cbed86fba602ec21ec468e8461ba9a58fa68ba53fb3576fa4467285b1e166a7f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

101ecac967d3050731e32273b78d3da2_JaffaCakes118.exe
Size

2.4MB
MD5

101ecac967d3050731e32273b78d3da2
SHA1

4dc317f6b0c7d08bc48e4279ed6064c24d8711cd
SHA256

cbed86fba602ec21ec468e8461ba9a58fa68ba53fb3576fa4467285b1e166a7f
SHA512

10a54a6b6e4e1d57cc9e7f60afd7ae67638b4c74849f848db79fbfd82b59dfad905705413dced7904639ced2b9e21b4120ed78948a762b5533a2624c0469dd33
SSDEEP

24576:cuUTmNOrDY84Dt/XdYzBdu+CNIK2wad3Jd8Jyn7Z7JzC8DsHoMTMtbixxH0GP+CX:cUN849wxy3UfhqYOlDMvc

Score

7^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000002342d-3.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2876	e5772a0.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	101ecac967d3050731e32273b78d3da2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5772a0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2876	e5772a0.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2876	e5772a0.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4464	101ecac967d3050731e32273b78d3da2_JaffaCakes118.exe
4464	101ecac967d3050731e32273b78d3da2_JaffaCakes118.exe
2876	e5772a0.exe
2876	e5772a0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 2876	4464	101ecac967d3050731e32273b78d3da2_JaffaCakes118.exe	82
PID 4464 wrote to memory of 2876	4464	101ecac967d3050731e32273b78d3da2_JaffaCakes118.exe	82
PID 4464 wrote to memory of 2876	4464	101ecac967d3050731e32273b78d3da2_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\101ecac967d3050731e32273b78d3da2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\101ecac967d3050731e32273b78d3da2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e5772a0.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e5772a0.exe 240612000
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\e5772a0.exe

Filesize
2.4MB

MD5
dfcb50335523616f70b0ea0cbfb4f818

SHA1
a3f1ecd7313336820b1bfdcb84f53fa137f0a7b4

SHA256
beb514f09a821f8ebe0c3b6d5163f933c5a72c39124497f913dcdda656f80f0f

SHA512
1c43a118f893ff9911c78c0e798aa6b2a6095eb7c75db0518fc2f83386051dba3b15d165b1861e1c63099349b8eb17ce86e90b1cdd1b2631fb96cd67c1e9336f

Download Submit
memory/2876-5-0x00000000771FA000-0x00000000771FB000-memory.dmp

Filesize
4KB

Download
memory/2876-10-0x0000000000400000-0x00000000006C6028-memory.dmp

Filesize
2.8MB

Download
memory/4464-0-0x0000000000400000-0x00000000006C6028-memory.dmp

Filesize
2.8MB

Download
memory/4464-9-0x0000000000400000-0x00000000006C6028-memory.dmp

Filesize
2.8MB

Download