4fb98c06085a33f197665afb7796951ee13b909aebfd618694ba24271e530a88

Analysis

max time kernel
123s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8557444d716465f01c89307d430153a_JaffaCakes118.exe
Size

1.6MB
MD5

f8557444d716465f01c89307d430153a
SHA1

121e7805b3dcd0b416874b400f2f29c7549096be
SHA256

4fb98c06085a33f197665afb7796951ee13b909aebfd618694ba24271e530a88
SHA512

0ba08cfd957f9245e028588761e5c8de515d71544e30dbafcfca939c0d558e53067b7732697477212155643ef44ecdac84498d99d056c7714b85f4346addcea3
SSDEEP

49152:sZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9E:sGIjR1Oh0Tw

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	f8557444d716465f01c89307d430153a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2268	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1780	f8557444d716465f01c89307d430153a_JaffaCakes118.exe
1780	f8557444d716465f01c89307d430153a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1780	f8557444d716465f01c89307d430153a_JaffaCakes118.exe
1780	f8557444d716465f01c89307d430153a_JaffaCakes118.exe
1780	f8557444d716465f01c89307d430153a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 4960	1780	f8557444d716465f01c89307d430153a_JaffaCakes118.exe	97
PID 1780 wrote to memory of 4960	1780	f8557444d716465f01c89307d430153a_JaffaCakes118.exe	97
PID 1780 wrote to memory of 4960	1780	f8557444d716465f01c89307d430153a_JaffaCakes118.exe	97
PID 4960 wrote to memory of 2268	4960	cmd.exe	99
PID 4960 wrote to memory of 2268	4960	cmd.exe	99
PID 4960 wrote to memory of 2268	4960	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\f8557444d716465f01c89307d430153a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8557444d716465f01c89307d430153a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\12876.bat" "C:\Users\Admin\AppData\Local\Temp\6D59FBBE67ED4426B1B499E2581E3D55\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12876.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D59FBBE67ED4426B1B499E2581E3D55\6D59FBBE67ED4426B1B499E2581E3D55_LogFile.txt

Filesize
2KB

MD5
f82b55d1eac1bfe4ded6dafd32428bc1

SHA1
07d7dff6275a3d29e2aa940c3c3b40621a0ed43c

SHA256
f5803c4f3a61a3734ab18bdaba38a3514fef245e492c4d2a44f2107583feb792

SHA512
8abc189302887b676026f7eaac0d3fa049cc46286ef64047b45aefb95cd6fdec40ec6c7076b3420d64341f88eb2107efd4310ca80bd901710410cfd9d6feb8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D59FBBE67ED4426B1B499E2581E3D55\6D59FBBE67ED4426B1B499E2581E3D55_LogFile.txt

Filesize
10KB

MD5
6ae77dc243cfc30ab436e6cc5f1ec1e1

SHA1
608f1e6caed040495f35fcc163956bd7900e7bca

SHA256
b62b24ffecdde1ec6a89b67cb3651121b230e487c4f8a3161f55057b84792788

SHA512
4a1f16958624a24f9aa45cad8cb0ab7eb58275996c3f66f139bf8f5b6477864b7980bca620b83b0349b23a9a0ab476cb7b7731adc920e0d39fa9c3077316caad

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D59FBBE67ED4426B1B499E2581E3D55\6D59FB~1.TXT

Filesize
103KB

MD5
6628afdc96034290384e458ced74dbb8

SHA1
b77d808650b5f6bd05ad8677a687c9dcc2f76495

SHA256
da628dc1ae61779de385d8934d512353aaecfe35d6b8f7ae991d20135a64372d

SHA512
e885d36bb5cd560e16c8a7385295bb0c053e0c87f5e7be4023b4e28e2f4ea3d6d8c141188ac792a25ea41c58ded763a27644f5e9712d53b59d77dc055dfc35ca

Download Submit
memory/1780-63-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download
memory/1780-180-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download