05bbab0386133ba28831074ee7546b2602807c44c22331599bed0a6b72736f25

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe
Size

212KB
MD5

fdde02ffc0c11e37597f16e75443951c
SHA1

a6e186c8e7d3840dbc8400e11601dd3ac2ebd8a2
SHA256

05bbab0386133ba28831074ee7546b2602807c44c22331599bed0a6b72736f25
SHA512

3be9bf4dc19d3ceeac2a3908aadb5f131671ee77d3fc214595c0880e987258432a41b940ded180075fce378a52b2f2905e90fd4ede23715221423cfb7c32d824
SSDEEP

3072:JPFIGJkYW3qeavs02vkk6eslROTBSmAJHrzhIiL+5X/h1osrXLuldnzsGvYm:JOGJkY2Nvkk6dlRCS59P3G5frql+Fm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	28ab10.exe

Executes dropped EXE 1 IoCs

pid	Process
4404	28ab10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4404	4832	fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe	89
PID 4832 wrote to memory of 4404	4832	fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe	89
PID 4832 wrote to memory of 4404	4832	fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe	89
PID 4404 wrote to memory of 4388	4404	28ab10.exe	98
PID 4404 wrote to memory of 4388	4404	28ab10.exe	98
PID 4404 wrote to memory of 4388	4404	28ab10.exe	98

C:\Users\Admin\AppData\Local\Temp\fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\28ab10.exe
  "C:\Users\Admin\AppData\Local\Temp\28ab10.exe" "C:\Users\Admin\AppData\Local\Temp\fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6439.bat" "C:\Users\Admin\AppData\Local\Temp\28ab10.exe""
    3⤵
    PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28ab10.exe

Filesize
208KB

MD5
e8c1ea2e33714a9942bd7bd5105a6c64

SHA1
56858752a3e7b4f846ce49146e676d01d019bc0c

SHA256
dd7dda339fc61d094f1f1f92460695ffb1da3ba40ae7677e09df2f079fa4e8bf

SHA512
a82cbbb887e8e392fa889987dbd0cdbb036b6d6a521a6186323fab4fd1859340f3eb68eefdeca80bdc33940183c1218e5d15e3cf992f4ecfa11204a0235c2e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\6439.bat

Filesize
205B

MD5
af942e21a17f04903c52cb28a9b89542

SHA1
ebcfe47bad384564346db4141d26e3e68f9f984f

SHA256
c62a90b84dac61f74122f6eaa01665155a18b28a68b799a963f8a877194f922d

SHA512
790decec1485e8fc42c3ee09a3e871ee95fdf2bf2e5f15556de0a5b5db2106114d79206acf2dcf3e7c0dbe9df7b1298e0b3f7247a34d9d3bd9f296cc9b61211a

Download Submit