044008d32b4212fe4c72a5a481dc492838bda8cd648df4e0e3a5ff14cb37910e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe
Size

30KB
MD5

0cdcf9dbfc333ad250d68f77c7469da7
SHA1

e4a984e1908dbd7d81c046eada64d5b8de4523e5
SHA256

044008d32b4212fe4c72a5a481dc492838bda8cd648df4e0e3a5ff14cb37910e
SHA512

96a2b9250e9186752f9cf06a46c68d78c8c022b451bf6f01ed965c6f7e9435f899ff8ee1180d5e680e0c7a1622b5e4f4ca250f5f80004549397159fe06879bd7
SSDEEP

384:Y9Icz3kBWTHdGav99999999yi9wKKCMfxrZYkdzYHQ+GBgqPKmco:YRDzv99999999yiuKKCMfxrZY2+GmgCo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4616	hhcbrnaff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 4616	864	0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe	87
PID 864 wrote to memory of 4616	864	0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe	87
PID 864 wrote to memory of 4616	864	0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
  "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
  2⤵
  - Executes dropped EXE
  PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
30KB

MD5
d05917c45e352e92ee5156196dbbc99c

SHA1
73353561ec3dc7a743f70fdf9faec08924370a1e

SHA256
2089d21175d065477c5d6fefeb206d72bab70aec043e9ac81786a91b17ef5d8b

SHA512
13bc391e04c2821f9fefe460f1150dde6c81e9f87386bf26abc6e5b1cd90b4b3b95f5ebe7be5f67c16a643ca6a61c822450d4503db19c45e92fa97e51b063eb3

Download Submit
memory/864-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/864-1-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/864-2-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/864-4-0x0000000002530000-0x0000000002930000-memory.dmp

Filesize
4.0MB

Download
memory/864-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4616-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4616-15-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download