b4ae582fb61848d83e1e55dcc4925ea7788dba0c940c5a21157de6566342f06a

Analysis

max time kernel
141s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
Size

762KB
MD5

fa5f8bef489cf87404077b8437f700fa
SHA1

a5412255ebc637165e2d7528dfc56350324769cb
SHA256

b4ae582fb61848d83e1e55dcc4925ea7788dba0c940c5a21157de6566342f06a
SHA512

90f4ce55fab0369d3d5b43888d6ddf2c0f00408dcfe52476b045510fbd0f12400170b0260611086e826464a17d9fbe06679e0a47203af62152f13191feaff0a3
SSDEEP

12288:qtobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnR:qtDltItNW7pjDlpt5XY/2TkXKza/29V

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4344	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3688	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4344	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
4344	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4344	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
4344	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
4344	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 4344	1432	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	91
PID 1432 wrote to memory of 4344	1432	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	91
PID 1432 wrote to memory of 4344	1432	fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	91
PID 4344 wrote to memory of 3752	4344	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	102
PID 4344 wrote to memory of 3752	4344	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	102
PID 4344 wrote to memory of 3752	4344	internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe	102
PID 3752 wrote to memory of 3688	3752	cmd.exe	104
PID 3752 wrote to memory of 3688	3752	cmd.exe	104
PID 3752 wrote to memory of 3688	3752	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Local\Temp\nsb6241.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsb6241.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsb6241.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsb6241.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\13689.bat" "C:\Users\Admin\AppData\Local\Temp\9DF2E1EFAC044F249B9E8EC658D0ACFB\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\$IHGTLG3

Filesize
96B

MD5
f20e0fdebbe1471ae9ff177cd3f157c1

SHA1
6c1d585d044d18ee54c547716b18368573ab5abd

SHA256
7a0eaf2d67fd83e1639b0bf9472c177f8caa17dd4a224519d9eeea68e4f04a23

SHA512
609f8fccdc9d8459b330a94e414dac9b03199b2f771eea5afbe1481e07876e40df00cc20cd92a4873b6779489db05368f4b2cc53c1b3edd985f8c05b73e5ff2a

Download Submit
C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\$IX2YICR

Filesize
98B

MD5
84431be337535e17f7cac3bf75b72363

SHA1
e5ff35730f05828bfa1757061cb555662ebbcb0d

SHA256
0894c58bc0f3d911842e94c4c332e2ca4e8251ba56dd294d5c62f00d008bf59d

SHA512
45042702669212e5492242bd658a9ede0b4ec8d73668d243fdc3e54b3ce3353d3ab1f8aa07c3e4a4f9f041b2857d484ba5489f33df4fb15fecc3f29308fcc812

Download Submit
C:\Users\Admin\AppData\Local\Temp\13689.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DF2E1EFAC044F249B9E8EC658D0ACFB\9DF2E1EFAC044F249B9E8EC658D0ACFB_LogFile.txt

Filesize
2KB

MD5
f9baae8bc16af0b54f818bf2b82f83a7

SHA1
7f170ff0e373f90f529cbf3c31844783604bbd43

SHA256
5715375af85fc2f7cc9ac9fe65bc4d152c108d8a5132f0ff49cc2f2f0ae4c1cb

SHA512
b0334380f0dfeac6c4c7bffeb0ab09ee6876b6f96f15fdc3483f3356e127408a6b04e97309a17982e48088c10d5cd6217afb3aede786ff827de19f3c928f422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DF2E1EFAC044F249B9E8EC658D0ACFB\9DF2E1EFAC044F249B9E8EC658D0ACFB_LogFile.txt

Filesize
3KB

MD5
17215e839756c26602e32d3fdb836f79

SHA1
3cd59a089a9d1a5b2619fb2d192550de97a2b0da

SHA256
1a5f697025f321d5aada186addf109ba40dc71d45a3eff4ef4ee7be8bd932509

SHA512
2f8337be4ac8e563a74e77725af7cc58cb622190bfd366a84c1950c2bd21135c955e4a1b41bddb2ada5a584423448f95fe0ccdaf90c61f7aea3dfdd5d09dc021

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DF2E1EFAC044F249B9E8EC658D0ACFB\9DF2E1EFAC044F249B9E8EC658D0ACFB_LogFile.txt

Filesize
5KB

MD5
c83c9db021582b621edd98022e6453e8

SHA1
6c721010c3a0ea59bcd6dc7f517bbe2e0e017b96

SHA256
d805bf8a9afd3197df342672895ab74e3d69fffd721152f8b1e3ec9e47388d09

SHA512
0022e4665c6cc38cc74b06fd21237232ded72c3dec2dac50700599b1f28cc50d3f9ebfedfd2e47d9612f0559221d54ab97d2467f26cb39aa76812c9153c596c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DF2E1EFAC044F249B9E8EC658D0ACFB\9DF2E1~1.TXT

Filesize
26KB

MD5
ddcb6719a4462b295b75f179f69494cc

SHA1
013355b5b62c626b45df0e18b241e7c7d7fd366e

SHA256
21034e9c32ed4afb0bee620c43aaf94f4b0b8c146c26296f36d7ab9e69966689

SHA512
248c6c893ba6c1ded3ea7fe60ed7a12fa94aff7bd6ac3fc7a1f880d6f3f6dfbfe466ba1ed7086a888cd66aeb1b4ef9712c17fa0828a0ec6df079c0aa6e28529e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6241.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6241.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6241.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
memory/1432-45-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-77-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/4344-130-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download