9d2f29a7e18331c1ea68912e5efd237a95fd3b027fac44c1016f9dfde37f5244

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 07:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
Size

232KB
MD5

04c8d67eb6f2c8410479fd7ecddcb443
SHA1

29003e88336afd4452814b54479c9e467f0ba948
SHA256

9d2f29a7e18331c1ea68912e5efd237a95fd3b027fac44c1016f9dfde37f5244
SHA512

3fabc811b77cf2407085f8a2bcb85dd9437c89ace769147817c0130fb133178ee66fd70feed878275ebf82ffe60d75e1c5c06bb7e444018c24df1bde2f90fc0f
SSDEEP

6144:WVdHl5i0Mm6aQc6UeI77KVgS/wnjhHFpG4b32:WVdR16TBUJKVgk4jhGm2

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 976	1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe	82
PID 1824 wrote to memory of 976	1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe	82
PID 1824 wrote to memory of 976	1824	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E24A4048\_Setup.dll

Filesize
146KB

MD5
a3f3a3b608f9a6d604730cb689dc23c6

SHA1
67dbeb74940250916e0592e596aa492c09694f74

SHA256
4020fabec983278cb2f9b1eaa17cd9466bbdbd0842a35182e34ecd302ae9d342

SHA512
beb0ad1f1b2530366dbc366a642d27965d7e851055086d7c302612eae88d19a501d46c66737c8ee4d0d0c2915d9768cd4d2f1b8e5347bcc3480facdb73484c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\E24A4048\_Setupx.dll

Filesize
16KB

MD5
f17dce858db6f84c1c149f8aebb1ce58

SHA1
e54f8c536dd66610d0678a3532c4f8834b01abe6

SHA256
f32c9be19334ec4a212d173f43e3a97e08434000ff7cef8584afbf72e05ba845

SHA512
c08f9efb7a3514c7829d7c9bd0ef384bbe038e695021a089b354eab6e9c13408fab31a01f502013c27c1a50e2e223ad3c33f4ed7424498b4077091c0044b7ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu-0720.dll

Filesize
245KB

MD5
8c7a58965b71c9dfbf1a14d3369a2620

SHA1
26380249b9bdf1ab864b1c8fa4d01e4c28ba9b5c

SHA256
f94e3692cf74256ef5f9df081592603e5b3aac4490ce39cf88363c5f24fa5aa7

SHA512
97302e9a0f53fb7239c92049d61d65be2958de3d674cdc25fb2ac10424814930e982278d6d6e8df2e270116a5a1b7d1cfea14250aea99191f3efd571357c7023

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat

Filesize
44B

MD5
bbd2437f18ac85fc91ea3ce2eeda4348

SHA1
a9fa362b6d84bd8daa99a18d6fe1e326403761f6

SHA256
fba3793645f3c03b4ad148fb406748ab0810a591cce57240e9ded07e8e2f56f2

SHA512
3a0f8d699c22cbe9e1a8d3a93310612f8b15ea0a77c34a954123724a45f99a6330a1cd2917d317050b1ad4104919e403c29d841e57dcc092cc056ac6c846bf57

Download Submit