880a9175ad477119a0a20c399f77f6585a5e48ac56ce528d652d350e3411c624

Analysis

max time kernel
120s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe
Size

389KB
MD5

f8654ec820d417bc9d1083ad22c90041
SHA1

ed4b14a0a55f97fa937b8f8b8618e99e52d953d3
SHA256

880a9175ad477119a0a20c399f77f6585a5e48ac56ce528d652d350e3411c624
SHA512

c6875b0d723e6188a1481007f756823fefa2b8e8f3a54f8870f74aca80c903df9a9973614d89b7d7796fed6921e6a064e6d2b4bab432fff265b210d0f6f2befc
SSDEEP

12288:usQO/b3k/ufkK5UcHS7hC98U7CJTZMpTbpM56Y:usF/bUuDmcHS3UrvpM5P

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1184	qdbijh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnhec = "\"c:\\windows\\skb\\qdbijh.exe\""	f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\skb\qdbijh.exe	f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe
File created	C:\Windows\e2068e6b.log	f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4920	f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe
4920	f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4920	f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe
1184	qdbijh.exe
1184	qdbijh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1184	4920	f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe	93
PID 4920 wrote to memory of 1184	4920	f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe	93
PID 4920 wrote to memory of 1184	4920	f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8654ec820d417bc9d1083ad22c90041_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920
- C:\windows\skb\qdbijh.exe
  "C:\windows\skb\qdbijh.exe" /i
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SKB\qdbijh.exe

Filesize
389KB

MD5
f8654ec820d417bc9d1083ad22c90041

SHA1
ed4b14a0a55f97fa937b8f8b8618e99e52d953d3

SHA256
880a9175ad477119a0a20c399f77f6585a5e48ac56ce528d652d350e3411c624

SHA512
c6875b0d723e6188a1481007f756823fefa2b8e8f3a54f8870f74aca80c903df9a9973614d89b7d7796fed6921e6a064e6d2b4bab432fff265b210d0f6f2befc

Download Submit
C:\Windows\e2068e6b.log

Filesize
96B

MD5
d2964f99eb4acb7787cc39a4e429f89c

SHA1
a4f139105bd2ae12fc778222f47ea19bc020ead9

SHA256
5072349484e31ce3916230bf788f1549e35b764dd043bd3ea5d72f90003ac2c4

SHA512
b8804db61dbcb096e33c807eaafdeb09499794cad6c261ea15d9b253e1af53c2af3543051498f367a7dbf9cad1f11c9dee351b74464e6b0aa10be370655d6a30

Download Submit
memory/1184-23-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1184-25-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1184-27-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4920-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4920-1-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4920-4-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4920-31-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download