62ce8dd8e2efdecdad6ec5e83ec9db1361ee0362bf5f2609ba6f575fb9942115

Analysis

max time kernel
144s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe
Size

2.5MB
MD5

002c617a8f6ace3962a53d82cc3ad25c
SHA1

ff80895517418679be99a1efd6883897fec85f4b
SHA256

62ce8dd8e2efdecdad6ec5e83ec9db1361ee0362bf5f2609ba6f575fb9942115
SHA512

6af3df336b068b0221a178d5e57a3aff56f5a886bc6425f4d81b84b8faed34325ef1a8bf504bb98e4dc316737a2b73e81529975f9ca7ef7a6a2420e8227a0d12
SSDEEP

49152:HVyWZ81TOVstRbMsRTzRUQX8W6ZBEG6Pyt:gWKNRbMsZRvXAZEat

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4984	setup.exe
1176	victoria43_cn_setup.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	victoria43_cn_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4984	setup.exe
4984	setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1176	victoria43_cn_setup.exe
1176	victoria43_cn_setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 4984	1056	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe	87
PID 1056 wrote to memory of 4984	1056	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe	87
PID 1056 wrote to memory of 4984	1056	002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe	87
PID 4984 wrote to memory of 1176	4984	setup.exe	88
PID 4984 wrote to memory of 1176	4984	setup.exe	88
PID 4984 wrote to memory of 1176	4984	setup.exe	88

C:\Users\Admin\AppData\Local\Temp\002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\002c617a8f6ace3962a53d82cc3ad25c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\g82A76\setup.exe
  C:\Users\Admin\AppData\Local\Temp\g82A76\setup.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\g82A76\victoria43_cn_setup.exe
    C:\Users\Admin\AppData\Local\Temp\g82A76\victoria43_cn_setup.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
1⤵
PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g82A76\GTemp.dat

Filesize
583KB

MD5
5d2f51fbb661b3971a742386ded258b6

SHA1
a4895d7cadbe2c5a2a71272ba3f6250f7f6b6cba

SHA256
4ca700b3824472591caf5dde0119047decfa703a0b2556ac756bef3e5d4e4327

SHA512
b2b6bab4f7b0a0ede7634f177200a695dc28e5cb928b008b47c3b9020b4cbeb30f81769bb90178fd6ea98f1002a1fe61c13594bd2495c418ee1444b0d1df25bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\g82A76\setup.exe

Filesize
699KB

MD5
eeac65dfca940a11bce198fb04f67bd6

SHA1
f21dce2b865e057dc959bbd35bdd3edb0e26c9dc

SHA256
a1df7e91ddd4c7f3beef918207421594d4741bca270671590e1e3e36dca94fd8

SHA512
67c7ff2931af074571564c0e829e81735306b898b20e32f67c6cb9620a2c9d41abd8b68ab6dc9b4b1b4b6856052cc3c299abc7a0d937d3554176a079d2f84955

Download Submit
C:\Users\Admin\AppData\Local\Temp\g82A76\setup.ini

Filesize
217B

MD5
6b0142abf5ada49604c5258608b02f3d

SHA1
c2d73805d4ab56b9a51a915d8d58c629fee69425

SHA256
11fd61dbfd2b1bb246f2c45f326acd94b17b9e5bef5a362e4fe0a14b68e37f2e

SHA512
d2bff53a1d047f410b147c436b6cb51e5bcbcb5da4e4891967af7c6403553b859f059f1f97a6d428a064e07f63d154584506d8b3223ae7a70919d356eecb8ca9

Download Submit
memory/1056-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1176-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4984-8-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/4984-14-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/4984-13-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download