d8f4bd424e1913e865f6dc0aa398df5bf6497b4552f752f08486f2fcfd17f539

Analysis

max time kernel
137s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe
Size

88KB
MD5

432765a338db063b00cd6792f464f2d0
SHA1

862a0f6e4fc241e615b1feba0a91052c061638b1
SHA256

d8f4bd424e1913e865f6dc0aa398df5bf6497b4552f752f08486f2fcfd17f539
SHA512

9e6a7a789b23269de3d5c2f339dacbc2a2b887d5f66c23ad008ee7adf1059c3b4051e9f09c15c9d3274c1b23265823e3542186f2e814d6e44ab609f8333c3703
SSDEEP

768:9vAp1t17tP/1yT1p8HD3maxIdkzc1dWrpFjNN9thZnC8wm9VoEEEwu7YEyFoXC:9vAp1t17tXgT1iDvKaz9tznGmftmoy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3216	serivces.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\serivces.exe	serivces.exe
File created	C:\Windows\SysWOW64\serivces.exe	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\serivces.exe	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	serivces.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4540	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe
4540	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe
3216	serivces.exe
3216	serivces.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 3216	4540	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe	84
PID 4540 wrote to memory of 3216	4540	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe	84
PID 4540 wrote to memory of 3216	4540	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe	84
PID 4540 wrote to memory of 3040	4540	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe	85
PID 4540 wrote to memory of 3040	4540	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe	85
PID 4540 wrote to memory of 3040	4540	432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\serivces.exe
  "C:\Windows\system32\serivces.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\rs.bat C:\Users\Admin\AppData\Local\Temp\432765a338db063b00cd6792f464f2d0_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rs.bat

Filesize
105B

MD5
c33c3bd528b74ef8e010cd3b5f3950aa

SHA1
c8fafd5f2a514aaf64259565aaae8d0450444be3

SHA256
4a9b066077e5b57aaf2d54e23c023ed6558b89d4955a0f94e5c39257ad7e9df8

SHA512
92e85b2a6ea5d06b9258f37ded20605807fd26ec3b402452e90cde26148f05b609f336e6844b92d0357e84ba462ba9acab7ea1ee3de1693b7955301f458e87c9

Download Submit
C:\Windows\SysWOW64\serivces.exe

Filesize
88KB

MD5
432765a338db063b00cd6792f464f2d0

SHA1
862a0f6e4fc241e615b1feba0a91052c061638b1

SHA256
d8f4bd424e1913e865f6dc0aa398df5bf6497b4552f752f08486f2fcfd17f539

SHA512
9e6a7a789b23269de3d5c2f339dacbc2a2b887d5f66c23ad008ee7adf1059c3b4051e9f09c15c9d3274c1b23265823e3542186f2e814d6e44ab609f8333c3703

Download Submit