d6b6f9acbae33c638230351c47f686a11a249951e0b056385aab72e889aea664

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2da3dcea4e5e586d010c02e922ce290c_JaffaCakes118.exe
Size

2.8MB
MD5

2da3dcea4e5e586d010c02e922ce290c
SHA1

291270065fb04b963bbb1674547148a63f289487
SHA256

d6b6f9acbae33c638230351c47f686a11a249951e0b056385aab72e889aea664
SHA512

0bb47c6fb1b5e9dc8ef4755e30ba905b212b945f1b23e49ed33654223eccffc822d057a9033f00c3036981f2a1d1a106290ecd5e9e2972a09ba0ec3a9a034918
SSDEEP

49152:1AGCplAJ8CCItRQt6B1te9z0BiYPF3tx71P:1YplERe9/uRf71

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4336	FlashAid.exe

Loads dropped DLL 1 IoCs

pid	Process
4336	FlashAid.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashAid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2da3dcea4e5e586d010c02e922ce290c_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4336	FlashAid.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 4336	1652	2da3dcea4e5e586d010c02e922ce290c_JaffaCakes118.exe	83
PID 1652 wrote to memory of 4336	1652	2da3dcea4e5e586d010c02e922ce290c_JaffaCakes118.exe	83
PID 1652 wrote to memory of 4336	1652	2da3dcea4e5e586d010c02e922ce290c_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\2da3dcea4e5e586d010c02e922ce290c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2da3dcea4e5e586d010c02e922ce290c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\FlashAid40.tmp\FlashAid.exe
  "C:\Users\Admin\AppData\Local\Temp\FlashAid40.tmp\FlashAid.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FlashAid40.tmp\BIOSHeader.ini

Filesize
198B

MD5
8c0146ba51058882b84e6bb9acd653dd

SHA1
f634b29348a67f7a16cfb57bde06ac9bea1d2fda

SHA256
ecf0b56ea097aff12d91367c688c05f9c6a5ecced8373a4fa58a4c66995a056b

SHA512
d15de2a254e9bfa13a61ec110f64e5673e2da9d0e088f7f4a26dbfc1a7b87e3d9bf1944bd472584974eb88643bea2b0190681f300393ae52434e0924f3fda43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FlashAid40.tmp\FlashAid.exe

Filesize
124KB

MD5
34d8a6bcf2b3279022abbe42a2fe31c8

SHA1
161adf732fe7594ead5657f90572c716af550834

SHA256
b3949457b9c0c5f2c18416b26d58213dc54752fe6ee7512cd927210110ebf560

SHA512
5c0cdfecec6a2c53d67a15efb43dc5b08bc0404f434d8819769f8d40aacc08bb1402a226701996a7ef7f10ddc85cc022ab68180d2cd2b78301793abdf5ac2c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\FlashAid40.tmp\FlashAidMSG_ENU.ini

Filesize
2KB

MD5
ec6610995c3495510de40347b14a4e97

SHA1
36e70fbeb1ef6a8ba8edcd98aa7a4bb8e7bea723

SHA256
1fd5158cbb341a292184755833a1d6df698dd8c49a0689cb46dcad1fdee30c4b

SHA512
26a7b91b08091e031374e0876629f5d6ab92f055a46ddad4c08eab4fb0676aafbd6579449ac43b8b7f9d513514b41eaddd94f2b1be85733da136a4f30028451c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FlashAid40.tmp\FlashAidRC_ENU.dll

Filesize
141KB

MD5
550b36b00cf6bdbd0c2183c59eab167b

SHA1
bcc24cc10de3c1cadff9c358de9ce6c20d1ac0ea

SHA256
3448e961faedcbc78efa539d12ff4d53b88ebe1b46fbcad2f17c0ee1ceaa6192

SHA512
8cfcc2406f32b00f8db500a600da9d0e83d3c3029e12baf014f265c53f00b43e22d073626e8f0ebfe7e217d511689898f62d7f8694e17e8d052c4164517c430c

Download Submit