7cc662404c49ab5eab63bdaa6addc3f7455e74d6448a86ac7d56b3de5477c9a0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 10:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2fd4574410dcc58ba7db356c2c2f2394_JaffaCakes118.exe
Size

460KB
MD5

2fd4574410dcc58ba7db356c2c2f2394
SHA1

ee16178e74d59a8888dea2ac77bdc6619d383cb9
SHA256

7cc662404c49ab5eab63bdaa6addc3f7455e74d6448a86ac7d56b3de5477c9a0
SHA512

9807a6254b8bc8b52596bd5e29c917ff9d34e5be6c10039482cb0232938935dc7c1ad0e050ad752c1f2a16eacb9b968e4ce22a506276c70c8ddcfec638daff85
SSDEEP

6144:0XP2VguYIgrGRq6tHPbhpDEOb59H7wsh2iESrhtiJg3BGVP0SLDFEpojsJOY0:KkgrL6tAOb7H7jcSrDiWGVMUEpojsJq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4664	zsiilitzcpioq.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fd4574410dcc58ba7db356c2c2f2394_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	zsiilitzcpioq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4664	zsiilitzcpioq.exe
4664	zsiilitzcpioq.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 4664	2136	2fd4574410dcc58ba7db356c2c2f2394_JaffaCakes118.exe	84
PID 2136 wrote to memory of 4664	2136	2fd4574410dcc58ba7db356c2c2f2394_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\2fd4574410dcc58ba7db356c2c2f2394_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fd4574410dcc58ba7db356c2c2f2394_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\mgisajvngqihim\zsiilitzcpioq.exe
  "C:\Users\Admin\AppData\Local\Temp\mgisajvngqihim\zsiilitzcpioq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mgisajvngqihim\parent.txt

Filesize
460KB

MD5
2fd4574410dcc58ba7db356c2c2f2394

SHA1
ee16178e74d59a8888dea2ac77bdc6619d383cb9

SHA256
7cc662404c49ab5eab63bdaa6addc3f7455e74d6448a86ac7d56b3de5477c9a0

SHA512
9807a6254b8bc8b52596bd5e29c917ff9d34e5be6c10039482cb0232938935dc7c1ad0e050ad752c1f2a16eacb9b968e4ce22a506276c70c8ddcfec638daff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgisajvngqihim\zsiilitzcpioq.exe

Filesize
7KB

MD5
ed9f29dcad3d7177bb3a022a6148dbe9

SHA1
c13ff13952181c5aa5137c6bc1cddb924abacd33

SHA256
d29936029335e8eddb46e1c1f0b34ab469e78c7f3c4cf807264d50291726ef14

SHA512
21508b7a1ebff3aa167b35bebb8c6ca2e32089443c6a6fbd9456720038a6b94a891491c436cba1658e8c40022749cc11b48da69464b2a90b57ba87989bb02198

Download Submit
memory/4664-12-0x00007FFBB88C0000-0x00007FFBB9261000-memory.dmp

Filesize
9.6MB

Download
memory/4664-13-0x00007FFBB88C0000-0x00007FFBB9261000-memory.dmp

Filesize
9.6MB

Download
memory/4664-8-0x000000001BFC0000-0x000000001C48E000-memory.dmp

Filesize
4.8MB

Download
memory/4664-10-0x00007FFBB88C0000-0x00007FFBB9261000-memory.dmp

Filesize
9.6MB

Download
memory/4664-9-0x000000001C530000-0x000000001C5CC000-memory.dmp

Filesize
624KB

Download
memory/4664-11-0x000000001B7B0000-0x000000001B7B8000-memory.dmp

Filesize
32KB

Download
memory/4664-6-0x00007FFBB88C0000-0x00007FFBB9261000-memory.dmp

Filesize
9.6MB

Download
memory/4664-7-0x000000001BAB0000-0x000000001BAF4000-memory.dmp

Filesize
272KB

Download
memory/4664-14-0x000000001E6D0000-0x000000001E732000-memory.dmp

Filesize
392KB

Download
memory/4664-5-0x00007FFBB8B75000-0x00007FFBB8B76000-memory.dmp

Filesize
4KB

Download
memory/4664-17-0x00007FFBB88C0000-0x00007FFBB9261000-memory.dmp

Filesize
9.6MB

Download
memory/4664-26-0x0000000021D10000-0x00000000224B6000-memory.dmp

Filesize
7.6MB

Download
memory/4664-27-0x00007FFBB8B75000-0x00007FFBB8B76000-memory.dmp

Filesize
4KB

Download
memory/4664-28-0x00007FFBB88C0000-0x00007FFBB9261000-memory.dmp

Filesize
9.6MB

Download