aadc0ef0b97635f1e84969904e64e69c25b4b94d5ce8e173217a78e358662f04

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 02:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.exe
Size

10.5MB
MD5

15ccd6890e0766579e035fd6fee17f64
SHA1

7f73d47eec67a74cc12c078b9eeb542a21ec3077
SHA256

aadc0ef0b97635f1e84969904e64e69c25b4b94d5ce8e173217a78e358662f04
SHA512

7d2cd1782734e6bc80c139c31beec903b642f05930e586abb577a48370cf95e57e59c60938b13d9fc08251445c9576a6e7fc84de381d6d54000a1ba41d51ffb2
SSDEEP

196608:Pi/lV2kSInj9ZK4Yo/BtzpxOZCq+Tc/ImHA4Cke03sQJWRZXcHtEdgQKbFw0Tp:P/kS83YoJtzpeCvTc/I4Fn7scHtEAFwI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4100	15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.tmp

Loads dropped DLL 3 IoCs

pid	Process
4100	15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.tmp
4100	15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.tmp
4100	15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4100	15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 4100	388	15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.exe	82
PID 388 wrote to memory of 4100	388	15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.exe	82
PID 388 wrote to memory of 4100	388	15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\is-TTIN9.tmp\15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TTIN9.tmp\15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.tmp" /SL5="$80050,10652319,53760,C:\Users\Admin\AppData\Local\Temp\15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-O2V5S.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O2V5S.tmp\gifctrl.dll

Filesize
13KB

MD5
aafb72be02a69880709ce0f831aca6cc

SHA1
7a099ac160efe301c23aec8d26636dbb3c8b745f

SHA256
6e6b107f43df35b336147599513474e846fad55b900ad366a81f87e32eaafd57

SHA512
4c5d963e6a74d38883597af28ce28dc071fa7558ad6d4825a3a00bff0482d526884fbf64e851ab6570d5ba0e9a83d2170684d2f0e5cbcfc84fc91bf56ece2d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TTIN9.tmp\15ccd6890e0766579e035fd6fee17f64_JaffaCakes118.tmp

Filesize
893KB

MD5
a7b95eef9a5021b809817e34b0a5fb87

SHA1
1799e541ae7ed113c708b7d07f0ab73adc09d4c1

SHA256
64871ea926f15af27147e831e7d6b548a127c72aa6b67e54936ceb746abd909f

SHA512
da303f28751c44a4450baf71843932067beb73d41c4ce5766ca14054e58d74dea37f2a33cf6b965e5b28041754e9bebd6782a3c98c7f75908d381deec3b355e5

Download Submit
memory/388-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/388-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/388-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4100-7-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4100-28-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download