7d63078c1cb2d9a0488f9cbfd2cdb651863a4ee06014eab5a54b4a6f44fbabcb

Analysis

max time kernel
67s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 15:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

058c8fe894dbf170107e11782123c077_JaffaCakes118.exe
Size

1.6MB
MD5

058c8fe894dbf170107e11782123c077
SHA1

4d1231a383e929f1b604595d873124b9be046b74
SHA256

7d63078c1cb2d9a0488f9cbfd2cdb651863a4ee06014eab5a54b4a6f44fbabcb
SHA512

2405c3695c9df4606e4f78d58ef7a82a3d1fa63c03cb7cbf3f95a20b8e68fd2eb51282d1b558491f005d2ef53204152d30cfa119f329b0fc22895678f8b316cf
SSDEEP

49152:/Zgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9N:/GIjR1Oh0Tp

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	058c8fe894dbf170107e11782123c077_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4124	058c8fe894dbf170107e11782123c077_JaffaCakes118.exe
4124	058c8fe894dbf170107e11782123c077_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4124	058c8fe894dbf170107e11782123c077_JaffaCakes118.exe
4124	058c8fe894dbf170107e11782123c077_JaffaCakes118.exe
4124	058c8fe894dbf170107e11782123c077_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 1000	4124	058c8fe894dbf170107e11782123c077_JaffaCakes118.exe	89
PID 4124 wrote to memory of 1000	4124	058c8fe894dbf170107e11782123c077_JaffaCakes118.exe	89
PID 4124 wrote to memory of 1000	4124	058c8fe894dbf170107e11782123c077_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\058c8fe894dbf170107e11782123c077_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\058c8fe894dbf170107e11782123c077_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1569.bat" "C:\Users\Admin\AppData\Local\Temp\3A413A8F9CCA4C978CBE57FB75EDE159\""
  2⤵
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1569.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A413A8F9CCA4C978CBE57FB75EDE159\3A413A8F9CCA4C978CBE57FB75EDE159_LogFile.txt

Filesize
1KB

MD5
8c183cf92d12cf8b8ec832f30578d5b0

SHA1
86bda1ea0e32d23c03d4e55ea5ec48de7316db72

SHA256
51f6f132acbb979ec834a8cc091bb580d2188ca016c1005e2675fa139023abe6

SHA512
60be9e425bf40ca9e0842f823a6381c562c615e20e9432772124feea22ce9d7c384129dcc011150228c2f99f2261aff9397dc7e7f4cde425229c355ebed0225d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A413A8F9CCA4C978CBE57FB75EDE159\3A413A8F9CCA4C978CBE57FB75EDE159_LogFile.txt

Filesize
9KB

MD5
6cee4ab38cfdc6a9e0748522b9bce766

SHA1
240808ddcad377f62d4eecfc8f2ff1d1f52b327c

SHA256
bab97a204d09c835582451503b5da23a3573e24965303da1d7d21f940e612e6e

SHA512
c2c0ccf499add4f71c54cc3299fbedbbb83ca81b7d3c2684452ff0644d41dd03cfdb234b6a80d2086af9eb9287d432708176849160d53701d0b38c33f167a95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A413A8F9CCA4C978CBE57FB75EDE159\3A413A~1.TXT

Filesize
115KB

MD5
10e946bc26353f76008ac5267a336ea0

SHA1
3b107889fd9dd056bb74406fc6a0425a93d92aaf

SHA256
f16e73d3a2977a2827142b9e34ead9372f478b314f75d6b243c98f8946f50470

SHA512
dee781d19c2821c4c067a89ac274f5423652b99d244a8e0baae0a58756b7df10d964ab113b73055e9555694ca00ff58cb63fb2ef4950b1296dc2c1c24b2d3dbe

Download Submit
memory/4124-63-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/4124-156-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download