2ca0ff4b6a6859388c04033ebc61501ccaea8108d527b39883ce604f0fa54e87

Analysis

max time kernel
139s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55bd1beb4e9f5600f240880940657992_JaffaCakes118.exe
Size

1.9MB
MD5

55bd1beb4e9f5600f240880940657992
SHA1

72974a5d29194f13cf59378f368c8e9618f24b74
SHA256

2ca0ff4b6a6859388c04033ebc61501ccaea8108d527b39883ce604f0fa54e87
SHA512

77e69b3267afc3eeee66b024593fc8a0407c9a29c39aa078aab18f85b393217ceede3f5e5f824593b6bc09d513251ff80f882a50b794833f7ebed36076a4d414
SSDEEP

49152:Qoa1taC070dKaCW0bQaNA5gn/WSRkLiKXYP+RU2xqW4l:Qoa1taC0Bvq5g/ZKXa+Rjf4l

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
876	8A10.tmp

Executes dropped EXE 1 IoCs

pid	Process
876	8A10.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bd1beb4e9f5600f240880940657992_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8A10.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 876	4036	55bd1beb4e9f5600f240880940657992_JaffaCakes118.exe	87
PID 4036 wrote to memory of 876	4036	55bd1beb4e9f5600f240880940657992_JaffaCakes118.exe	87
PID 4036 wrote to memory of 876	4036	55bd1beb4e9f5600f240880940657992_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\55bd1beb4e9f5600f240880940657992_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55bd1beb4e9f5600f240880940657992_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\8A10.tmp
  "C:\Users\Admin\AppData\Local\Temp\8A10.tmp" --splashC:\Users\Admin\AppData\Local\Temp\55bd1beb4e9f5600f240880940657992_JaffaCakes118.exe C7C3123355BF2E05CD115533096EE5E4808EE00A8C1B852CCC80EB1510FEBEC0EAEC8FB064E25EBB10A477282A2845CB26266576E3185B9A162B8801D089734B
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8A10.tmp

Filesize
1.9MB

MD5
c9e846086a4acf6759859f4139731e39

SHA1
e65432c3c0caa6dee8f39794d7bd8ee54473334e

SHA256
f5cc95ff8eb8e7d2541e77ec7ca8a5e0008668173bbb1a0916c4442c306d69ae

SHA512
a6d3641c2f1a7fdd65a51ec327ff2e739213c52e2de25048d3dcaedd7c10fc9a5584b43b79f9a369ff1407e51c8a6070604111dae74e01aae18b1a8a09f79ff4

Download Submit
memory/876-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4036-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download