73496cfa61d474e8fbc86a1453ede673bc0505c05263406546d7efa5f3424c31

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe
Size

1.1MB
MD5

0b88c1b4f810d893fe99b710c3f4fb5c
SHA1

3b2ef9b3445c4aedb574f5c69393d810f37807a5
SHA256

73496cfa61d474e8fbc86a1453ede673bc0505c05263406546d7efa5f3424c31
SHA512

efcf57adad8fd2f072637ab838b6cc7054ab0ca1ae0528f7038fcdefffa344a44370b248710c636a2735b76748b2e3406aeb906750fc53922f5bdd0927ca3ddb
SSDEEP

12288:R+oIkysFHreQ+5ZmVXVLJou+XUscQ2PSN/a+utQPUh+cJgGkGc45lY397KKNx8k9:RHosu5cliu+EKlyH+cgGkK/Y3f/yi537

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2996	qLFNNVLVMEFPxlTZxunz1.exe
372	qLFNNVLVMEFPxlTZxunz2.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qLFNNVLVMEFPxlTZxunz1.exe	0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\qLFNNVLVMEFPxlTZxunz2.exe	0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qLFNNVLVMEFPxlTZxunz1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qLFNNVLVMEFPxlTZxunz2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4728	0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 2996	4728	0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe	82
PID 4728 wrote to memory of 2996	4728	0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe	82
PID 4728 wrote to memory of 2996	4728	0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe	82
PID 4728 wrote to memory of 372	4728	0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe	83
PID 4728 wrote to memory of 372	4728	0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe	83
PID 4728 wrote to memory of 372	4728	0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b88c1b4f810d893fe99b710c3f4fb5c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\qLFNNVLVMEFPxlTZxunz1.exe
  C:\Windows\system32\qLFNNVLVMEFPxlTZxunz1.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2996
- C:\Windows\SysWOW64\qLFNNVLVMEFPxlTZxunz2.exe
  C:\Windows\system32\qLFNNVLVMEFPxlTZxunz2.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\qLFNNVLVMEFPxlTZxunz1.exe

Filesize
369KB

MD5
680aec5de860efc6c18a5e4d5fc05baf

SHA1
5c810215dcd3e100bd9c2bed21b061546759cb41

SHA256
b4a66598535cf700ed959746ee967e679c110808dc6aba9adaa29fcfbaaf0b00

SHA512
5477dd7c9e76a7e0fee8f1aaeb315c5d08f5eb77c14a6748061678c778e26d152b99b769ec5fe00b401a1fbe8532897b8d0cf03a8dbc37a91c65881f308b633d

Download Submit
C:\Windows\SysWOW64\qLFNNVLVMEFPxlTZxunz2.exe

Filesize
738KB

MD5
0a29fb967660184500327cd557525ba7

SHA1
e1b7773224180bf28f7149f7ba96ba97863f406c

SHA256
d8e0e1f44d8a323c9027df5c52ab597a5f20fa9520a3026874b8ac4bf2025f74

SHA512
bd0a3a9bd256cd7ebaa23af5cb3671163050c68e61679ddc4c0407643ecf743fcde847381372b37733f55cd6db58335187ca8f0f9d4db116685427bbc4a23c78

Download Submit