7c8cde93481f17cfbfcbb9436e0b9e49cdeb9dfc5adc4d713853888dfd7137de

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcaade57412a2d2a596f8020c9ded9eb_JaffaCakes118.exe
Size

33KB
MD5

fcaade57412a2d2a596f8020c9ded9eb
SHA1

501ed4f974b859f0a2e9a7e56a0517c18824a29d
SHA256

7c8cde93481f17cfbfcbb9436e0b9e49cdeb9dfc5adc4d713853888dfd7137de
SHA512

17573889341a557b42488419e8d41689381fd031773a0c5387542825f4d760213c4c8fe206813cefc14b5fa76cfa49b333e0051d6e162c75588bedcdbf93e7e5
SSDEEP

384:Dw5+1h1UYii+lNppElKelRgr8I4GSFdVp8NAbifwpIgX+FW3el7xI:2+1hS7i+lbpElBqMB3+I/qWQ7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	fcaade57412a2d2a596f8020c9ded9eb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 1 IoCs

pid	Process
1404	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
792	schtasks.exe
3052	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4972	4544	fcaade57412a2d2a596f8020c9ded9eb_JaffaCakes118.exe	85
PID 4544 wrote to memory of 4972	4544	fcaade57412a2d2a596f8020c9ded9eb_JaffaCakes118.exe	85
PID 4544 wrote to memory of 4972	4544	fcaade57412a2d2a596f8020c9ded9eb_JaffaCakes118.exe	85
PID 4972 wrote to memory of 792	4972	cmd.exe	88
PID 4972 wrote to memory of 792	4972	cmd.exe	88
PID 4972 wrote to memory of 792	4972	cmd.exe	88
PID 1404 wrote to memory of 3004	1404	service.exe	103
PID 1404 wrote to memory of 3004	1404	service.exe	103
PID 1404 wrote to memory of 3004	1404	service.exe	103
PID 3004 wrote to memory of 3052	3004	cmd.exe	105
PID 3004 wrote to memory of 3052	3004	cmd.exe	105
PID 3004 wrote to memory of 3052	3004	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\fcaade57412a2d2a596f8020c9ded9eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcaade57412a2d2a596f8020c9ded9eb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %TEMP%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Local\Temp\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:792

C:\Users\Admin\AppData\Local\Temp\service.exe
C:\Users\Admin\AppData\Local\Temp\service.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %TEMP%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Local\Temp\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\service.exe

Filesize
33KB

MD5
fcaade57412a2d2a596f8020c9ded9eb

SHA1
501ed4f974b859f0a2e9a7e56a0517c18824a29d

SHA256
7c8cde93481f17cfbfcbb9436e0b9e49cdeb9dfc5adc4d713853888dfd7137de

SHA512
17573889341a557b42488419e8d41689381fd031773a0c5387542825f4d760213c4c8fe206813cefc14b5fa76cfa49b333e0051d6e162c75588bedcdbf93e7e5

Download Submit
memory/1404-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4544-1-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads