60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408

Analysis

max time kernel
94s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe
Size

241KB
MD5

483fc82bc1f416dadd7db16ba5440c6a
SHA1

2b180d03d36aacda5e1791a2d89c2c44ce170f6b
SHA256

60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408
SHA512

93943c4b9a85547f879aae02bcde08ab6f9ad8958e0a350452ac5053254729b0216e68c8869a5ceeb8ae0f9ca495a6095157efa1a3a52510a6632a482a95dc43
SSDEEP

6144:HNeZmycM5oTdt4hdza6a2pAy9HPAPZPcgRIZi:HNll0kw3HYP9cy9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3360	lvymw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4668	3360	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lvymw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3360	4864	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe	85
PID 4864 wrote to memory of 3360	4864	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe	85
PID 4864 wrote to memory of 3360	4864	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe	85
PID 3360 wrote to memory of 5044	3360	lvymw.exe	86
PID 3360 wrote to memory of 5044	3360	lvymw.exe	86
PID 3360 wrote to memory of 5044	3360	lvymw.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\lvymw.exe
  C:\Users\Admin\AppData\Local\Temp\lvymw.exe C:\Users\Admin\AppData\Local\Temp\mslswzz
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\lvymw.exe
    C:\Users\Admin\AppData\Local\Temp\lvymw.exe C:\Users\Admin\AppData\Local\Temp\mslswzz
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 480
    3⤵
    - Program crash
    PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3360 -ip 3360
1⤵
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lvymw.exe

Filesize
64KB

MD5
ddc8d50e346229f2c76c329e53a48068

SHA1
a91202033dd59452603fa0fdbd2b50b1917e48a1

SHA256
23c25521d704cbc1c35aa84cc0d4f9cc7fef48eb118a55a4a4002265836eae2f

SHA512
4dad956526f033f558fa41760b70e989ad0d242941c776a7ea69a916b195cb8e7737b2c36c9662cfc54c51d99eadff09872daf129d0a92c3c38cbe71365a7349

Download Submit
C:\Users\Admin\AppData\Local\Temp\mslswzz

Filesize
5KB

MD5
d90908cd63ad318fc4d73c833a43ab59

SHA1
3953f3c253814bb39f671278ec6cafcb4d9520ed

SHA256
3b9ed624f94eb33f913de44fcd377d1f9ea793efd0c3cc529217c3ce0da3d6ca

SHA512
fb83441cb54cfd73c20e87d80921b03a8f2a9c2ef3b22cacfe7522a9bd56cae9879cfb19e625dc8ff26e95763e04de33cb4b53243c81355e9d282689e0cf85a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1sh9jvwumaf4

Filesize
184KB

MD5
595197dd5ce763cd24751c75b44be8a1

SHA1
4529317e2afc2788617c60c40adcd42e550452e1

SHA256
36dbb14dffd84498a2e624ff58f93d0519c004d24b88a67d4656b2f7367d78e7

SHA512
907d75da916f8cb7886426622e407e6bbf93d27eb2a84d0cb2490ba208e8dcfb67c23dadb382ca87b8d1127bfbb93a916fb4cdb0f4d08397c4d54d14d0ec3309

Download Submit
memory/3360-8-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download