307dd4b02d3719935565c4ec95211920b7aee40aa52242a462fc186036217b15

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 09:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fa1feffa5d596547add54fd11004ec10_JaffaCakes118.exe
Size

328KB
MD5

fa1feffa5d596547add54fd11004ec10
SHA1

8c4f527adc77b08fa71325347d6808c77ebb5ac4
SHA256

307dd4b02d3719935565c4ec95211920b7aee40aa52242a462fc186036217b15
SHA512

fcfdcb3865b795392c37f07818d60408df731c669be2176cbef0a47a9bbdc482557a7a678a12b609bc9479f7ebf7e8650e1634b392dd977d95cbf2e0d20cc913
SSDEEP

6144:1zW/KFKexXI7tRrKwyjg2ruu6rFxpSDg9SCN6MT/bt5bMavP4gyR1qF:ltx4BRrKwyjg+uxYUAy6k/bkan4gG1C

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2360	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa1feffa5d596547add54fd11004ec10_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 2360	1408	fa1feffa5d596547add54fd11004ec10_JaffaCakes118.exe	82
PID 1408 wrote to memory of 2360	1408	fa1feffa5d596547add54fd11004ec10_JaffaCakes118.exe	82
PID 1408 wrote to memory of 2360	1408	fa1feffa5d596547add54fd11004ec10_JaffaCakes118.exe	82
PID 1408 wrote to memory of 2360	1408	fa1feffa5d596547add54fd11004ec10_JaffaCakes118.exe	82
PID 1408 wrote to memory of 2360	1408	fa1feffa5d596547add54fd11004ec10_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\fa1feffa5d596547add54fd11004ec10_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa1feffa5d596547add54fd11004ec10_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dif6AA1.tmp

Filesize
826B

MD5
27d991f6aef5ce3dfea2352b6eb3bc4e

SHA1
46abf6f7dd466c3426628e9a94f90c4b7bdf3fbf

SHA256
780b5d75c865b25f9b9b0f3b1913516323a407f44c3e759dc29bd5efc7e6fdf2

SHA512
0fcc5710702ad58bdcc987777d3fbefb93cff54a2406bf4c3d98f21f68de7467269b2b90d53e74b1c742ca7be222cce964cbca35568988c419750ce1341ff967

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\data.pck

Filesize
345KB

MD5
a9e61ee985ebf5db9351663ab8a1bfe4

SHA1
ac7cc946428329d1c6810de1c33d045329ee214e

SHA256
f9bbaa1aaa5108a676f2343934b3217882cf18a24b5673349df2e5a7e48bcdd8

SHA512
4645105769ed16eec35fb9b1f051c912280cdcf8ca8b42070bba396e76051371ee4f13f929030d66f17cfaeb6e3bd75f6e0f83dbf32aa3984d048d256bc42600

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\index.scr

Filesize
826B

MD5
edf624a3552997c651869d5a75338316

SHA1
528acc878a330610a95d1056ef24ee1fe4cb2c24

SHA256
209157b424159435bf1c0f9e9ddefa72571312076da49d9b8ef6dd18333e36f9

SHA512
6851a6bb72f677dbc0c55fbeec66c084c39b464711ef1e204db4b62aa811217a97c26f9626c10fce2785d38b3ac6725c705817fb9054f749cae3a7ce04ae31db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\puzzle.pzl

Filesize
60KB

MD5
8fa85c4232556cc5c29bbb18b69dbaef

SHA1
c95b02154ede837108618b7314a40f0d25810a3d

SHA256
52f742f814501293464a084fb8e8356243f61e0aeb67c90215a5a4cb537b27ac

SHA512
bf441c6b4ab6d829e6cf6d002978dfd3facdb571aab68514d3505562efd5ecb19dab62f33f925dfe0e3cfbed53aca0a48f8cb33ee21886496e33421714414c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe

Filesize
304KB

MD5
61200441e7fae807bbc020d757466117

SHA1
4d575e2d302f10b2b0a5fa0eef1524c4e332d202

SHA256
ee8d5fec51d3e03d6ea1f90dad828bfcf0659bcab52cc61a356d86082ec8007d

SHA512
7551b47084efd743fe59ae0ebe044a7e8cd86f6c559e3e4c760bc0c97dc0945443a59e98eddc2b0c564bdd1c0720d168d8462e3b772f6019d9df93d091626c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\lang.ini

Filesize
10KB

MD5
cedfd1c79c51b026a3f87794150a5039

SHA1
d373440a1f2fd8581861d7b7090085c5484b6087

SHA256
ba5ef58a17d91c7f8f39d2da9e841a162c806269e6f2bb4b689a8e9b1d0a9a80

SHA512
f48718440741fbcd80cf5b764c20629f82a527e260cb31297d40cdce22e7c3ceaac69077dc54a87767a7eac2bc826fb8f9743273049d52b0891819a089808ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\skin.ini

Filesize
1KB

MD5
393a22419b84a1219194cd6542a23c93

SHA1
f480bbfb8009844782366a3dec2ad23266dc48bc

SHA256
c46fe077a9206c75b2a6068dd6929c09df9bc616adb3caf7f1443a90f0276468

SHA512
beadbda583bf63e31a247ddcea59d7033f6cfd385e6d6bf3fc3884855ddf4b04d05f1d739f36a19319263951605bdfc00a4cc11380d978ffe2b28d4c3d35bee4

Download Submit