78064d64163b921ffc5e20b4843d581d63cd5eeba12bfe7662f51a4a9574cb7d

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe
Size

471KB
MD5

39dc4ce0e74fc100a11c0eec55d900bb
SHA1

599d3bd643bbcd17b869966d34b7830771ef4772
SHA256

78064d64163b921ffc5e20b4843d581d63cd5eeba12bfe7662f51a4a9574cb7d
SHA512

8854d9fda1e4bea88499bdafa4f08a2c98337df23e4f8402b5ebef32f26dc895f0bfd8eb132320d1a30d1cdbf2d416dc0ff22e4bb0fb4d8c4b6f68f67d66f61d
SSDEEP

6144:E5fYH5EeQRFT7Zoi1jY0Ie++M0vLvsZ2tsR6lRStFaYcr/bK+gGfZBZoKQJrV51w:nQR17Zoi1LIeJMsvsrcl0tQRZydVnk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3988	wgapeuvubjtcez.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	wgapeuvubjtcez.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3988	wgapeuvubjtcez.exe
3988	wgapeuvubjtcez.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3988	5064	39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe	83
PID 5064 wrote to memory of 3988	5064	39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39dc4ce0e74fc100a11c0eec55d900bb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\wgapeuvubjtcez.exe
  "C:\Users\Admin\AppData\Local\Temp\\wgapeuvubjtcez.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\parent.txt

Filesize
471KB

MD5
39dc4ce0e74fc100a11c0eec55d900bb

SHA1
599d3bd643bbcd17b869966d34b7830771ef4772

SHA256
78064d64163b921ffc5e20b4843d581d63cd5eeba12bfe7662f51a4a9574cb7d

SHA512
8854d9fda1e4bea88499bdafa4f08a2c98337df23e4f8402b5ebef32f26dc895f0bfd8eb132320d1a30d1cdbf2d416dc0ff22e4bb0fb4d8c4b6f68f67d66f61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgapeuvubjtcez.exe

Filesize
19KB

MD5
41b6199415075e5e59f766b80f0de9d0

SHA1
8dee026bd21eb2835a31707300879e3d5c3fdaef

SHA256
9d97f6539209d1482e8510bc40a8bff668e7863adee6ebf51a46e6e912d585b5

SHA512
3f5c38cb855d7319b737f1cafb0b9b51fa93b12a91b8c35cd04e4a816dc2c5e8dc26dc50d0c653ddb037a75e6a560b2cbf618c74e013bf4ea6e90188bf3d4af2

Download Submit
memory/3988-13-0x0000000001450000-0x0000000001458000-memory.dmp

Filesize
32KB

Download
memory/3988-14-0x00007FFFF8720000-0x00007FFFF90C1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-8-0x000000001BC00000-0x000000001BC44000-memory.dmp

Filesize
272KB

Download
memory/3988-9-0x000000001C260000-0x000000001C72E000-memory.dmp

Filesize
4.8MB

Download
memory/3988-10-0x000000001C7D0000-0x000000001C86C000-memory.dmp

Filesize
624KB

Download
memory/3988-6-0x00007FFFF8720000-0x00007FFFF90C1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-5-0x00007FFFF89D5000-0x00007FFFF89D6000-memory.dmp

Filesize
4KB

Download
memory/3988-7-0x00007FFFF8720000-0x00007FFFF90C1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-15-0x00007FFFF8720000-0x00007FFFF90C1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-16-0x00007FFFF8720000-0x00007FFFF90C1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-17-0x000000001E960000-0x000000001E9C2000-memory.dmp

Filesize
392KB

Download
memory/3988-28-0x0000000022080000-0x0000000022826000-memory.dmp

Filesize
7.6MB

Download
memory/3988-29-0x00007FFFF89D5000-0x00007FFFF89D6000-memory.dmp

Filesize
4KB

Download
memory/3988-30-0x00007FFFF8720000-0x00007FFFF90C1000-memory.dmp

Filesize
9.6MB

Download