9c9f86a4e094b7996631ef8d1ec5f0ca9f57ae62ad3eb7d264f1fe12211cb94da
SSDEEP

6144:Ee34fgKkTNgc75+ZPPfnE2Qyn2LdazTH6N0tkl3KKJDvQQ9+AAD6aOtHG:SIBF+ZPPfnEUnKdafO0Md2eaOc

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 11 IoCs

pid	Process
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CScript.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1928	660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe	83
PID 660 wrote to memory of 1928	660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe	83
PID 660 wrote to memory of 1928	660	fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa0ccd0a4ef9885f1efd7c0048ebfbb2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SysWOW64\CScript.exe
  C:\Windows\system32\CScript.exe "C:\Users\Admin\AppData\Local\Temp\CID\hi.vbs" //e:vbscript //NOLOGO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CID\hi.vbs

Filesize
595B

MD5
25c40add31499978fc31b3f49bf4faf3

SHA1
860367f37722375997104414f51e95d0916890f8

SHA256
611e3e66c75703890ac4585771ccad6c51731646f291b67c349d86c87afff713

SHA512
6ab15b81a4c22d36d0c2e0ac9a779f7462b6afae8e16bb6be4ca42f66ae468c3c45b879c82288cce6727cecceba52cc6839771946fb39c94915a7f954b67a82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq885B.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq885B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq885B.tmp\ginetc.dll

Filesize
471KB

MD5
70e3b20d184751b642b06c5a7855c455

SHA1
89b00dc942e9c4965765acdb08b3e4a392f2af66

SHA256
92e693d3d8be731a66a314e5f15cfad1f4e656f3fee3d32e9e9a736b80be46c1

SHA512
48318557e3eb67379b8a8732457ef07864d4dd7a711f22834f883aaa66dbdab01b490a8928c831690e9aadc1514dfb559731142d7c10afd3e75550ab303a0dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq885B.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
memory/660-10-0x00000000022A0000-0x00000000022C6000-memory.dmp

Filesize
152KB

Download
memory/660-29-0x0000000002A90000-0x0000000002B0C000-memory.dmp

Filesize
496KB

Download