187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
Size

265KB
MD5

a0a1f5ff78c714b094a5fb386e02a7a3
SHA1

10fd01e713a5b96d19fd636e646f231bdb059bf1
SHA256

187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f
SHA512

6db4734f3b1f13f4ad87dd3b604a8c6b37698e7b788604d53fd42a3cf0af9155c96f54ce5d2651ba2f905a385eddf0c57284bda0078bba4ad5f71adde9e05fe2
SSDEEP

6144:xNeZBEmUT5ohIP1DT1SDLiXoina7ZnkOnIhB:xN+BI5yWHOiXlKkHB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1688	xscfbjx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xscfbjx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1688	5044	JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe	83
PID 5044 wrote to memory of 1688	5044	JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe	83
PID 5044 wrote to memory of 1688	5044	JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe
  "C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ryaxdj.tz

Filesize
4KB

MD5
58661627bbc5a0309c8c80c5886b2c78

SHA1
74a8ce5fa8a70b5493ede45a71df09bfe05d50b4

SHA256
5332de813671b1190f3d39ab8e2a0342823563c9626137015e970e832fa7bc98

SHA512
f515c00e50366c39a80b3097b1d197bf3f8cd426c5c6699e70ce3e77471f91ffc93540188afd9d25e088f13a0e4bd07cedf9ead39d79a34942ec785d9a1a4c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkyytyjpxe.df

Filesize
185KB

MD5
2045e2fba3e4e549f31ada7008b2af16

SHA1
f97571e97a60f39be18af949c0971ccaaa88ef2e

SHA256
c6b1b5674d75f753f483c25c44eb2c90e0a348372cf4ebcf5fb2cb57304bc239

SHA512
b93ac0f34b23b809ff146cf42cb2b04a761ffaf3b48f3dcd45e1fc93ea5cf2bd46dd69d180e61a2c59742637b6079b32c5790ddfd100c0cb33854542a88251ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe

Filesize
74KB

MD5
08b101029a510d1467056305f8bda101

SHA1
938d534e3584b132ece92f01e0089304b9587803

SHA256
3d897c1632a6234082cafef209af7ddb9f91a0af33b03e6d004e153a54d622c0

SHA512
631cc7c7a08b9492661983200ecc9b96c2d958d756808ed8b5b431a1a29ec92d360866c41c5d8307a3d185bcdedb4e66d661ec812d47d1ae057013a8cbc0ccbd

Download Submit
memory/1688-8-0x0000000000F60000-0x0000000000F62000-memory.dmp

Filesize
8KB

Download