15be226231ee990233f181c74ad81a71205dcad0d212f33acf6c997f2867462f

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
Size

3.2MB
MD5

fc238d56038e9e5094038122ab07f016
SHA1

a6eb33748cf13f597e58f6d54e07dde03f5d041f
SHA256

15be226231ee990233f181c74ad81a71205dcad0d212f33acf6c997f2867462f
SHA512

76cad4bae7cb4c54c3b6ccbba6fc0e2d6511c8dbca07ae15738f4216c0e37be15e3a73b0b9a2fa4fd4be38d088694f2528a3f7fc3a313b4eb2c87a462a6b49a1
SSDEEP

98304:zvtgs39n1t0udUbvSIzHqxrweXZFhmU5j3sY:zvSs39nT7ivPKVtmd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4100	ns860A.tmp
4704	InstGameInfoHelper.exe

Loads dropped DLL 2 IoCs

pid	Process
3876	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
3876	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ns860A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstGameInfoHelper.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 4100	3876	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe	82
PID 3876 wrote to memory of 4100	3876	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe	82
PID 3876 wrote to memory of 4100	3876	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe	82
PID 4100 wrote to memory of 4704	4100	ns860A.tmp	84
PID 4100 wrote to memory of 4704	4100	ns860A.tmp	84
PID 4100 wrote to memory of 4704	4100	ns860A.tmp	84

C:\Users\Admin\AppData\Local\Temp\fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\ns860A.tmp
  "C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\ns860A.tmp" "C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\InstGameInfoHelper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\InstGameInfoHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\InstGameInfoHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\InstGameInfoHelper.exe

Filesize
98KB

MD5
ec08c1c867ded8f5221aefb969b161c1

SHA1
839866cc28b401d1d3f0f07aa8f13803f56b496a

SHA256
f3bd166834e626631abe30c2353dd1c015d8b9cf6b63cf94164478e6cbf3c0be

SHA512
34c35aab50e9207bdb50cb619c0882b585577b46cdd23710663dcfeceaca8b7c4248e082ad28c2718201225c42d0ad559ebd0ebe904a588d324d50d44774a7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\System.dll

Filesize
10KB

MD5
7d85b1f619a3023cc693a88f040826d2

SHA1
09f5d32f8143e7e0d9270430708db1b9fc8871a8

SHA256
dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18

SHA512
5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\ftdownload.dat

Filesize
512B

MD5
a7d80ce4c7651bdae8bbc2e149fe76b2

SHA1
46724d4b90d484f12e6d0531c25c5e7abfcedfd2

SHA256
b8b34eeae2da1840b5301665fd2e66def8c8a28836eb87752187f1510dc82eea

SHA512
4dff4dd2f1976c5bc829821def2ae9255348864280471a3141cdf368cfbcd5ed76264a361e67e7eaedf81895324d336978a3bdabc7abb5dda2cfc18cd0494f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\gametitle.txt

Filesize
7B

MD5
ef204df0430a7e6dc01fd819de9163cd

SHA1
0046d09b3d18e4bde7f8e917c5594790b27a708b

SHA256
5418d8082209dd2664d8d98045dc8f05d29f4057841f63250587c71e8dd8b001

SHA512
7b5cc5c1b86be312ea970ffc2b11297e7d56a152da5a3626b2c39e01b787d89e49dc93db43d1abe125ab1b706347b48a556892a84fde2736d845e27d47ffe96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\ns860A.tmp

Filesize
6KB

MD5
8c05c6c4c781d8da520ab78f9a4a1c98

SHA1
3e883bc548fb51c8ed1880c8b91d9fd4ccfb2033

SHA256
2cf3490717e10af42d7995a95cbb17df4dc7adf7ff143e9c386651c42b7a3c60

SHA512
d8ba933c457a0a53434d9993995fb3e94d4297d04d1af9bffedf20485b67bba7e6ef7ea18b821ae5d85dcb09b2e71fdc015fcccc949904b80cb17d90d0e2278b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\nsExec.dll

Filesize
6KB

MD5
907db8118c510976d58a75dd9cf7d0e3

SHA1
90446f992946000038807d2966fd71e30e61b1c8

SHA256
d166786a2091215ab6360853bc591e7045dd9bc697f45f0b19332b8d629af32e

SHA512
f2afc42f03d95ef68c113cb13b47f3b027e5cf8ce7b492a4c15867d72bcd81122d2c70786c52146ac65d5b9e137ed15324b7515f089be3b3efc6711dc0c6e146

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp85EA.tmp\tn_feat.bmp

Filesize
243B

MD5
ffa990f6cd91195745f708a74b7e0087

SHA1
ddf6c6302ad2278b192313094bf7295cc9c68691

SHA256
c6bbf5718fbb6c3d8c1d63a98432420a8c046201edf846d75005af80d4b7f4f3

SHA512
06edbe5190ef4369831753dd4d13fca8718708cc5d95b1d1b5692259b1a9508f8d9dea235a08074bbb8ce88fba616c6602563501eb26ab7ce36691027e44bd8f

Download Submit