92d549ead3ba0f83e8ee3f5a134f0d690dab4805078a44b9ca9fe8046075c953

Analysis

max time kernel
141s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 07:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe
Size

65KB
MD5

fe15f2153557fd74925e11471e3a996f
SHA1

b2919e8e03a3a0649f43b38dfded63ee8b092f9b
SHA256

92d549ead3ba0f83e8ee3f5a134f0d690dab4805078a44b9ca9fe8046075c953
SHA512

5b18d39d42234c7da45ad1b0f2e1e7c7118022078027bb35ad1099ad57727917e97ff2f10bcfa22c107df7eebd5b5565eadf6064bf4c50b4016464d80b1d3d36
SSDEEP

384:/TnWO+7OnCyU8aVt6UFcM/K6KQ15fD9CYoXgeKMhn21xD/S21xJ+qOeboYXeRxru:/SKzniQFXVgK21xieVNG41szy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1932	maxmin.exe
2252	otopark.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\maxmin.exe	fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe
File opened for modification	C:\Windows\system\otopark.exe	fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otopark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maxmin.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3468	fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1932	3468	fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe	82
PID 3468 wrote to memory of 1932	3468	fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe	82
PID 3468 wrote to memory of 1932	3468	fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe	82
PID 3468 wrote to memory of 2252	3468	fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe	83
PID 3468 wrote to memory of 2252	3468	fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe	83
PID 3468 wrote to memory of 2252	3468	fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe15f2153557fd74925e11471e3a996f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\system\maxmin.exe
  C:\Windows\system\maxmin.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\system\otopark.exe
  C:\Windows\system\otopark.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\maxmin.exe

Filesize
16KB

MD5
4c3a673ec912d5f289118525d5d904b6

SHA1
2eeb737cf1d7b7d87f801742fe45610d5e8eca32

SHA256
deff3fef9df0bb2aa1c4cfc45fbfb745732342bec532916b042ab5677bf21516

SHA512
420ce70d33cb2f857b8899ad8e484268487d3a886ec60f9b9248f57abf27b7423866d2a2f0c343c66535d99b3621f92a8c429f77e51a3f239f4b5a436368a1dc

Download Submit
C:\Windows\System\otopark.exe

Filesize
16KB

MD5
fd78a8b2801c8c91b04c1c3f7b948885

SHA1
3cbe34e84c8c2a781f7d64e78609b20b4bce12d9

SHA256
3e5105752ce01989bef0d791c2f8b95b1063cc9d302986d919d14df151f9a6ad

SHA512
94a0c2c09af10fcb479039ce77af2ce55bbacc5d29f7e37852caee10210f69464735566e400c329459b6f1fd31637b5316204da851f4d4a990d535f237e36aca

Download Submit
memory/1932-10-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2252-11-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download