eb148775b1ecebf3cced4ce8404bb65b4964b133f2cda920682be66e24384e94

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe
Size

116KB
MD5

82716bb4b431ad6d5877e83e20aac059
SHA1

bc79916e193cbaf2fdfed23261ce9624451e94c9
SHA256

eb148775b1ecebf3cced4ce8404bb65b4964b133f2cda920682be66e24384e94
SHA512

9a621f623e57aa7a1abe5e906c821d13f8e00ca45d4d2136d141f7515eea67c979094ef09f7dbed1e2c422b444d22c33e01c3fbe16cd58f4e674abe9f4e3d459
SSDEEP

1536:EuZR7UI4XUFLL44WqEigJxwqSEXewmCOOHOpT20cm0E46s0DeiRqWkzfftLx44a+:E4R4Xu4xigVXFpHO120v/bem6ftQnB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
1840	servs.exe
2140	servs.exe
4412	servs.exe
4824	servs.exe
1288	servs.exe
4976	servs.exe
2172	servs.exe
3888	servs.exe
3004	servs.exe
2632	servs.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1840	3000	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe	86
PID 3000 wrote to memory of 1840	3000	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe	86
PID 3000 wrote to memory of 1840	3000	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe	86
PID 1840 wrote to memory of 2140	1840	servs.exe	102
PID 1840 wrote to memory of 2140	1840	servs.exe	102
PID 1840 wrote to memory of 2140	1840	servs.exe	102
PID 2140 wrote to memory of 4412	2140	servs.exe	105
PID 2140 wrote to memory of 4412	2140	servs.exe	105
PID 2140 wrote to memory of 4412	2140	servs.exe	105
PID 4412 wrote to memory of 4824	4412	servs.exe	108
PID 4412 wrote to memory of 4824	4412	servs.exe	108
PID 4412 wrote to memory of 4824	4412	servs.exe	108
PID 4824 wrote to memory of 1288	4824	servs.exe	109
PID 4824 wrote to memory of 1288	4824	servs.exe	109
PID 4824 wrote to memory of 1288	4824	servs.exe	109
PID 1288 wrote to memory of 4976	1288	servs.exe	112
PID 1288 wrote to memory of 4976	1288	servs.exe	112
PID 1288 wrote to memory of 4976	1288	servs.exe	112
PID 4976 wrote to memory of 2172	4976	servs.exe	113
PID 4976 wrote to memory of 2172	4976	servs.exe	113
PID 4976 wrote to memory of 2172	4976	servs.exe	113
PID 2172 wrote to memory of 3888	2172	servs.exe	119
PID 2172 wrote to memory of 3888	2172	servs.exe	119
PID 2172 wrote to memory of 3888	2172	servs.exe	119
PID 3888 wrote to memory of 3004	3888	servs.exe	120
PID 3888 wrote to memory of 3004	3888	servs.exe	120
PID 3888 wrote to memory of 3004	3888	servs.exe	120
PID 3004 wrote to memory of 2632	3004	servs.exe	126
PID 3004 wrote to memory of 2632	3004	servs.exe	126
PID 3004 wrote to memory of 2632	3004	servs.exe	126

C:\Users\Admin\AppData\Local\Temp\82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\servs.exe
  C:\Windows\system32\servs.exe 1188 "C:\Users\Admin\AppData\Local\Temp\82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\servs.exe
    C:\Windows\system32\servs.exe 1148 "C:\Windows\SysWOW64\servs.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\servs.exe
      C:\Windows\system32\servs.exe 1120 "C:\Windows\SysWOW64\servs.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 1124 "C:\Windows\SysWOW64\servs.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 1128 "C:\Windows\SysWOW64\servs.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 1132 "C:\Windows\SysWOW64\servs.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 1136 "C:\Windows\SysWOW64\servs.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 1144 "C:\Windows\SysWOW64\servs.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 1140 "C:\Windows\SysWOW64\servs.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 1152 "C:\Windows\SysWOW64\servs.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\servs.exe

Filesize
116KB

MD5
82716bb4b431ad6d5877e83e20aac059

SHA1
bc79916e193cbaf2fdfed23261ce9624451e94c9

SHA256
eb148775b1ecebf3cced4ce8404bb65b4964b133f2cda920682be66e24384e94

SHA512
9a621f623e57aa7a1abe5e906c821d13f8e00ca45d4d2136d141f7515eea67c979094ef09f7dbed1e2c422b444d22c33e01c3fbe16cd58f4e674abe9f4e3d459

Download Submit
memory/1288-21-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1840-9-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1840-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2140-15-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2140-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2172-25-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3000-8-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3000-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3000-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3004-29-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3888-27-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4412-14-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/4412-17-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4824-19-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4976-23-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download