3baa3d9cd392c10bc58d887a195ee7d04a96fbab39b3fdbccf577a65f4dacca4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5c920ac385636eb67027a5a7a53153b_JaffaCakes118.exe
Size

582KB
MD5

f5c920ac385636eb67027a5a7a53153b
SHA1

cc6386dec3489c0791e21936fbb41f7b847399e3
SHA256

3baa3d9cd392c10bc58d887a195ee7d04a96fbab39b3fdbccf577a65f4dacca4
SHA512

497a9572284ae5619a7d9f6cc633b139fd85446ff99937479edd88cc5626a89613468e0fb54c863435d7cb1809df9f147ffcb6ff9c3c98a92e7302c7183ad575
SSDEEP

12288:44knqxpZUhJCBHE0sPvg80xee7t6CH7R+oqJ16ZM7oG1:oni4P3Pvg8Uwytv5ZK1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4620	Application Updater.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5c920ac385636eb67027a5a7a53153b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
396	f5c920ac385636eb67027a5a7a53153b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	f5c920ac385636eb67027a5a7a53153b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4620	396	f5c920ac385636eb67027a5a7a53153b_JaffaCakes118.exe	84
PID 396 wrote to memory of 4620	396	f5c920ac385636eb67027a5a7a53153b_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\f5c920ac385636eb67027a5a7a53153b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5c920ac385636eb67027a5a7a53153b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Roaming\Application Updater.exe
  "C:\Users\Admin\AppData\Roaming\Application Updater.exe"
  2⤵
  - Executes dropped EXE
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Application Updater.exe

Filesize
3KB

MD5
e30c847cf18a0c965e591fddad62a9cf

SHA1
699f9dffe24e53cc0d128c32c60d830ac012212a

SHA256
f7a6179db2054de171a9b445e0d45c74b9836eb881f413c4418c117e202f2b6c

SHA512
41a3b41f70bb0d34c676b58e232b1b1bc97cf37e6a58fa18c75213b69af163a4ffcd7a8ed49baed020d07b64e8cc0f45a9a2a843ef3061ec9b5544218dc40f44

Download Submit
memory/396-0-0x00000000749D2000-0x00000000749D3000-memory.dmp

Filesize
4KB

Download
memory/396-1-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/396-2-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/396-10-0x00000000749D2000-0x00000000749D3000-memory.dmp

Filesize
4KB

Download
memory/396-11-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/396-12-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/4620-7-0x00007FFCD4E25000-0x00007FFCD4E26000-memory.dmp

Filesize
4KB

Download
memory/4620-9-0x00007FFCD4B70000-0x00007FFCD5511000-memory.dmp

Filesize
9.6MB

Download
memory/4620-13-0x00007FFCD4B70000-0x00007FFCD5511000-memory.dmp

Filesize
9.6MB

Download