cbb6b99af779913a052d22571170c9f9bfb6ac4d25b46fd1f25ff20272f8c3c7

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

173cdd6147e2c5fbfc3270ee15e80a1f_JaffaCakes118.pdf
Size

13KB
MD5

173cdd6147e2c5fbfc3270ee15e80a1f
SHA1

af67e1553ff802e9b1dc5dc2d277d4bd62cc27dd
SHA256

cbb6b99af779913a052d22571170c9f9bfb6ac4d25b46fd1f25ff20272f8c3c7
SHA512

51a5a717a63575459451ba0bf34a91c5edb3cee6cbb8ef1c6d7380fa099b41403a4fd4016991dcdd21fa9c23614f9d2e5b2e762353da51ba317f39073ce8c560
SSDEEP

192:5QhzajYqwAO9G+/vCmnmNTy1yJZJ0Zhrx7Rv5VCXuvQNi/60un/TwWzz3:OhzaNwAO9GiCHZLJ0Zhrr/Qi/60G7wuj

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2216	AcroRd32.exe
2216	AcroRd32.exe
2216	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2576	2216	AcroRd32.exe	30
PID 2216 wrote to memory of 2576	2216	AcroRd32.exe	30
PID 2216 wrote to memory of 2576	2216	AcroRd32.exe	30
PID 2216 wrote to memory of 2576	2216	AcroRd32.exe	30
PID 2216 wrote to memory of 2576	2216	AcroRd32.exe	30
PID 2216 wrote to memory of 2576	2216	AcroRd32.exe	30
PID 2216 wrote to memory of 2576	2216	AcroRd32.exe	30

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\173cdd6147e2c5fbfc3270ee15e80a1f_JaffaCakes118.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 -s C:\Users\Admin\AppData\Local\Temp\wpbt0.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wpbt0.dll

Filesize
41KB

MD5
37fd70f7a43a8b179c7f84c09dfe5ef0

SHA1
7a5776f7b6f86e56db0898e9ae0f410d832ba19a

SHA256
4e54e8e8cf6bcab53c0e42807fdf3e140c30ea51a95b44ec88eb274abe72b1bf

SHA512
0204000d2ffb952abef3130e62ac78ead4b108a503ae356063fa149276e26219e397343a6ecb8a3a321001f9af924d58aadb74b84871cccf2eadcb1709f264bc

Download Submit
memory/2216-0-0x0000000002B80000-0x0000000002BF6000-memory.dmp

Filesize
472KB

Download
memory/2216-3-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download