Analysis
Max time kernel: 146s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20250313-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01/04/2025, 16:59
Tasks
Static task static1
Behavioral task behavioral1: JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe (resource win10v2004-20250314-en)
Behavioral task behavioral2: $PLUGINSDIR/NSISdl.dll (resource win10v2004-20250314-en)
Behavioral task behavioral3: $PLUGINSDIR/System.dll (resource win10v2004-20250314-en)
Behavioral task behavioral4: $PROGRAMFILES/$0/Uninstall.exe (resource win10v2004-20250314-en)
Behavioral task behavioral5: cmtowgosvx.exe (resource win10v2004-20250313-en)
Behavioral task behavioral6: imex.bat (resource win10v2004-20250313-en)
Note: NSISdl.dll and System.dll are the names of standard NSIS installer plugins, so the $PLUGINSDIR/ and $PROGRAMFILES/$0/ entries are most likely files unpacked from the submitted sample's NSIS installer; behavioral5 and behavioral6 cover the two files the installer drops and runs. This page reports behavioral6 (imex.bat).
General
Target: imex.bat
Size: 100B
MD5: 662f48a1d7bbabb99de8b51e2465c9b8
SHA1: fe31c2868143478f539fba398de93dfe93d2e82a
SHA256: 28f86e44da62a09ce91f8adec29263a667a50a2520a9134c09f669a6c2ef84c2
SHA512: a1b2b8ea9dc6f0a262f81cc80f52b2d2066ae9443c89759c8c1792020d933974e887ba343d861fd214170cd3227290c5da8ccad873e899ee5ca209b997fdbaff
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is also common in legitimate software; the signal here is that the reader is an executable dropped into the user's Temp directory.
  Description   IoC                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmtowgosvx.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                       PID    Process   procid_target
  PID 3196 wrote to memory of 380   3196   cmd.exe   87
  PID 3196 wrote to memory of 380   3196   cmd.exe   87
  PID 3196 wrote to memory of 380   3196   cmd.exe   87
Caveat: all three writes are from cmd.exe into the child it has just created (cmtowgosvx.exe, PID 380). A parent writing into its new child's memory is part of normal process start-up, so this signature carries little weight on its own; it is the Temp-resident .bat launching a Temp-resident .exe, plus the language lookup, that make the chain worth attention.
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\imex.bat"
   PID: 3196
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\cmtowgosvx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\cmtowgosvx.exe
      PID: 380
      Signatures: System Location Discovery: System Language Discovery
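The two signatures above are weak in isolation (system components read NLS\Language, and every parent writes into the child it creates), but together with the process paths they form a usable detection. The following is an added example, not part of the sandbox report or its signature engine: it takes records constructed to mirror the report's rows (PIDs 3196 and 380, imex.bat, cmtowgosvx.exe, the single "Key opened" row and the three WriteProcessMemory rows) and correlates them into findings. The rule names, dataclasses and the `correlate`/`sample_report` helpers are this example's own assumptions about how such rows would be represented.

```python
"""Correlate weak sandbox signals (Temp-resident launch chain, NLS\\Language read,
WriteProcessMemory) into findings. Example code; records below are constructed
to mirror the report's rows, and the rule names are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-user temp directory: executing from here is a weak indicator by itself,
# but it sharpens the other two signals when combined with them.
TEMP_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# The key behind the report's "System Language Discovery" signature.
NLS_LANGUAGE = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)
# cmd.exe /c "<something>.bat", as in the report's root process.
BAT_VIA_CMD = re.compile(r'\\cmd\.exe"?\s+/c\s+"?(?P<bat>[^"]+\.bat)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    cmdline: str
    parent_pid: Optional[int] = None


@dataclass(frozen=True)
class KeyOpened:          # one "Key opened" IoC row
    pid: int
    key: str


@dataclass(frozen=True)
class MemWrite:           # one "wrote to memory of" IoC row
    src_pid: int
    dst_pid: int


Finding = Tuple[str, int]


def correlate(processes: List[Process], key_opens: List[KeyOpened],
              mem_writes: List[MemWrite]) -> List[Finding]:
    by_pid = {p.pid: p for p in processes}
    findings = set()

    # 1. A .bat in Temp run via cmd.exe /c that spawns an executable from Temp.
    for p in processes:
        parent = by_pid.get(p.parent_pid)
        if parent is None:
            continue
        m = BAT_VIA_CMD.search(parent.cmdline)
        if m and TEMP_DIR.search(m.group("bat")) and TEMP_DIR.search(p.image):
            findings.add(("temp_bat_launches_temp_exe", p.pid))

    # 2. A Temp-resident process reading NLS\Language. The path condition keeps
    #    ordinary system components, which read this key legitimately, from matching.
    for k in key_opens:
        p = by_pid.get(k.pid)
        if p and NLS_LANGUAGE.search(k.key) and TEMP_DIR.search(p.image):
            findings.add(("temp_exe_reads_system_language", k.pid))

    # 3. WriteProcessMemory: a parent writing into the child it created is part of
    #    normal process start-up and is recorded as informational only; a write
    #    into any other process is the signal worth escalating.
    for w in mem_writes:
        target = by_pid.get(w.dst_pid)
        if target is not None and target.parent_pid == w.src_pid:
            findings.add(("expected_parent_child_write", w.src_pid))
        else:
            findings.add(("cross_process_write", w.src_pid))

    return sorted(findings)


def sample_report():
    """Constructed records mirroring the rows of this report."""
    procs = [
        Process(3196, r"C:\Windows\system32\cmd.exe",
                r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\imex.bat"'),
        Process(380, r"C:\Users\Admin\AppData\Local\Temp\cmtowgosvx.exe",
                r"C:\Users\Admin\AppData\Local\Temp\cmtowgosvx.exe", parent_pid=3196),
    ]
    keys = [KeyOpened(380, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language")]
    writes = [MemWrite(3196, 380)] * 3   # the report lists this IoC three times
    return procs, keys, writes


if __name__ == "__main__":
    for name, pid in correlate(*sample_report()):
        print(f"{name:32} pid={pid}")
```

Run against the constructed records, the parent-to-child writes come out as informational while the two Temp-based findings are what an analyst would escalate; a write from cmtowgosvx.exe back into cmd.exe, or into any process it did not create, would instead produce `cross_process_write`.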