f5437e34677b0d0b48179015f99cd8696b2c8b01c1ca82e3b72f2a5f56c5799b

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b8a3f06af6657d22352e5e69b110a3b_JaffaCakes118.exe
Size

2.9MB
MD5

2b8a3f06af6657d22352e5e69b110a3b
SHA1

3d4b64fe3f1bec2843648f3968eaa02bed4410f8
SHA256

f5437e34677b0d0b48179015f99cd8696b2c8b01c1ca82e3b72f2a5f56c5799b
SHA512

f3d6b44df8665c7f99e2ecb5c2a236316f7091802d1e87bb21659325b66629daa55bcae4965b6b766f89ee02f65c156b85cf833a2dedc50f66329fc0801024a4
SSDEEP

24576:O+T1cKqSDupe4zw7d9iMhvLc9RrBVta4mcI3D0hPd+ft0z5Gfp18/oxW17/67XV/:O+SEl1TbhvKVyKgxm67CdSB+ecqWM

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b8a3f06af6657d22352e5e69b110a3b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4236	2b8a3f06af6657d22352e5e69b110a3b_JaffaCakes118.exe
4236	2b8a3f06af6657d22352e5e69b110a3b_JaffaCakes118.exe
4236	2b8a3f06af6657d22352e5e69b110a3b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 408	4236	2b8a3f06af6657d22352e5e69b110a3b_JaffaCakes118.exe	88
PID 4236 wrote to memory of 408	4236	2b8a3f06af6657d22352e5e69b110a3b_JaffaCakes118.exe	88
PID 4236 wrote to memory of 408	4236	2b8a3f06af6657d22352e5e69b110a3b_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\2b8a3f06af6657d22352e5e69b110a3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b8a3f06af6657d22352e5e69b110a3b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\qelizresa1.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qelizresa1.bat

Filesize
239B

MD5
b6bb0d55a3cb67f45bdbcf65ea930bbb

SHA1
0af867c35b956453b957f90debaa44bd8b7eca64

SHA256
c15274eedee7295c917740df144a612a0e200c665e84dd36e3ee801ebf481709

SHA512
ca5097c307975a0357dd39abf6c9f6730a24aee6600ac59a987bf7b87555902effdb5a5ec58434c9f5647e5962d68f2dffdd22a487d86fc0a164f08a2dcac07a

Download Submit
memory/4236-0-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download