927d087ff31bd7ba107d6b26be5c4e1b030122372f50a514644da9bb3c7ab9b8

Analysis

max time kernel
140s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 17:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe
Size

3.0MB
MD5

fadc333491da67dbfefa0b22bb715d6d
SHA1

9d4a3f62287c91bb7060d36bfadd3d2a20039c20
SHA256

927d087ff31bd7ba107d6b26be5c4e1b030122372f50a514644da9bb3c7ab9b8
SHA512

a67e14be18f9f83d58caaa5537c1f77fff4613343de59ad9570069489355d088f7a26439589ca6bf0afabce2444e5cc6572f122d638c5c6154c8c0f44b567108
SSDEEP

49152:fMfz6K8py06wdvJPn61+dy5178aL9zVsX8UJj:EfKdHNXaLoXDj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	Cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4644	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 4160	1284	fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe	84
PID 1284 wrote to memory of 4160	1284	fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe	84
PID 1284 wrote to memory of 4160	1284	fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe	84
PID 4160 wrote to memory of 4644	4160	Cscript.exe	85
PID 4160 wrote to memory of 4644	4160	Cscript.exe	85
PID 4160 wrote to memory of 4644	4160	Cscript.exe	85
PID 1284 wrote to memory of 4640	1284	fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe	87
PID 1284 wrote to memory of 4640	1284	fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe	87
PID 1284 wrote to memory of 4640	1284	fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe	87
PID 1284 wrote to memory of 2908	1284	fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe	89
PID 1284 wrote to memory of 2908	1284	fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe	89
PID 1284 wrote to memory of 2908	1284	fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fadc333491da67dbfefa0b22bb715d6d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\Cscript.exe
  Cscript.exe C:\Users\Admin\AppData\Local\Temp\start.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /SC MINUTE /MO 180 /TN Update /TR "'C:\Users\Admin\AppData\Local\Microsoft\Update\Update.vbs'"
    3⤵
    - Creates scheduled task(s)
    PID:4644
- C:\Windows\SysWOW64\Cscript.exe
  Cscript.exe C:\Users\Admin\AppData\Local\Temp\create.vbs
  2⤵
  PID:4640
- C:\Windows\SysWOW64\Cscript.exe
  Cscript.exe C:\Users\Admin\AppData\Local\Temp\Languages\Sync\install.vbs
  2⤵
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\create.vbs

Filesize
460B

MD5
e9c4095bc2c11f0e9e4add78a9568f32

SHA1
1bf2b5e12edcade4fc0ed49fd7f9c2bf5ca7cbb1

SHA256
e4816b6843da5069562c9cf61c3386b9afe639a8d3f9fcc18560563ba62c55ef

SHA512
5a3fafa90ee5354e0cfe194762305670a27523dc01a2666646284acd8585a7e755fc5298f7fdf4de495adb4fb11c44084b2db26f180ef62841bb801dac300c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.vbs

Filesize
167B

MD5
cea895bb95c1a93be74d93135f97b63f

SHA1
b5bb168cfa9febaeeb9c8d326960f486af186b56

SHA256
467115f98316a9cd8e342cc6bb173f8aae316ed4d9d8b5e597cb8806a98b4f95

SHA512
7f0ce91871d43fd1eb617cf1677ce547292885a314eea69da0bd4402a32829d0e786cf0049ba062a386d957218dab8c8e8e05e7cba9ca8fb7709546d6dc96087

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads