b17a103fb339befe9dc988abf974010471e0cee4fdf29ba44c5bc9700ebd9f07

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb64f94c6d3b6b8cecc6e54a89bc08c2_JaffaCakes118.exe
Size

4.2MB
MD5

fb64f94c6d3b6b8cecc6e54a89bc08c2
SHA1

db19937686b7679c8571a95f56c72236c3f9a755
SHA256

b17a103fb339befe9dc988abf974010471e0cee4fdf29ba44c5bc9700ebd9f07
SHA512

9e31aa44195be229c8fe8b7521d02d4dba8e4b161df2d785a38f8a9a8443d5dc497648f9570c5528018404568e86eb411e36695b6cea86a4a666b6f2cb69784c
SSDEEP

98304:emhd1UryeB1JVLn0EmK9xtjVLUjH5oxFbxCVLUjH5oxFbx:elTJZJ3lVUjZEdCVUjZEd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2368	95CA.tmp

Loads dropped DLL 1 IoCs

pid	Process
2340	fb64f94c6d3b6b8cecc6e54a89bc08c2_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb64f94c6d3b6b8cecc6e54a89bc08c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95CA.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2368	2340	fb64f94c6d3b6b8cecc6e54a89bc08c2_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2368	2340	fb64f94c6d3b6b8cecc6e54a89bc08c2_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2368	2340	fb64f94c6d3b6b8cecc6e54a89bc08c2_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2368	2340	fb64f94c6d3b6b8cecc6e54a89bc08c2_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fb64f94c6d3b6b8cecc6e54a89bc08c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb64f94c6d3b6b8cecc6e54a89bc08c2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\95CA.tmp
  "C:\Users\Admin\AppData\Local\Temp\95CA.tmp" --splashC:\Users\Admin\AppData\Local\Temp\fb64f94c6d3b6b8cecc6e54a89bc08c2_JaffaCakes118.exe 1CBF32C89E3A43785E05CDEA1B2596A8AD62D11961DCD3CECEBC42C48ED8FBE0B016BB18D8EA936A8306B2AA7A48F7D7183E1497A1A11ACEB6419B9450700E5E
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\95CA.tmp

Filesize
4.2MB

MD5
381cce509f8e42b0235a7c6dc61864a1

SHA1
89e2d4eb40b56e251853baa6c95db1678936484d

SHA256
e95f382435b8892847a04009ff4e9ede00200984318c2d899b8ec53fbcf6c5b8

SHA512
fc4a68b3bfefb5bdb4c055bf4a7b428389fdf1fa1321662299a27940e9fde2c097e8b280516ab95bdd218d5a5e4b5bb1e08fe2404935a6d412c5da23b087474d

Download Submit
memory/2340-0-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download
memory/2368-6-0x0000000000400000-0x0000000000849000-memory.dmp

Filesize
4.3MB

Download