d4043b77c395f3bbe10de168d7d2d18888f02065257f98ab2fc1d96449f7a054

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

032e1dd317bd9cd6b72e8be5166c72b6_JaffaCakes118.exe
Size

1.9MB
MD5

032e1dd317bd9cd6b72e8be5166c72b6
SHA1

1b4728eadb7bca6a60bcf20b5b2ec83da5c275e1
SHA256

d4043b77c395f3bbe10de168d7d2d18888f02065257f98ab2fc1d96449f7a054
SHA512

810c37b22fd85fb1cde2317a33ed868242d1b1380da7bfab7801346fd57d619d9371171c23c2eb8ae135e57fc942367df40b3d4687bf36ddbee6e5e09616711e
SSDEEP

49152:Qoa1taC070dwJTuL6LSh2DIZd2F0uFcPybIFYs:Qoa1taC0X4LYmeF0uFcq8Fx

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2240	84F8.tmp

Executes dropped EXE 1 IoCs

pid	Process
2240	84F8.tmp

Loads dropped DLL 1 IoCs

pid	Process
2648	032e1dd317bd9cd6b72e8be5166c72b6_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	032e1dd317bd9cd6b72e8be5166c72b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84F8.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2240	2648	032e1dd317bd9cd6b72e8be5166c72b6_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2240	2648	032e1dd317bd9cd6b72e8be5166c72b6_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2240	2648	032e1dd317bd9cd6b72e8be5166c72b6_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2240	2648	032e1dd317bd9cd6b72e8be5166c72b6_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\032e1dd317bd9cd6b72e8be5166c72b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\032e1dd317bd9cd6b72e8be5166c72b6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\84F8.tmp
  "C:\Users\Admin\AppData\Local\Temp\84F8.tmp" --splashC:\Users\Admin\AppData\Local\Temp\032e1dd317bd9cd6b72e8be5166c72b6_JaffaCakes118.exe 7E3768D425872ED60C563613668C935E0E4F4EF8B57543893E1601F23A919092C20629F30765198BFE34615A6B57C7928C4964C344CC717D3C45F33AF7BAC865
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\84F8.tmp

Filesize
1.9MB

MD5
71fbccf9d95bc2ff267eed56b7462ebb

SHA1
cdee39371187024001ba08113b085e51c321bd82

SHA256
8781d19bc4892fbdd66a04a35def0e26505bac82c6ed016412d61a1cc7cca4c0

SHA512
3fe8f86d294049c16f142c1a9d61248d35a1256babfe94789f8768855bc11cc5a32e0fde73324d07e72cfc5e449e70cb10dfe20c7f3c31a75eee941ec0894a24

Download Submit
memory/2240-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2648-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download