337c4ea901d220d516cfa93e9afc705e43454eb9171f041ee5ad6b04d712db61

Analysis

max time kernel
92s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffea6b5b579530387ba1be822ae7ab49_JaffaCakes118.exe
Size

62KB
MD5

ffea6b5b579530387ba1be822ae7ab49
SHA1

20de6a02f0fe7e3c2b2a2f1bf6ec5a90708213b9
SHA256

337c4ea901d220d516cfa93e9afc705e43454eb9171f041ee5ad6b04d712db61
SHA512

34bb39b771f46acce4e08feb3e04ca6e01ade00a5123686c9a779144bd22d9e62d082743a66d5b586b80404d752a6005b081c422a3cb0fae9485852964ebde32
SSDEEP

768:7CiKtq5lT/XbZPyKpydn0mIeedim2BZ6Z8oIbitq8+slZLIFX2zLmXUTrV:+i6q7TfbZPvpydD3eNk6ZRGOq9HM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3596	Temptmp.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffea6b5b579530387ba1be822ae7ab49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temptmp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3596	Temptmp.exe
3596	Temptmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3332	ffea6b5b579530387ba1be822ae7ab49_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 3596	3332	ffea6b5b579530387ba1be822ae7ab49_JaffaCakes118.exe	82
PID 3332 wrote to memory of 3596	3332	ffea6b5b579530387ba1be822ae7ab49_JaffaCakes118.exe	82
PID 3332 wrote to memory of 3596	3332	ffea6b5b579530387ba1be822ae7ab49_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\ffea6b5b579530387ba1be822ae7ab49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffea6b5b579530387ba1be822ae7ab49_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temptmp.exe
  C:\Users\Admin\AppData\Local\Temptmp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temptmp.exe

Filesize
38KB

MD5
655f107961bba2c8e7722525c7bf4798

SHA1
754a76763d5a640a9e0ca08ee4ac708052c7b050

SHA256
1530fb47a6658b44aa8c7354bf9e8c9455d00826ffd38db4641a15e9eeb42531

SHA512
1a49b2a770e3741dc5e8017cadfdf3fb4753861cd3e70beaa15d8c7bdc587e43c9f902471b40aeb31822974450320943d5cb5d098cf15b7926d22f02ecddbacf

Download Submit