e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c

Analysis

max time kernel
108s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
Size

92KB
MD5

04d1391971c911a6e9e33780fc6fea34
SHA1

f43a1618ffbd8c5cbf550af0697785e2d09c4156
SHA256

e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c
SHA512

65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9
SSDEEP

1536:veIAxtMMjEJzW2r27usjy3RwrhUc+bEjyuPu6kLaL746F+ZZnvHumdHE:XAxtrYBW2wfjy3RwdZ+E

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2808	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
1788	Wawuaug.exe
4556	Wawuaug.exe
2500	Wawuaug.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3908	1788	WerFault.exe	88

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1524	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
1524	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
1788	Wawuaug.exe
1788	Wawuaug.exe
1524	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
1524	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	Wawuaug.exe
Token: SeDebugPrivilege	1788	Wawuaug.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 4556	1788	Wawuaug.exe	89
PID 1788 wrote to memory of 4556	1788	Wawuaug.exe	89
PID 1788 wrote to memory of 4556	1788	Wawuaug.exe	89
PID 1788 wrote to memory of 2500	1788	Wawuaug.exe	90
PID 1788 wrote to memory of 2500	1788	Wawuaug.exe	90
PID 1788 wrote to memory of 2500	1788	Wawuaug.exe	90
PID 1524 wrote to memory of 2808	1524	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe	93
PID 1524 wrote to memory of 2808	1524	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe	93
PID 1524 wrote to memory of 2808	1524	04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\7934.vbs"
  2⤵
  - Deletes itself
  PID:2808

C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe
"C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe
  "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe" Win7
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe
  "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe" Win7
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 432
  2⤵
  - Program crash
  PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1788 -ip 1788
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7934.vbs

Filesize
500B

MD5
782aabe9e7bf63a2be014e3d077420f6

SHA1
8f6119e94496de6ecc7c23649575e6e730f8bde3

SHA256
3ce58f41ca21d6c06a84546edd4e8e4ff57868b7df445569a81518648f3278c8

SHA512
cb8ae4caa417216156353dc375f8f217637277c4a1cc19f0f5d2de1bd1b91bc4433a35f16de2fef3a4fb3ca6928200b051ec5d42afe9a16e700d501ee42d82b6

Download Submit
C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe

Filesize
92KB

MD5
04d1391971c911a6e9e33780fc6fea34

SHA1
f43a1618ffbd8c5cbf550af0697785e2d09c4156

SHA256
e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c

SHA512
65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9

Download Submit