6990f6b4d64d201a03bbe453adf5e969db920531222aef79c63ff245ab123b8c

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 17:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

026bcaa267fa50eff3b1afe4bd6accb4_JaffaCakes118.dll
Size

28KB
MD5

026bcaa267fa50eff3b1afe4bd6accb4
SHA1

709dd2d1f0b5f5190a97c4cad33a9d7ccc993712
SHA256

6990f6b4d64d201a03bbe453adf5e969db920531222aef79c63ff245ab123b8c
SHA512

d25baa2c651cc9b35d21702b83cb3363c7615983d4e39a6bd8b0fa5932225ce4a86a61c2de71991cb63e07708aa25c4af7eeeccb4926d6d3e33487d769974ed9
SSDEEP

384:YjfnodxlKYXQNb928jIjxVzXtL1Cq+XrgnhHhVkxUw5e1n9tnUEp5Mz5TP0:5VO88jAVB4mhVkzS993SRP

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1868	1752	rundll32.exe	31
PID 1752 wrote to memory of 1868	1752	rundll32.exe	31
PID 1752 wrote to memory of 1868	1752	rundll32.exe	31
PID 1752 wrote to memory of 1868	1752	rundll32.exe	31
PID 1752 wrote to memory of 1868	1752	rundll32.exe	31
PID 1752 wrote to memory of 1868	1752	rundll32.exe	31
PID 1752 wrote to memory of 1868	1752	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\026bcaa267fa50eff3b1afe4bd6accb4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\026bcaa267fa50eff3b1afe4bd6accb4_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-1-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/1868-4-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/1868-3-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/1868-2-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/1868-5-0x0000000040960000-0x0000000040971000-memory.dmp

Filesize
68KB

Download
memory/1868-6-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download