aa9548ee6f4690c55415d1548a1b58de9a8f9f04b4dc0a1fa967146a2071b4ff

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38e61d0cd891820976af8f34c24592cd_JaffaCakes118.exe
Size

87KB
MD5

38e61d0cd891820976af8f34c24592cd
SHA1

85c64f28b79e3847858bff16204ad41badab18ca
SHA256

aa9548ee6f4690c55415d1548a1b58de9a8f9f04b4dc0a1fa967146a2071b4ff
SHA512

c51c8cffd3ceea7bc2b279877ac9b4b02efdfb63fe15a4fe446aa25df4b28396aafd07456072d76eb41c29ef1f72c8eba5d3a6909999adb588e55db27c7364c6
SSDEEP

1536:/ZunpOxXlJtnAU2QdG7kioFqjpRUwSEfDJLPCkdC1pRO85S:MpOxhAXQAVeV7p

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
60	_C£_C£.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38e61d0cd891820976af8f34c24592cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_C£_C£.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 2152	4264	38e61d0cd891820976af8f34c24592cd_JaffaCakes118.exe	84
PID 4264 wrote to memory of 2152	4264	38e61d0cd891820976af8f34c24592cd_JaffaCakes118.exe	84
PID 4264 wrote to memory of 2152	4264	38e61d0cd891820976af8f34c24592cd_JaffaCakes118.exe	84
PID 4264 wrote to memory of 1300	4264	38e61d0cd891820976af8f34c24592cd_JaffaCakes118.exe	85
PID 4264 wrote to memory of 1300	4264	38e61d0cd891820976af8f34c24592cd_JaffaCakes118.exe	85
PID 4264 wrote to memory of 1300	4264	38e61d0cd891820976af8f34c24592cd_JaffaCakes118.exe	85
PID 2152 wrote to memory of 60	2152	cmd.exe	86
PID 2152 wrote to memory of 60	2152	cmd.exe	86
PID 2152 wrote to memory of 60	2152	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\38e61d0cd891820976af8f34c24592cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38e61d0cd891820976af8f34c24592cd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4264
- C:\windows\SysWOW64\cmd.exe
  /C _C£_C£.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\_C£_C£.exe
    _C£_C£.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:60
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_C£_C£.exe

Filesize
76KB

MD5
d1337b9e8bac0ee285492b89f895cadb

SHA1
93a2d7c3a9b83371d96a575c15fe6fce6f9d50d3

SHA256
b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88

SHA512
39ea0272654666df38f31fb053ad462d66aba295832a9962c448b1173864b71584f04a2dcc7820e1ac3cf0b9131a4eb5ebf5a553afbcff4b5ce4e9494a16d17d

Download Submit