8f45c3c0135d4723b9e5c27e9bc7bc3b9fd294918e23283a016e09a36254be02

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edc0aff2c3dd34ae64562b7baec359b2_JaffaCakes118.exe
Size

514KB
MD5

edc0aff2c3dd34ae64562b7baec359b2
SHA1

b5ed8c88ac80234255622934f8f1e41b4fe94563
SHA256

8f45c3c0135d4723b9e5c27e9bc7bc3b9fd294918e23283a016e09a36254be02
SHA512

dc6927501ea3a5389a68d446154215c13c58c3e46b54802e31b86b97e88be5a6d67cda04300452f9271427991ba425dd7a5c58b28c73a7af92cdcb4c26981d5f
SSDEEP

12288:4EGdBIh+djo8ZMjKV4x+rWNS6y+lTri6CwiIGCJDrnHBuMXHfg+:4EGvJjrZ/Vs+rWNlr6wiIJJnhBXY+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	edc0aff2c3dd34ae64562b7baec359b2_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2070234.lnk	lms.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	330434.exe
3032	lms.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	lms.exe
3032	lms.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 5 IoCs

installer

resource	yara_rule
behavioral2/files/0x000900000002325c-4.dat	nsis_installer_2
behavioral2/files/0x000900000002325e-15.dat	nsis_installer_1
behavioral2/files/0x000900000002325e-15.dat	nsis_installer_2
behavioral2/files/0x0007000000023261-25.dat	nsis_installer_1
behavioral2/files/0x0007000000023261-25.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2696	5088	edc0aff2c3dd34ae64562b7baec359b2_JaffaCakes118.exe	92
PID 5088 wrote to memory of 2696	5088	edc0aff2c3dd34ae64562b7baec359b2_JaffaCakes118.exe	92
PID 5088 wrote to memory of 2696	5088	edc0aff2c3dd34ae64562b7baec359b2_JaffaCakes118.exe	92
PID 2696 wrote to memory of 3032	2696	330434.exe	93
PID 2696 wrote to memory of 3032	2696	330434.exe	93
PID 2696 wrote to memory of 3032	2696	330434.exe	93

C:\Users\Admin\AppData\Local\Temp\edc0aff2c3dd34ae64562b7baec359b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edc0aff2c3dd34ae64562b7baec359b2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\330434.exe
  "C:\Users\Admin\AppData\Local\Temp\330434.exe" /330434.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\lms.exe
    "C:\Users\Admin\AppData\Local\Temp\lms.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3592 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\330434.exe

Filesize
526KB

MD5
fa5736a091cc3befc086ae85e1959ea1

SHA1
0950a85022984ec22a059592aef31559ebfa8a36

SHA256
80669099cadbb069c70af162d1ab97099621b04decefa68828345cd74af5ffcc

SHA512
27c46efdf93dd71ae8af16fff659fa6ef2875f0c2d7c96390c3d32747d51e300ae1cc4307d0c5b6ab3dd1f0a3a58a91685fd8c8dfa479f9fda1796543785d535

Download Submit
C:\Users\Admin\AppData\Local\Temp\a32pasop.exe

Filesize
169KB

MD5
a277e0d7f03f5950e111f0af54250d49

SHA1
6ae61d32a4c1a1f5150ab4861a0fbb8d7beb5a6c

SHA256
a81d3331988d3e7d35f60ddc8bad5f433058405336baee4e86bbafbd9b41963c

SHA512
b7d61f855d07c03d9d0cbfdf3ae37ea2d354123daa4691e23a28bf85e0929229f3bf55d6d78c26b1ee8e205c49a8babd267cb1768f335f5f6531a0f85be7c275

Download Submit
C:\Users\Admin\AppData\Local\Temp\lms.exe

Filesize
170KB

MD5
cc5f8c7447aea1299da4cfebff516a50

SHA1
b9b5f0bb71812fb0fb1c50ed0698e73192ad2e12

SHA256
504a3f093cd81f9482a8466edf24bed71692dd7b9251c87175546c50af54f058

SHA512
f8517d0e2dea5c15ef4877bcb27638bdfb20f19ccff91a80bce6d1ecdfb60987b7dcf0001364f0ce4d01160822251e3bfd12bffd2a1c93a8b5d53f9ee547b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2873.tmp\SimpleFC.dll

Filesize
175KB

MD5
2ecb90bdf3e7ccc4e4478e3efa712588

SHA1
bbdb2f00b5da20aa1340632d29126f41787d14e6

SHA256
685844c38d8521f281986454a57335202b8f7f802f5499a3511f9b0d9b82046b

SHA512
f20c889803299d5ecfe030c5bab1da51968e9bc3c10b366560df307ae3067a1b0b557ea66bcc014715baab33928a98c629a4aab1d5acdb15b92a33d4634d43bc

Download Submit
memory/3032-22-0x0000000002840000-0x0000000002870000-memory.dmp

Filesize
192KB

Download