49eaf18ae2ac6b374a36300cdbe4b215c217a107ead10cdc3213ae6a40d63102

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 20:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ff3c69348a45d49a42b89fcdf3d4e3a9_JaffaCakes118.exe
Size

88KB
MD5

ff3c69348a45d49a42b89fcdf3d4e3a9
SHA1

403ec8411ce73776a34bfe279c99d76f729fae5d
SHA256

49eaf18ae2ac6b374a36300cdbe4b215c217a107ead10cdc3213ae6a40d63102
SHA512

00fd2a0570551f6c2bfbc99494070249df37ae2d8ed94b908ff02900a508a96bf36fe2308029b273c376e5a074c13b30012bbceb816bb62380a0ce5cbf65bff9
SSDEEP

1536:teAZLLL1GXAQ5k8OvWNfk3QjWq6NmOaDraK/pCeUmu:4QB8OW6NmOa/aK/U4u

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff3c69348a45d49a42b89fcdf3d4e3a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2344	2092	ff3c69348a45d49a42b89fcdf3d4e3a9_JaffaCakes118.exe	82
PID 2092 wrote to memory of 2344	2092	ff3c69348a45d49a42b89fcdf3d4e3a9_JaffaCakes118.exe	82
PID 2092 wrote to memory of 2344	2092	ff3c69348a45d49a42b89fcdf3d4e3a9_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\ff3c69348a45d49a42b89fcdf3d4e3a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff3c69348a45d49a42b89fcdf3d4e3a9_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Free4.bat" > NUL"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Free4.bat

Filesize
3KB

MD5
ff4005dfae1fe3769e907ba1dcad2cef

SHA1
7b470152282a262bb3d97dabba1a95f4aefc49a1

SHA256
a0dfab7b178ac59973fa074ee558f81540fbea6a5f4645b937d067e1ac6613e4

SHA512
f3c136ce11a38f2df8ab7815b0d0fc591431789855c76a5b611e44b89c3489d7a2df62f7d7d075b7b0796b3db206b034f8a9c85b83e6edf864c4a9dcf9961af1

Download Submit