2b3ef0ee83fd79e2c40902d57944bf2eb5adfb8d20a9375140a2c1576ee1de55

Analysis

max time kernel
140s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe
Size

2.8MB
MD5

0f12c3f574b77fe9ee6874150c41ec38
SHA1

88e9e3b2009d06284d665d2edaf21181749aaa37
SHA256

2b3ef0ee83fd79e2c40902d57944bf2eb5adfb8d20a9375140a2c1576ee1de55
SHA512

a70999d07e3fd7ea533969d283f1f911bf091bded608fdb130173dbcdad1eef19e44c1b89dab11e7ab2aa3690b01a760a6482492819125b52f50d127f6af4418
SSDEEP

49152:EQFRHrmQG+AQG+qQG+VQG+XJQG+jqQG+d+XJQG+0OMR:EcKNjeafTp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3924	ejc.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3924	ejc.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3924	ejc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3924	ejc.exe
3924	ejc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 3924	800	0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe	82
PID 800 wrote to memory of 3924	800	0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe	82
PID 800 wrote to memory of 3924	800	0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\ejc.exe
  C:\Users\Admin\AppData\Local\Temp\ejc.exe -run C:\Users\Admin\AppData\Local\Temp\0f12c3f574b77fe9ee6874150c41ec38_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ejc.exe

Filesize
3.2MB

MD5
1d00c82849722f73c870be3e2ec5f259

SHA1
5a34bce115c471839c1c713c0623fbb887fb41a3

SHA256
b1747d6065d79e0ee6b7145739c736cacf30749e803d89df23f4297a547c07f1

SHA512
5bcd25f50bb9fb97f0d289f688ee8a14f6e2d194cc495759e51f193d7a65b86b1daaed9bca3a82f81ef456518eb29317cbe5214414fb9aae5a30eb181f5ddeec

Download Submit
memory/800-0-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/800-1-0x00000000022C0000-0x0000000002310000-memory.dmp

Filesize
320KB

Download
memory/800-5-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/800-4-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/800-9-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-8-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/800-7-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/800-6-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/800-3-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/800-2-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/800-38-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/800-40-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/800-39-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-37-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/800-36-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/800-34-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/800-33-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/800-32-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/800-31-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/800-30-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-29-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-27-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/800-26-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-24-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/800-22-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/800-21-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/800-19-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/800-18-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/800-17-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-16-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/800-14-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-13-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-12-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-11-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/800-10-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-35-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/800-28-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-25-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/800-23-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/800-20-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/800-15-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/800-41-0x0000000002D40000-0x0000000002D46000-memory.dmp

Filesize
24KB

Download
memory/800-43-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/800-42-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/800-44-0x00000000022C0000-0x0000000002310000-memory.dmp

Filesize
320KB

Download
memory/800-49-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/800-52-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3924-50-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3924-54-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download