b2ee99a6cad33a17e632b52658a7a244e88b2db0e1ad5103d1f9e226d69b7f8b

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 02:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe
Size

618KB
MD5

088b979130fd3bd0fcba8e6c8e356be9
SHA1

7d190b76d8f0f00c0f6531dd9be6a623e780d1e1
SHA256

b2ee99a6cad33a17e632b52658a7a244e88b2db0e1ad5103d1f9e226d69b7f8b
SHA512

d18b549d230d6ba613fe4217c419460f02b43bf97957ca8fc660e71e0572995f74fdffc6e148bde5d66d38181a14b656d161bdce92ea0b94a44770370b66f4e9
SSDEEP

12288:H3XOndk7TbCMPW5A6X4tbAYkrYJAeZ1sug8Gy0t8wGpB5NPLvnbMaGEc9s6:H3edQbC8W5A0YirYhicGy0t8wQvbMZjd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3996	Utility Mang.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Utility Mang.exe	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe
File opened for modification	C:\Windows\Utility Mang.exe	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe
File created	C:\Windows\Uer.bat	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Utility Mang.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3996	Utility Mang.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 4628	388	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe	83
PID 388 wrote to memory of 4628	388	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe	83
PID 388 wrote to memory of 4628	388	088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe	83
PID 3996 wrote to memory of 3492	3996	Utility Mang.exe	84
PID 3996 wrote to memory of 3492	3996	Utility Mang.exe	84

C:\Users\Admin\AppData\Local\Temp\088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\088b979130fd3bd0fcba8e6c8e356be9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Uer.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4628

C:\Windows\Utility Mang.exe
"C:\Windows\Utility Mang.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Uer.bat

Filesize
214B

MD5
4356a7160d952014bca1701d44f8877b

SHA1
50e3106c78fae09f4d40a2622cb57620d16abe2c

SHA256
d79b2b8b2956235b518b6c5b86cf1bdaa512eceebba17b601474297d487e1124

SHA512
e0b66e58a248f8b9f30fdd7acabe052cb28ee3723b079b1a9f8b4f926f8c510554cdd1bdc14edbab67f162f5b923084c0c7cef992f6d0172bbf86b06cde2fdbd

Download Submit
C:\Windows\Utility Mang.exe

Filesize
618KB

MD5
088b979130fd3bd0fcba8e6c8e356be9

SHA1
7d190b76d8f0f00c0f6531dd9be6a623e780d1e1

SHA256
b2ee99a6cad33a17e632b52658a7a244e88b2db0e1ad5103d1f9e226d69b7f8b

SHA512
d18b549d230d6ba613fe4217c419460f02b43bf97957ca8fc660e71e0572995f74fdffc6e148bde5d66d38181a14b656d161bdce92ea0b94a44770370b66f4e9

Download Submit
memory/388-0-0x0000000000400000-0x00000000004A598C-memory.dmp

Filesize
662KB

Download
memory/388-1-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/388-10-0x0000000000400000-0x00000000004A598C-memory.dmp

Filesize
662KB

Download
memory/3996-7-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3996-12-0x0000000000400000-0x00000000004A598C-memory.dmp

Filesize
662KB

Download
memory/3996-14-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download