4cd458e428a41dd74c2341cc401619e9781b870cbf56cbcc4cafda18f6453366

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd0baaafe40a31be68b254ea6f6747ad_JaffaCakes118.exe
Size

459KB
MD5

fd0baaafe40a31be68b254ea6f6747ad
SHA1

2b513b7f9c0bbfaf5aa6c3a5c81a99291defc5c4
SHA256

4cd458e428a41dd74c2341cc401619e9781b870cbf56cbcc4cafda18f6453366
SHA512

1d189270f4a40e52b35ae6527fb940dc9daaa1a7a21dab32bdf4d3db201e5309ef09c6ffa2bcada947f7f7fff83b3f42fe7fb083133a032eb3b09ce8d84d40dd
SSDEEP

6144:cwDYXpUeM68MJgyA6is7pcjisAfwf79ANeKnUjA8tXkk2pHPRjF0C3fYA:8M6LJgy3itQwz9PKnsA8kkCPRjNr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4476	worker.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd0baaafe40a31be68b254ea6f6747ad_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	worker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4476	worker.exe
4476	worker.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4476	1920	fd0baaafe40a31be68b254ea6f6747ad_JaffaCakes118.exe	82
PID 1920 wrote to memory of 4476	1920	fd0baaafe40a31be68b254ea6f6747ad_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\fd0baaafe40a31be68b254ea6f6747ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd0baaafe40a31be68b254ea6f6747ad_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\worker.exe
  "C:\Users\Admin\AppData\Local\Temp\\worker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\parent.txt

Filesize
459KB

MD5
fd0baaafe40a31be68b254ea6f6747ad

SHA1
2b513b7f9c0bbfaf5aa6c3a5c81a99291defc5c4

SHA256
4cd458e428a41dd74c2341cc401619e9781b870cbf56cbcc4cafda18f6453366

SHA512
1d189270f4a40e52b35ae6527fb940dc9daaa1a7a21dab32bdf4d3db201e5309ef09c6ffa2bcada947f7f7fff83b3f42fe7fb083133a032eb3b09ce8d84d40dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\worker.exe

Filesize
7KB

MD5
07ad28f3d9e5a5b0dbaa10a5c45d37c7

SHA1
a1a61f298d6f62de1808b622275b3e34ad54d855

SHA256
ae955e71be37ed8c82a9add05ce70638ba9c350128d87ac9c63de3ee81804db5

SHA512
91bd41196bb60e3db7d25dc2da22c4e9791946755ec4e9beb535d34d0265cc19c3eb9cf628b218292331237eaed3a74e6ca508026b6160621dff2f093a34bebe

Download Submit
memory/4476-13-0x000000001B5F0000-0x000000001B5F8000-memory.dmp

Filesize
32KB

Download
memory/4476-14-0x00007FFAEE0B0000-0x00007FFAEEA51000-memory.dmp

Filesize
9.6MB

Download
memory/4476-8-0x000000001BDE0000-0x000000001C2AE000-memory.dmp

Filesize
4.8MB

Download
memory/4476-9-0x000000001C350000-0x000000001C3EC000-memory.dmp

Filesize
624KB

Download
memory/4476-6-0x00007FFAEE0B0000-0x00007FFAEEA51000-memory.dmp

Filesize
9.6MB

Download
memory/4476-12-0x00007FFAEE0B0000-0x00007FFAEEA51000-memory.dmp

Filesize
9.6MB

Download
memory/4476-5-0x00007FFAEE365000-0x00007FFAEE366000-memory.dmp

Filesize
4KB

Download
memory/4476-7-0x000000001B8D0000-0x000000001B914000-memory.dmp

Filesize
272KB

Download
memory/4476-15-0x00007FFAEE0B0000-0x00007FFAEEA51000-memory.dmp

Filesize
9.6MB

Download
memory/4476-16-0x00007FFAEE0B0000-0x00007FFAEEA51000-memory.dmp

Filesize
9.6MB

Download
memory/4476-17-0x000000001FB40000-0x000000001FBA2000-memory.dmp

Filesize
392KB

Download
memory/4476-20-0x00007FFAEE0B0000-0x00007FFAEEA51000-memory.dmp

Filesize
9.6MB

Download
memory/4476-29-0x0000000021EE0000-0x0000000022686000-memory.dmp

Filesize
7.6MB

Download
memory/4476-30-0x00007FFAEE365000-0x00007FFAEE366000-memory.dmp

Filesize
4KB

Download
memory/4476-31-0x00007FFAEE0B0000-0x00007FFAEEA51000-memory.dmp

Filesize
9.6MB

Download