bcde305899de7d321869027699e48cef7ad0b0bd5f4825a5d9e090b47922d748

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d6e8dced524b9680db0423264d0e45f_JaffaCakes118.exe
Size

100KB
MD5

2d6e8dced524b9680db0423264d0e45f
SHA1

26fc2750adc599f00e9435612d59745a5da08970
SHA256

bcde305899de7d321869027699e48cef7ad0b0bd5f4825a5d9e090b47922d748
SHA512

a6862d95e89cb27d9159483d4e7eca0302e0e2a839ad54cec5a9d83daddd35ae0dc17abf3f7991fc8d6697a0b42eb566110208adda4a82653cbc4950c741a46c
SSDEEP

3072:OhZDzzfqI0+8Rv4/VckYOmTqNC0OHLMr2HLVlC31T:wZ7Z0+MIYwCXHLMKrVA31T

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4784	runkasever.exe
5028	runsyskaka.exe

Loads dropped DLL 2 IoCs

pid	Process
4988	2d6e8dced524b9680db0423264d0e45f_JaffaCakes118.exe
5028	runsyskaka.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runsyskaka.exe	runsyskaka.exe
File opened for modification	C:\Windows\SysWOW64\runkasever.exe	runsyskaka.exe
File created	C:\Windows\SysWOW64\syskaka.dll	2d6e8dced524b9680db0423264d0e45f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runsyskaka.exe	2d6e8dced524b9680db0423264d0e45f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runkasever.exe	2d6e8dced524b9680db0423264d0e45f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\syskaka.dll	runsyskaka.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d6e8dced524b9680db0423264d0e45f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runkasever.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runsyskaka.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4988	2d6e8dced524b9680db0423264d0e45f_JaffaCakes118.exe
4988	2d6e8dced524b9680db0423264d0e45f_JaffaCakes118.exe
5028	runsyskaka.exe
5028	runsyskaka.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 5028	4784	runkasever.exe	85
PID 4784 wrote to memory of 5028	4784	runkasever.exe	85
PID 4784 wrote to memory of 5028	4784	runkasever.exe	85

C:\Users\Admin\AppData\Local\Temp\2d6e8dced524b9680db0423264d0e45f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d6e8dced524b9680db0423264d0e45f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\SysWOW64\runkasever.exe
C:\Windows\SysWOW64\runkasever.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\SysWOW64\runsyskaka.exe
  C:\Windows\system32\runsyskaka.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\runkasever.exe

Filesize
10KB

MD5
424d5b0fef73ace1e55506e3bad43b09

SHA1
bd4e161829ec442bd9e3513b52f96f385fb937c5

SHA256
35513b2aa5f471501ecaf911d8ed166ad8ac6e9b80ed7685fb7fc375d542ce0f

SHA512
0d6f45f9bc42d456d7abab69c04c1fbf05076aa5fbf4c598e5b6dd44f96bdcf9f1736afff5f70ce64b3e34f92f1cd05ade715b3e1a1065c26c53c8e498979d39

Download Submit
C:\Windows\SysWOW64\runsyskaka.exe

Filesize
100KB

MD5
2d6e8dced524b9680db0423264d0e45f

SHA1
26fc2750adc599f00e9435612d59745a5da08970

SHA256
bcde305899de7d321869027699e48cef7ad0b0bd5f4825a5d9e090b47922d748

SHA512
a6862d95e89cb27d9159483d4e7eca0302e0e2a839ad54cec5a9d83daddd35ae0dc17abf3f7991fc8d6697a0b42eb566110208adda4a82653cbc4950c741a46c

Download Submit
C:\Windows\SysWOW64\syskaka.dll

Filesize
41KB

MD5
f20bb79f61fcdbd70d9dbcec97cf20db

SHA1
89d03679a44edc2fbb2637563deddf00fc44f3ea

SHA256
d501f32123423d21e89eab3193b71036808bdb62af529a19b19c727202aaf809

SHA512
0f8ec98dee4dd951391591afc0c48bbf36cec9176e909ec76b1ebf0628eff3b06f1e98996278ca3b51ca1d4a17c124db1b9282b867210918d6e6108086a675db

Download Submit
memory/4988-1-0x0000000000400000-0x000000000042C0B0-memory.dmp

Filesize
176KB

Download
memory/4988-0-0x0000000000400000-0x000000000042C0B0-memory.dmp

Filesize
176KB

Download
memory/4988-2-0x0000000000401000-0x0000000000414000-memory.dmp

Filesize
76KB

Download
memory/4988-26-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/4988-28-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/5028-16-0x0000000000400000-0x000000000042C0B0-memory.dmp

Filesize
176KB

Download
memory/5028-15-0x0000000000400000-0x000000000042C0B0-memory.dmp

Filesize
176KB

Download
memory/5028-27-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download