3c2a4caecf42c80e9dd3d3362367eef85b6fe9375606b358a102f822064db787

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe
Size

215KB
MD5

4255fbb794fadd4af673e8b88e9dbaae
SHA1

2291edc054aef3f1c56b223a10d17c4e2babf500
SHA256

3c2a4caecf42c80e9dd3d3362367eef85b6fe9375606b358a102f822064db787
SHA512

aba0d9f5967f6846109465b6ce76903cd07a70b946364dd1e3d1158c64c0007bb23bb3e58a0e726d178d17996affa9eb2684a977126ea97553ef9dcf3b86aa05
SSDEEP

3072:K0NiB49RpbQ5NtoCDpcroSREvsGXipzvI7txHw0sGqJk9AC93:rvQNaCDp4oO6skkzv6Q9DY

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2356	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2356	1668	4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe	31
PID 1668 wrote to memory of 2356	1668	4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe	31
PID 1668 wrote to memory of 2356	1668	4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe	31
PID 1668 wrote to memory of 2356	1668	4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe	31
PID 1668 wrote to memory of 2356	1668	4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe	31
PID 1668 wrote to memory of 2356	1668	4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe	31
PID 1668 wrote to memory of 2356	1668	4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4255fbb794fadd4af673e8b88e9dbaae_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Zqz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Zqz..bat

Filesize
238B

MD5
ab6e188f1bdd70635fbe5eba5022fda7

SHA1
c78ea0e7ea686f24309c5cade97f7bdc59a27ed6

SHA256
23784089f9ec850756bf53528e71138205805e747622f434fca61f82a615b30d

SHA512
82a3a456499dde039d45f7d1aa6462835137b46a7f6ca73e0f82610f198dc826a45d2a807ff85585ca4ba38ec0bfb0754ac9dcf25dd54ec521339da9561cfd11

Download Submit
memory/1668-0-0x0000000000200000-0x0000000000211000-memory.dmp

Filesize
68KB

Download
memory/1668-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download