e4f50bc064bdceff344c2fbbc1a3b321e2ab0e4e1ca04a00c18f71e2c02282c9

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 02:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe
Size

40KB
MD5

085c83efca24105cfc11d45a33ca0b85
SHA1

3fe649505829bc38a61bcdac993ae1dd43e62ea7
SHA256

e4f50bc064bdceff344c2fbbc1a3b321e2ab0e4e1ca04a00c18f71e2c02282c9
SHA512

77eba4f2cced69ed119255ceb0ac4f8ab6cc8067be500e642022a67caecd07d9dfb3902b772ed4394f9d0dd4594ea4f75847c45211afa62295189c2d7d806369
SSDEEP

768:hSTZPXZihNrbcDRMJDmM+IrMHkMcOHRlPIucWJQVcFMyIoT/ZmufYocCSog2Jx:6XZqNEMJv+IrMHkdO7I7WCy3Zfwo5dgG

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2988	259413329.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe
2552	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	259413329.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2988	2552	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe	28
PID 2552 wrote to memory of 2988	2552	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe	28
PID 2552 wrote to memory of 2988	2552	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe	28
PID 2552 wrote to memory of 2988	2552	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe	28
PID 2552 wrote to memory of 2740	2552	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe	29
PID 2552 wrote to memory of 2740	2552	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe	29
PID 2552 wrote to memory of 2740	2552	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe	29
PID 2552 wrote to memory of 2740	2552	085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\259413329.exe
  C:\Users\Admin\AppData\Local\Temp\\259413329.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0e764718.bat" "C:\Users\Admin\AppData\Local\Temp\085c83efca24105cfc11d45a33ca0b85_JaffaCakes118.exe""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0e764718.bat

Filesize
38B

MD5
e814208df58ba7afda78819c96fcd164

SHA1
60778e83d11c3c3fba0b2efe6c4deac95a9a3954

SHA256
ea66d9bbb20c62f0781f414cf4d2fc547cd9540816726340ee6203552d23b0ee

SHA512
f69baa4dd6f373141bf8c495aae01442ab969ff33a24006d0a9186c1baa951f25f7727e2250bfe1ef8b3df2a0c1aca182fa909248eac73db9ef69111c9a9feb3

Download Submit
\Users\Admin\AppData\Local\Temp\259413329.exe

Filesize
36KB

MD5
e2e64be87ff0e633226a0597bb611f75

SHA1
52f1887e266e0b63352c90e9a334bde432164906

SHA256
50e99310a2a36e406c916717a6150090913c2a5072b3389fe3920df8a8a01f90

SHA512
bd8340e7b5adb3f0d6239a2b2b704c01437146579240d121850242c10fd18dda98b4cdcfd61d667dff755db93415f359e3af521fd33bfacc3f23bfef9e34ad6a

Download Submit
memory/2988-13-0x000000002E5C0000-0x000000002E5D1000-memory.dmp

Filesize
68KB

Download
memory/2988-14-0x000000002E5C0000-0x000000002E5D1000-memory.dmp

Filesize
68KB

Download
memory/2988-9-0x000000002E5C0000-0x000000002E5D1000-memory.dmp

Filesize
68KB

Download