f31757dfa48aea3c0f7e36fea02b5c200031b04300cd29572da0d7545eacefae

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe
Size

147KB
MD5

05d0a9e62e982032084f2383e5e4386e
SHA1

be1b8cabba26a9aa4086fa15e3b7f386a841e59e
SHA256

f31757dfa48aea3c0f7e36fea02b5c200031b04300cd29572da0d7545eacefae
SHA512

bd73842bce377fd69a674e35697e38f88993fe7b9a8e5a90521fb424acc0a568795d01d19d2cb5b7ac922ceb1db29acb0fbf68deadba8dd0dd68191a771ef466
SSDEEP

3072:ZAh4oFNDdmJf45Y/B66FYxo8x1luV4l84ZFnOMAv4DqqSna:ZMY5tFSo+1r80OMAv4u/na

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
4396	05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe
4396	05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe
4396	05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe
4396	05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe
4396	05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 2940	4396	05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe	81
PID 4396 wrote to memory of 2940	4396	05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe	81
PID 4396 wrote to memory of 2940	4396	05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05d0a9e62e982032084f2383e5e4386e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c \DelUS.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
228B

MD5
fc62c0edeaa77d114f0f0001172ee619

SHA1
11d89169398f476d4679b7adfa5e8a5a36283ecb

SHA256
48533ffe13201eaf80fff8f7524c8bbd080eba54aaa4c08dd79d749d3f679fab

SHA512
4bd22ae132e21d7881443635b23d0d42f4452c4cb43ecbb67f05aad951ac8cc88f40ff83f9f1b7fa6ddc5697e688c1ff57360b9e8b29718c589c62c3643a6569

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslD504.tmp\DBCount.dll

Filesize
92KB

MD5
523c8f7a466a7ab488615c26f972aa43

SHA1
de7cee6f1f7a5dcc413fddbb939c844a04c0631c

SHA256
343ce0e3713a74f4ee80315e8f03641f44a3328b1bb61ed12157d69dad5a4f34

SHA512
bea9486209e0d4ecc851ab8b1cbd68a1bd0a6067b6302c6c7aa9e3fa546940f6f78f4c96e0c324946eddcd67e6f20ccd99375dc4b6ed64df38da6676bf60a351

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslD504.tmp\Math.dll

Filesize
66KB

MD5
468914ab4ea3afc6fda29031c758394e

SHA1
d3b632778a03567efa761401151bfe80d0fe956c

SHA256
8a8d78657f0f6b44f18b16e7eea3e62eef6720e04cd2efc820d62bbe987afac1

SHA512
0b3df17a3a17a82ba7092ff384c7d820d9f1103fcfa732fb399cf0ff065ec6913a73bea433e19ad787bccf272059e39d196322445d9a6327bb25738f343926ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslD504.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslD504.tmp\System.dll

Filesize
10KB

MD5
32465a07028b927b22c38e642c2cb836

SHA1
309cac412b2ecf6a36f6e989c828afcdd8c7a6e4

SHA256
eda545d4dcb37098a90fce9692d5094bb56897f04eff6d40e3dedd122a4d1292

SHA512
9d886a722bbbb5d8d77e97d256057fe685f1932042257a8382e13548fe835d01c64de65e2b5ad2c2ff99692b14c924e6ddb84797f6224f1772e8699b421e6aff

Download Submit
memory/4396-10-0x0000000002800000-0x000000000281A000-memory.dmp

Filesize
104KB

Download