05cdce2a1d0326505a28063e03772779004c4706d552596a54adb993d589224a

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 06:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

465dd00c0d76d0e44e4f4823378261c4_JaffaCakes118.exe
Size

68KB
MD5

465dd00c0d76d0e44e4f4823378261c4
SHA1

0cc591c7105113a128d8a2f7ff1e9d02f1322abc
SHA256

05cdce2a1d0326505a28063e03772779004c4706d552596a54adb993d589224a
SHA512

305351cdd92dc0d590b55b2a374cd92ec1c4954f9584219af0e8f50aa10bfa5b2c258abe6fb2d8addf12f8cc2fd33609c23e783144ca81fe14ec736bb3d1ab97
SSDEEP

768:5fkR5CpGd6Uarp57Cq8M572qzHoUXGV2JspP2QzNxr+/4dJrVyglypwmofXQl8g7:hknrd6Uq2p3z37BMwl68gog8bGXj

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2200	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	465dd00c0d76d0e44e4f4823378261c4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2200	1216	465dd00c0d76d0e44e4f4823378261c4_JaffaCakes118.exe	29
PID 1216 wrote to memory of 2200	1216	465dd00c0d76d0e44e4f4823378261c4_JaffaCakes118.exe	29
PID 1216 wrote to memory of 2200	1216	465dd00c0d76d0e44e4f4823378261c4_JaffaCakes118.exe	29
PID 1216 wrote to memory of 2200	1216	465dd00c0d76d0e44e4f4823378261c4_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\465dd00c0d76d0e44e4f4823378261c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\465dd00c0d76d0e44e4f4823378261c4_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
238B

MD5
f09561ab5432bbb69eb2bad6da6d4dff

SHA1
02000ae3e03422f2afece00a78a40653f2d6a4e8

SHA256
18f88c349b2631f5f81d69d281b52a90ca49857c28252ec43ef0016721e41da8

SHA512
8ba660052138c73fbf73b98ba24512a80ea1a346b9b4a0690e801c2f755cff667ba38f0f48b7c1f83419bd26a25781bb58118ffeefab27c3ffae7e1aa7a7aefc

Download Submit
memory/1216-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download