992b4220281326703a3c0bb50f033ea13abe2276dbccb51517f3c05e6f8e499a

Analysis

max time kernel
137s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

113f23738639b0e964a0eb780c9a2d73_JaffaCakes118.pdf
Size

13KB
MD5

113f23738639b0e964a0eb780c9a2d73
SHA1

4ec6fca882b2e3845dc53c68ceb5e2485cc3b7dd
SHA256

992b4220281326703a3c0bb50f033ea13abe2276dbccb51517f3c05e6f8e499a
SHA512

c348814836c72a18242980fa1c4c9217524a6b00d21bf1e52fe8832789c915ed52554a1a93f51cb2d66881b8fc5255d69c4f4bd0adccff4889b493e4c11d587b
SSDEEP

192:rQhzajYqwAO9G+/vvTs7hXbfym4GJVbBftJy/suiXCvQNi/60un/T8qvROdjzwu:shzaNwAO9GiM5fdtttQQi/60G78s4djN

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1712	AcroRd32.exe
1712	AcroRd32.exe
1712	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2972	1712	AcroRd32.exe	30
PID 1712 wrote to memory of 2972	1712	AcroRd32.exe	30
PID 1712 wrote to memory of 2972	1712	AcroRd32.exe	30
PID 1712 wrote to memory of 2972	1712	AcroRd32.exe	30
PID 1712 wrote to memory of 2972	1712	AcroRd32.exe	30
PID 1712 wrote to memory of 2972	1712	AcroRd32.exe	30
PID 1712 wrote to memory of 2972	1712	AcroRd32.exe	30

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\113f23738639b0e964a0eb780c9a2d73_JaffaCakes118.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 -s C:\Users\Admin\AppData\Local\Temp\wpbt0.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wpbt0.dll

Filesize
1KB

MD5
0945abaf36ca159bd7d52bcfbc6ff059

SHA1
5281e5f378bb3c33bd973310b6557b9ab5cc65ee

SHA256
368736d870bf7c66899f3a8f4a80c44c927a48d56d49e38c72471289e762ba18

SHA512
5c0ad4b0770ea0dc88c543c86e5bc2b693a9ab85ee7bb6326b2a11fa72228e7e52db20a6113831be46c2baaebebb8354476c5cf89bf36970019bd7676f3bdad2

Download Submit
memory/1712-0-0x0000000003BA0000-0x0000000003C16000-memory.dmp

Filesize
472KB

Download
memory/1712-3-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download