cac44a91e86fcd22bfc16ad13408ba5f8cd4e600c966114fa64f56fa671f876b

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbbdccfe501ed5276b3e276312434514_JaffaCakes118.exe
Size

208KB
MD5

fbbdccfe501ed5276b3e276312434514
SHA1

db821b6af2309c22262088cc38cf5060bbda1f75
SHA256

cac44a91e86fcd22bfc16ad13408ba5f8cd4e600c966114fa64f56fa671f876b
SHA512

c89bdf53a569c77daba5fba5996becdaa09f0d891c8b6bd914f93441adab8c54f09d0dd0421f44d04f97f4210e9164a50d092b003bd4f7710b369b8f54ad915f
SSDEEP

3072:WChJgYMm4xf9cU9KQ2BxA59SPMSOoVn2a:GYMm4xiWKQ2BiCM8

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	fbbdccfe501ed5276b3e276312434514_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4244	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\549c5679\jusched.exe	fbbdccfe501ed5276b3e276312434514_JaffaCakes118.exe
File created	C:\Program Files (x86)\549c5679\549c5679	fbbdccfe501ed5276b3e276312434514_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	fbbdccfe501ed5276b3e276312434514_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 4244	2432	fbbdccfe501ed5276b3e276312434514_JaffaCakes118.exe	88
PID 2432 wrote to memory of 4244	2432	fbbdccfe501ed5276b3e276312434514_JaffaCakes118.exe	88
PID 2432 wrote to memory of 4244	2432	fbbdccfe501ed5276b3e276312434514_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\fbbdccfe501ed5276b3e276312434514_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbbdccfe501ed5276b3e276312434514_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files (x86)\549c5679\jusched.exe
  "C:\Program Files (x86)\549c5679\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\549c5679\549c5679

Filesize
17B

MD5
89931a70501a3362b6823b53523f5a77

SHA1
88c7e199c462ed8cc3af0ba453512b5b1fdcfdb5

SHA256
d30d9a0e64bc9f4a306617f087f30de6d57a5413793ab7bde13a299777a1b254

SHA512
8fa7ab4824ae86f3f47b3718c11f79ef275dd0639396572eaeb1262ad9153ccf43c633a7b292e30c97370436a09f22fbcf817a802015650ffb1f84d2b83483bd

Download Submit
C:\Program Files (x86)\549c5679\jusched.exe

Filesize
208KB

MD5
648f2581cee92d1e6e60770b3fda2640

SHA1
e40913a29c7d1abe0a109cc8269e8b20ee80543e

SHA256
098e2e7ec521b968af9fecab7c6c068a3d826f43cb8e57245d1ad2a96c883224

SHA512
007cae2178816e18ceef1ef19e8c3aa50efcffc7aba8ebb3827b73840c9b0f02e0079b608820cc8a77ae244c9a596ade732c44cf13bfe4fed66a4e05e620ddf9

Download Submit