6d73ca68461ac780619b6047c3705d4f05435b5ed4c03d91a9f2093c647bedb5

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f14973ca3b13c9aa05c22f79e79fbd69_JaffaCakes118.exe
Size

28KB
MD5

f14973ca3b13c9aa05c22f79e79fbd69
SHA1

9a25334c5c8429ded2befa9bedf0f7936eda428a
SHA256

6d73ca68461ac780619b6047c3705d4f05435b5ed4c03d91a9f2093c647bedb5
SHA512

6a0bad370a8773184c3e6c966df22cd175e271775bd824b8f82f445d88a30c250440d7377d0cc94589aa9595aef6c4343b5056724577ee71df42506ae3360737
SSDEEP

768:RHgKGi+WLHxGRP6tQ7iXJsTppUg733ig0Gxkfl:ljD+WLHAl662+4BOx2

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	f14973ca3b13c9aa05c22f79e79fbd69_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/716-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/716-3-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 3912	716	f14973ca3b13c9aa05c22f79e79fbd69_JaffaCakes118.exe	90
PID 716 wrote to memory of 3912	716	f14973ca3b13c9aa05c22f79e79fbd69_JaffaCakes118.exe	90
PID 716 wrote to memory of 3912	716	f14973ca3b13c9aa05c22f79e79fbd69_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\f14973ca3b13c9aa05c22f79e79fbd69_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f14973ca3b13c9aa05c22f79e79fbd69_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
238B

MD5
c1aa6a84c1420319c47d46167e3591dc

SHA1
2bfe9a86206883a5482baba6149abc98734fbd28

SHA256
c65354e6732116f7cb5c2843aed9d924816ef6bf367f41a33a1681f438d3c351

SHA512
19523673402ae5fc54fcb910a06868aa7bea131d6512f44c9eef7c9e10b4ff65f7024b2e44a7374e50a5c33c31ded5a4b7e64ff94e9b76c39ebd403170ae2e82

Download Submit
memory/716-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/716-1-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/716-3-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download