d2b6ee82df435d2f956c97e7b0d65d43f789ec0214ad357581a246ec953ff8da

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe
Size

280KB
MD5

2fb1acd22aeab531557d8c830a8e39de
SHA1

76ccd7c05418e8b00e69a8974cbda9160a78e440
SHA256

d2b6ee82df435d2f956c97e7b0d65d43f789ec0214ad357581a246ec953ff8da
SHA512

61a5b9182b09f563f78051396e564273191ed0cd547919b0b3d7e0a223827658bac4fec3a191ea2e496e43a5c30f7e1433135df7b1e2dee8f5a0cbc0cf82cb3d
SSDEEP

3072:Yej8cRQ/ro3Fs5Uij0/5PTbI0l7BRATIsaBPiG7c0EylSDBNYTsuZfj:Yej8+Q57j65PTL77wGBr8DTYwuZb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
684	jbbcmc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbbcmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2808	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2808	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4088	4796	2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe	84
PID 4796 wrote to memory of 4088	4796	2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe	84
PID 4796 wrote to memory of 4088	4796	2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe	84
PID 4088 wrote to memory of 684	4088	cmd.exe	86
PID 4088 wrote to memory of 684	4088	cmd.exe	86
PID 4088 wrote to memory of 684	4088	cmd.exe	86
PID 4088 wrote to memory of 2808	4088	cmd.exe	88
PID 4088 wrote to memory of 2808	4088	cmd.exe	88
PID 4088 wrote to memory of 2808	4088	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysmrukv.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\jbbcmc.exe
    "C:\Users\Admin\AppData\Local\Temp\jbbcmc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:684
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aegjss.bat

Filesize
170B

MD5
55841d0433c8b556ab856ee3dc113f5e

SHA1
6c0f81d932f2469114673c642d6e207e368d2cac

SHA256
73ed02b02275c0edb2337b2e17f8588c62ea7c0415607a11872646d4417be19d

SHA512
f6f1280572b4bb12e5abc525d4c48c25f4634856847b8cb5cb57ea053330e443ff0b6551117d8a663c63c461376283f719eb10a23683ebdaa72ed310cf8f8a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbbcmc.exe

Filesize
180KB

MD5
dd6b19d235ccce1a733f8fb311d7b6f3

SHA1
362e243bd0230c4b730d3f74a73f1e510099f08f

SHA256
dc08ca3b655c3438c8786edddd6c2b309a6e85a5911bc24a13cd655cd6a00c17

SHA512
1d5e86d2b488abc862d6ba9ba4fa4c267cb6a6495c3ae916d1083215374f707a269413287db06ad89398c92fa045b21c6148dc006248c7f9caf78963052ee9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysmrukv.bat

Filesize
124B

MD5
a152faae8bb57d2edb1e760a3dce89f1

SHA1
205abc27a7dc855288bc1e9990557e58367baa20

SHA256
564e1c2ad2ffffdde020773d5d34480865ee7c92559fc9e0fde8faf37bac7992

SHA512
739cf42f3de0a17b53aa6faa48865613f70953db2660c100bf1b0291f158a6b8fab6b63158ea29681e21902f85719bec361458629da54b1af1aa47060c9f3c34

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads