02db2d8dbeb899225f5ee7e194aca16798d756dc55c451972b47d4a7693e601e

Analysis

max time kernel
140s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 07:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04ee73a2bc89bca03fa33caa856271c7_JaffaCakes118.exe
Size

3.0MB
MD5

04ee73a2bc89bca03fa33caa856271c7
SHA1

447e5f14da056733d205947aa147c3d04895bee0
SHA256

02db2d8dbeb899225f5ee7e194aca16798d756dc55c451972b47d4a7693e601e
SHA512

f3c888351ac8f5ffa7e6582d0e3739ac98dd30ba7935d2c04fc9ead9a8c3a5791ab62e2705e7e065dc3a101da228d22ec339a33c08412dc62ee7e2327249d15f
SSDEEP

49152:22b43yRUmb+8GsiftdAdu9pAmjX3+JAkpUTwHX5ROYcWWzEas3CknSOU14c5iU1y:PbGm7G5Amp1jGdUQUY2qnTUWoiu48KbN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4572	is-2DK50.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04ee73a2bc89bca03fa33caa856271c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-2DK50.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 4572	3352	04ee73a2bc89bca03fa33caa856271c7_JaffaCakes118.exe	82
PID 3352 wrote to memory of 4572	3352	04ee73a2bc89bca03fa33caa856271c7_JaffaCakes118.exe	82
PID 3352 wrote to memory of 4572	3352	04ee73a2bc89bca03fa33caa856271c7_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\04ee73a2bc89bca03fa33caa856271c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04ee73a2bc89bca03fa33caa856271c7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Temp\is-QJQR5.tmp\is-2DK50.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QJQR5.tmp\is-2DK50.tmp" /SL4 $5028A "C:\Users\Admin\AppData\Local\Temp\04ee73a2bc89bca03fa33caa856271c7_JaffaCakes118.exe" 2878631 61440
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-QJQR5.tmp\is-2DK50.tmp

Filesize
666KB

MD5
b003ea906e12280a22af09b29b0add98

SHA1
65c96f46e9b2948737549c9dc911188dd5e57bb1

SHA256
5b130f81d001bbeaac11914a06bd4c637a008dee65a5b5f6124188e158f74f4c

SHA512
055a4145fb0a3c8e36313d700f66b5d9073e0f80ec0a136e7cf6f1b6b36656c0e7ef4f7b855eb645e7ad20f993db3049a2e63c22b8bdc8ab55ded0f19ae3b1a2

Download Submit
memory/3352-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3352-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3352-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4572-12-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4572-14-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download