bb55a32b39309a1d9a8f6c7f12408e113938dbe489b70efdd35a62c30e6b8233

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
Size

24KB
MD5

52cd5cb4c8c3f83edb2daf3361e07875
SHA1

fbc9a38bc88e8223b8a8129a9e10f3783f2e980f
SHA256

bb55a32b39309a1d9a8f6c7f12408e113938dbe489b70efdd35a62c30e6b8233
SHA512

660dbd5428661067dc839a72342fcbcd3474523c15568d4746a85ee88f547c52adaa43d550efab0d9c8295a2809b6ac478ae3598f5449b16c41a90a266c12e9b
SSDEEP

192:ajcOeIg2N8KSok3GxRKt9Bl/VdBkQ8llnBCYmoelDEMwT9zHJgnQr71sP1oyaOUs:ajIimbBkQ8nBCXXZvGQQr7k1QOV

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4404	Googlenf.EXE

Executes dropped EXE 2 IoCs

pid	Process
2148	Googlenf.EXE
4404	Googlenf.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	Googlenf.EXE
File created	C:\Windows\Mation.inf	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
File created	C:\Windows\Debugs.inf	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
File created	C:\Windows\Googlenf.EXE	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
File opened for modification	C:\Windows\Googlenf.EXE	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlenf.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4868	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
4868	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
4868	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
4868	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
5060	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
5060	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
5060	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
5060	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
2148	Googlenf.EXE
2148	Googlenf.EXE
2148	Googlenf.EXE
2148	Googlenf.EXE
4404	Googlenf.EXE
4404	Googlenf.EXE
4404	Googlenf.EXE
4404	Googlenf.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 5060	4868	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	84
PID 4868 wrote to memory of 5060	4868	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	84
PID 4868 wrote to memory of 5060	4868	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	84
PID 5060 wrote to memory of 2148	5060	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	87
PID 5060 wrote to memory of 2148	5060	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	87
PID 5060 wrote to memory of 2148	5060	52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe	87
PID 2148 wrote to memory of 4404	2148	Googlenf.EXE	89
PID 2148 wrote to memory of 4404	2148	Googlenf.EXE	89
PID 2148 wrote to memory of 4404	2148	Googlenf.EXE	89

C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\52cd5cb4c8c3f83edb2daf3361e07875_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\Googlenf.EXE
    "C:\Windows\Googlenf.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\Googlenf.EXE
      "C:\Windows\Googlenf.EXE"
      4⤵
      Deletes itself
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
2279dc07a50bcb4b2efdb0ee6f65ad35

SHA1
30d28a56d1eb7419909647a8506b37c03f3b1607

SHA256
df09bc82b753a40162246e7295f94d1bbe8629c0c9897439c2e672ddc8cfbe3e

SHA512
83a927e91631f2c9fc7407e1388dd1915b6b942695eb21f46ba33084a80c8af65e3f9845f2749691efa1a45329b44834b0e5ca8fffba1ee3f95b5b077c3ec0b2

Download Submit
C:\Windows\Googlenf.EXE

Filesize
13.5MB

MD5
3185dbfaf3dfe53d2a33dce8a7dccf1c

SHA1
abbac21d8998927ccd32b858618be3a9d55ab6b7

SHA256
1295f00f6180b929c08e857eb699225b128af56a1d4464d411a81d5e78ee1b4f

SHA512
ccbefc12cfe0e73d47554d1d8dd59b429d2ab6452283906e9aa5fcae3112977b6a77e42628b62519c2f44ac88161174e257ca9d2e80d2122a13d77905836d9ae

Download Submit
C:\Windows\Mation.inf

Filesize
13B

MD5
e353e98883820415ad14807b2a97920f

SHA1
e0dd02b23270df333700e6f163cc84ad61e6bbfb

SHA256
d87401fe5397a05eaaa08623b898465764369ae13a9eb2c19f745b534d8750f5

SHA512
f3bcc630c0f7de4e144f9ec7b1dff1de033e56fb923ef5c7c96fdd5c59a1d50d89fc30c371ab569f61028c5fd3fe540a16ecefc0e2c26e5c4c3a15d98ff007c2

Download Submit