fa2add80bb1309567340795a4b8b6c07754f51b30b2837b0d8b3a50caa1e5452

Analysis

max time kernel
95s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0841bf17e2e4a190588cd9be385418b3_JaffaCakes118.exe
Size

300KB
MD5

0841bf17e2e4a190588cd9be385418b3
SHA1

0eb093be439e660af920d8ee903310feb1b69647
SHA256

fa2add80bb1309567340795a4b8b6c07754f51b30b2837b0d8b3a50caa1e5452
SHA512

edfb60d39a1370d55fa0c105889222242750dd7304f76c395ce7914d01330386867d76e2ccc0947c33a3e14479ad0cfdc607ea1af0428b29eb8c154e9b8054e8
SSDEEP

6144:1zW/KFKexXI7tRrKwyjg2ruu6rFxpSDg9SCN6A3Vofam3A:ltx4BRrKwyjg+uxYUAy6A3Vzf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4800	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841bf17e2e4a190588cd9be385418b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4800	1076	0841bf17e2e4a190588cd9be385418b3_JaffaCakes118.exe	82
PID 1076 wrote to memory of 4800	1076	0841bf17e2e4a190588cd9be385418b3_JaffaCakes118.exe	82
PID 1076 wrote to memory of 4800	1076	0841bf17e2e4a190588cd9be385418b3_JaffaCakes118.exe	82
PID 1076 wrote to memory of 4800	1076	0841bf17e2e4a190588cd9be385418b3_JaffaCakes118.exe	82
PID 1076 wrote to memory of 4800	1076	0841bf17e2e4a190588cd9be385418b3_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0841bf17e2e4a190588cd9be385418b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0841bf17e2e4a190588cd9be385418b3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dif8C42.tmp

Filesize
878B

MD5
ae02c20e00c90ace106e6bb536cfbee2

SHA1
338bb672be71a809cabe5f5ea6e557d6d0abc6c0

SHA256
0b816466bd0ccaf7c559d33d2c8388e01322b6d053b45552bdc6eaae8e78e3b4

SHA512
c25c2e73f80a2d3d8b647cddc1a4e1e22a012d813c34920a6c68552d62d6f6456b4aabccce1c39209ef5efea5d9a08fed9d6a19519be6a3ac4d1c880532ee76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\data.pck

Filesize
345KB

MD5
a9e61ee985ebf5db9351663ab8a1bfe4

SHA1
ac7cc946428329d1c6810de1c33d045329ee214e

SHA256
f9bbaa1aaa5108a676f2343934b3217882cf18a24b5673349df2e5a7e48bcdd8

SHA512
4645105769ed16eec35fb9b1f051c912280cdcf8ca8b42070bba396e76051371ee4f13f929030d66f17cfaeb6e3bd75f6e0f83dbf32aa3984d048d256bc42600

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\index.scr

Filesize
878B

MD5
d6897ee950a50d97feb2f613584318da

SHA1
3dbced04522fd79f7b3e37d9246ade51d6a6d55d

SHA256
5423a017c3896e75ea150b54c743c7f97698f5caf1e7eccfac8097bf2c44d9d9

SHA512
211ac22011ab133a18273f21fcf59660226a38479e413357f580a82f3b7357ebefbcbe7128d04c15a2d1130cabe48438cbd3dfb47a9c825b754d1d7355d43ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\puzzle.pzl

Filesize
32KB

MD5
a5872b7676f685df4ccad14965f38542

SHA1
45debb9824a70afc83dea4a3951b0f40d9478f9f

SHA256
10aedc57b652433441e2fafc667e2e1200f81b2eb9ccdefa320aeffd73c8cd8c

SHA512
01b7b46b27355aaf79e4361d6eb5abc12c8dd3662ca0aa330b6c7ef6e6fc38004869d11fea9723d4e1b6e8da6003263e98f31f33c9563200e8adf2f02a65bb9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe

Filesize
304KB

MD5
61200441e7fae807bbc020d757466117

SHA1
4d575e2d302f10b2b0a5fa0eef1524c4e332d202

SHA256
ee8d5fec51d3e03d6ea1f90dad828bfcf0659bcab52cc61a356d86082ec8007d

SHA512
7551b47084efd743fe59ae0ebe044a7e8cd86f6c559e3e4c760bc0c97dc0945443a59e98eddc2b0c564bdd1c0720d168d8462e3b772f6019d9df93d091626c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\lang.ini

Filesize
10KB

MD5
cedfd1c79c51b026a3f87794150a5039

SHA1
d373440a1f2fd8581861d7b7090085c5484b6087

SHA256
ba5ef58a17d91c7f8f39d2da9e841a162c806269e6f2bb4b689a8e9b1d0a9a80

SHA512
f48718440741fbcd80cf5b764c20629f82a527e260cb31297d40cdce22e7c3ceaac69077dc54a87767a7eac2bc826fb8f9743273049d52b0891819a089808ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\skin.ini

Filesize
1KB

MD5
393a22419b84a1219194cd6542a23c93

SHA1
f480bbfb8009844782366a3dec2ad23266dc48bc

SHA256
c46fe077a9206c75b2a6068dd6929c09df9bc616adb3caf7f1443a90f0276468

SHA512
beadbda583bf63e31a247ddcea59d7033f6cfd385e6d6bf3fc3884855ddf4b04d05f1d739f36a19319263951605bdfc00a4cc11380d978ffe2b28d4c3d35bee4

Download Submit