b98fec9145ca901ef6082f90af14a96c6fae5288ed0d846c97311b637b898b0a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4e8c874e479356b589322d3b91b726b_JaffaCakes118.exe
Size

91KB
MD5

b4e8c874e479356b589322d3b91b726b
SHA1

643f04004571d1534f74f52e7b372247fc6eec59
SHA256

b98fec9145ca901ef6082f90af14a96c6fae5288ed0d846c97311b637b898b0a
SHA512

07c4a5b13a22f7e1d88191a46a165cabd0845339c6941a4fe4a00d02d0cdeee1faa7dbe1c3a7d77038e5bf98ea562e3014ed4f67c6172f576642d711be250299
SSDEEP

1536:URhoEXBpnbfRpQmJnQJMnTkKmvHQ5FxtPXVnSl/pKwKdFp9khm:UjJ7nbppQmJn7npmf2lnSlBEdjMm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2176	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
2176	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4e8c874e479356b589322d3b91b726b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 2176	560	b4e8c874e479356b589322d3b91b726b_JaffaCakes118.exe	83
PID 560 wrote to memory of 2176	560	b4e8c874e479356b589322d3b91b726b_JaffaCakes118.exe	83
PID 560 wrote to memory of 2176	560	b4e8c874e479356b589322d3b91b726b_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\b4e8c874e479356b589322d3b91b726b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4e8c874e479356b589322d3b91b726b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsiC063.tmp\InstallOptions.dll

Filesize
14KB

MD5
b18dfaded8f6d2380fdfd8f6b6969211

SHA1
969fa0e906240ab1123254feeb833c275626cf76

SHA256
747d0222b652dbfc85e0de4f8486473662d325a55e32c7eacb91e53e37ceba58

SHA512
25fb09b8657997d31e61c908f1cd08357c1a1b68bbb1ba377e87b6a3eb347a2ef96c1a771b6c4332853abb33728c55c83efa73df5da03f3dfc132f8a69a2886c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC063.tmp\UninstallReason.ini

Filesize
581B

MD5
470377cd8486d654a8e108e59dba1df3

SHA1
fb245291f3040805187ced8e019c02da3619cf46

SHA256
a0d2d939a77751c5a219adc6fb3619147718ec4552d962f1e75bd38b20664cd5

SHA512
80c715b99bd73fc5ccb2cc099f4f0c87133dec4a447dbfc63bbe67bdd51271defa67fc00e7d83d75e619cbeca4befc7b996abd5aa40d61e06bed8dfbf4afb71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
91KB

MD5
b4e8c874e479356b589322d3b91b726b

SHA1
643f04004571d1534f74f52e7b372247fc6eec59

SHA256
b98fec9145ca901ef6082f90af14a96c6fae5288ed0d846c97311b637b898b0a

SHA512
07c4a5b13a22f7e1d88191a46a165cabd0845339c6941a4fe4a00d02d0cdeee1faa7dbe1c3a7d77038e5bf98ea562e3014ed4f67c6172f576642d711be250299

Download Submit