1b5723422fd107ecac103455ec79c881d4785970d33cc375f8de146267126ab8

Analysis

max time kernel
92s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
Size

13KB
MD5

e7853ebec5f438d537e1f0d59daef2b7
SHA1

a3630f7c39503e1b3c7bf6393af6dffccd7b9782
SHA256

1b5723422fd107ecac103455ec79c881d4785970d33cc375f8de146267126ab8
SHA512

79811c6e6fc74e71f26d67eb221ee39ee86f7c563fcfc9d56f2d5847b9b8df02eb60316cd484d9368b1c8c4374c18f9c2dd8dd037ab6a923595a481d0d8f3534
SSDEEP

384:s5wfWyQB/pbXkaegjYWBX12fnaNJawcudoD7UM:AwfqXkaLYWBX12fanbcuyD7U

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 2 IoCs

pid	Process
212	b2e.exe
3056	win32runtime.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2432-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/2432-8-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 212	2432	e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe	85
PID 2432 wrote to memory of 212	2432	e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe	85
PID 2432 wrote to memory of 212	2432	e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe	85
PID 212 wrote to memory of 4228	212	b2e.exe	86
PID 212 wrote to memory of 4228	212	b2e.exe	86
PID 212 wrote to memory of 4228	212	b2e.exe	86
PID 4228 wrote to memory of 3056	4228	cmd.exe	89
PID 4228 wrote to memory of 3056	4228	cmd.exe	89
PID 4228 wrote to memory of 3056	4228	cmd.exe	89
PID 212 wrote to memory of 1352	212	b2e.exe	90
PID 212 wrote to memory of 1352	212	b2e.exe	90
PID 212 wrote to memory of 1352	212	b2e.exe	90

C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\5043.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5043.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5043.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\516C.tmp\batfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\win32runtime.exe
      win32runtime.exe
      4⤵
      Executes dropped EXE
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5043.tmp\b2e.exe

Filesize
17KB

MD5
746c4b919f32f705067adccc46748ed7

SHA1
26e228a986bdfe7219d8354b6f9cbc4c3637dcfe

SHA256
5fcf4a4980b50f43a06ee1be36a01f2d922664beebd20bd5a2ef1a6a6b31b4c4

SHA512
ec3d48b5e04d420a6e6bcab37d243dbd1c935d97f6cb6c383deeb19e27d820f1884ea3876937e6bffa03a298f71527f601288cdbe2fd5c2b0d29bd4d139fa0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\516C.tmp\batfile.bat

Filesize
172B

MD5
293d7e6df8e49c8596f0720d08be56c2

SHA1
acfd19c1669dd9ca84f86fda1cbce80b46e4ecfd

SHA256
8b562d60078c5408336402b1c4a4150b0b5a9cabaad7db399d9870b94199a1bb

SHA512
771c36a25bb25e37445b97f360362b2db4168fb292ff80376330ff152c6d242504592bcef3f58314fe71798cfdc14848ab8d68b6d5b08fad7235cd890fd689fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
86fe4938d1986696bca9d868d67f1c08

SHA1
41f482473250996cd98b77ca41e310c9b78917c5

SHA256
20133e2e0a8ed87775d546c07bfee1d396db3244576d5137c4848b9b14efe1d7

SHA512
150f49b0a328e84f097a8406a5b711a6f8dd10295e79b33ac899bbe36e052082cad6f38b018b2f9e1a78b9ff83fe5ce16d9cb6c6db77c68310c885d958c038f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\win32runtime.exe

Filesize
9KB

MD5
92f601d63e34b5938bbcb5e8ecb399c3

SHA1
e405c007d698c63e8abe9d51305e1daba978728f

SHA256
c4bd442484b223fc11df6861efbe64993042c9b9381fdb3d42e73cbbc0ef9d69

SHA512
76cd255c7ce5c846f418be340e9c1bf762ac455b25d9de072bb28ec21061456d07a13e2e504f97242d913df3fa4f735fa3366de4b50938ba65a68a7eda3c4ddd

Download Submit
memory/212-10-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/212-28-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2432-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2432-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download