7909a74cb0a861e3d84305d0c1ff821a6b5f68136b53201ba6229776a9d488d8

Analysis

max time kernel
149s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 02:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
Size

5.1MB
MD5

54ec9134a517073b6143faf325fdb0dc
SHA1

34931855d8a94abaaea05670b007ca6cc5eaf8f7
SHA256

7909a74cb0a861e3d84305d0c1ff821a6b5f68136b53201ba6229776a9d488d8
SHA512

f3431390edfd1d32a3e29262026733f2647b64922f554d4890d7f42cf0cbcf0fd5b906fb01ea31b00f3c8c5a7b6cf2a06af0265f4534335c2061eedca818e4e8
SSDEEP

98304:pj6bq2gs/XZE6pno/AaHIR/nP3jeCs9WEgaFMBYw0ZVNGHrj6s1+Ki:lWE65o/AcIlnPnQLedgroP6s8z

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
4300	RunDll32.exe
4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunDll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe
4300	RunDll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4300	4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe	92
PID 4552 wrote to memory of 4300	4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe	92
PID 4552 wrote to memory of 4300	4552	54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54ec9134a517073b6143faf325fdb0dc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\OCSetupHlp.dll",_OCPRD530RunOpenCandyDLL@16 4552
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\OCSetupHlp.dll

Filesize
750KB

MD5
39b533683dd6bf334b8ed1832c5f082b

SHA1
ca833acb83e76cfa92a5aef42db0d61d151490bc

SHA256
fae6f456612b8661dd7c1b9bc3252f3b09ba6a7764af7f80c172edb5a4705b1e

SHA512
e47aedb5b598a814dbec6f5ec1ea14e9a153672f765c853f163354fdb99d7bcbe02275cae52a10b642eeb26e536a0bffe74868e9dc1c200ef59c54eab439faec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\finalTouch.ini

Filesize
597B

MD5
b5ed782ecc02894bc770e2bb4bc1bbc2

SHA1
0bfaea4eb10f4af4a6387f11a5b2578a6a5e27d5

SHA256
063397b466d8caed54b58903b718daf8315d4d45e98dfe4df20f7f5c7e154096

SHA512
eb3179ca144c7fc574c58b5e0111c560bd164a6101f2366a913fedc11117702153ddb72927983ee61a993e437f83d03c7587c1a1dd5794acda89d3741a7ac6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\finalTouch.ini

Filesize
597B

MD5
201e3bb7045d551283da0fc654703ac5

SHA1
d92a75b05b5e982d62585dc778cf84a4d90041d1

SHA256
40aef55643edb9bc41f456d8aaf7fdbf40f3e6435ccfadb26f8f47cee3f41130

SHA512
d361e0bbfce1823521356899c1be80e3a677180c9aa5ba1ea5a4bdaa81d5fa03b24772bea9b8b49f48ae27920381cecf6f89277387c9563da0c6440a8e0a030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\finalTouch.ini

Filesize
597B

MD5
047f27c050e4efa7e5e6133a48bfd7fb

SHA1
c5c955676519d338ba1dbefebbb7c8f22f01b32f

SHA256
061f51e77eac4a235b6120cb2a2bc2fa178c355341ae5b2296be75882deacbb9

SHA512
0b8ee8ec3db96485e2f55a6133c0501fc15429d56a79360117152105d508a3dcbffb78feaa4ee173d63ca728e025baaeaecf361a855d6706f44686f1a72635a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\finalTouch.ini

Filesize
597B

MD5
f6db8e32a6cea1a05c371cf6d036889b

SHA1
377632bb33a8a6c3404bd23ed734f9c7dcd9f143

SHA256
ddaa4d18669d4b06a75d169599dbc66a7ead1d7cb189497f65e9e7ea280aa184

SHA512
24b08b7861bc9093953ec375e99ce2abb2c4e3f64dd75725ccf26a5a9dcbe000d190db366442f62b7ee9fa3f1f76e8b4e4860d1f2a994ace1018927534d4c99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\finalTouch.ini

Filesize
597B

MD5
aa307ee17423a988dcf5aba204194c7f

SHA1
db0564239fc18fb77da056faa86e7037d53b8610

SHA256
f1c3d9f228dc7b96b0dc3965e6e5902895695fff8b6a975770108266a564a434

SHA512
67e993a59527962b8bbc7f3def17b8f154cbffc96c822e4fcfdf45eefb58a474d9fea17b4797a95a7936df984000095f49c9de84a661b178db58cae0818e512b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\finalTouch.ini

Filesize
597B

MD5
7e1bcc0f251e9e824468dacc98a98079

SHA1
6fd6d841a1af4400e848be337ea4ff11dab84946

SHA256
2ed34ad1bcc96e6db24417be9058c634a170a4fdc46a6d9d46adda67ceb51047

SHA512
74c0f2a88ddb5eade595acc30262dfb2ca74940374d416a5242822bbd79571e1d92d3bc08c6b90f98708a4b8b9d26ea0288104c55231479bc36f240df82abd9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\finalTouch.ini

Filesize
549B

MD5
1952f10a2b4ae0363f14f469e938ba07

SHA1
d40bb7f7f355ae5ef4784bfdc012202931380bbf

SHA256
d4734ceffd4b347af20fd3dd6beaae501ec664a2599b01958f7656565ce1e843

SHA512
beff1f5916f985e136ac7f081f8910285ac9fa61f16d2dcdfc0fec23dc05c876641b110884d03fbe879b5da057c3d9674d90563d69b2cc42f4a1cd93afe7a781

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv94DE.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
memory/4300-40-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4300-26-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download