213feae4318ff89a2f61a0c2863e8d0c58c991103f0e5295ac9fda870fa19b91

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe
Size

285KB
MD5

fb45b1218050bc2d4ff3b78e84a1dcab
SHA1

f82266b02e4e5edeade8cbad2b72f95db00ed3b3
SHA256

213feae4318ff89a2f61a0c2863e8d0c58c991103f0e5295ac9fda870fa19b91
SHA512

9610cd589c1b675a1e354b9ea7b66585c21ce90f6981345299882bf5d8f15f255d80c64971d1b546148f71e73cd4be4fb2434d0422e39d07736a6bc7b6b0c44f
SSDEEP

3072:/VYcdLtlGon6h/kxBsqLOp6YJG+mW4mn6Z2mSPyDaQIRqIJDyEw/Qd9433n1rNdz:CWBRxSp6Ytv4mI2mSK+QIBNyd/Qd9FxG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
4448	fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 4740	4448	fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe	89
PID 4448 wrote to memory of 4740	4448	fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe	89
PID 4448 wrote to memory of 4740	4448	fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" c:\19e892b1-3050-46e4-89bd-d0a5a7717ef4\start.hta
  2⤵
  PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\19e892b1-3050-46e4-89bd-d0a5a7717ef4\InstallerHelper.dll

Filesize
132KB

MD5
04ce97442acb295b9371a9bff3333ab6

SHA1
4ec32c7b219bda70f048b9473c3d413914c49991

SHA256
236dff6227b5dee36f55191eef55e3a45e8be5d622f28ade7afdc3a96295dce2

SHA512
cfc099e09abbcfb4960e095863ebd2ff9b2afbffb0c46617b7a8839ee1621c335feb81f593344bfabc1b596d727587942b062e0cf312dc107c1cb981d454fb5d

Download Submit
\??\c:\19e892b1-3050-46e4-89bd-d0a5a7717ef4\loader.gif

Filesize
1KB

MD5
e88ebd85dd56110ac6ea93fe0922988e

SHA1
684a31d864d33ff736234c41ac4e8d2c7f90d5ae

SHA256
379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb

SHA512
211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Download Submit
\??\c:\19e892b1-3050-46e4-89bd-d0a5a7717ef4\start.hta

Filesize
1KB

MD5
db4ada697fa7a0e215281533d52578e9

SHA1
fb755ea8371edf5065dc53e21eb413603f9eba7f

SHA256
f949fd6ca734830572128b4348dfd039419140c7ef501d80773f71ca3f0ed78c

SHA512
9ba1d2658785dd3c88b4399132f8330dc58872235e19ca9854b0e453d8cc7a58de0c8be84da376a72b5851073f531c95b2c6afa84f43053561ca8e6751d6e2f3

Download Submit