53f18343a53a4d35670199ab1c9b66eadca4788c128d58e3fa6a90f210f1eebd

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe
Size

10KB
MD5

07f1291a3ae58be9d8c696f14eb56af8
SHA1

f87983edd771334dcfa2cbb071595142a2568909
SHA256

53f18343a53a4d35670199ab1c9b66eadca4788c128d58e3fa6a90f210f1eebd
SHA512

bdf5ba1429cdef0c5534e8fb76dda4a69f7cb0514e17e6841f2674fb03ed0cee817c186f19c28df2e9e63c587600d88eb08f44c83bfdca266be6b066f4cb6271
SSDEEP

192:ibrETxL4X4f0y4PJuCIa0K8ocRbHzbaAU/uCdCIP:iXET14X4f0y4ER1ocRbvaAUu2P

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4828	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 4828	3084	07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe	83
PID 3084 wrote to memory of 4828	3084	07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe	83
PID 3084 wrote to memory of 4828	3084	07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
11KB

MD5
185b057f791ff0f9f8798084fd2588f5

SHA1
e6f75e036f3aeebf817c34b2ba268a16708f4122

SHA256
25888e6a15c6137fc0eacce0eb3e7b6166a6ee5c0c2441bbdd10f5a79857fc2c

SHA512
338e1b3ed9ca1fefd78ec039ad4901b819c93fbf73ea82856b65169f8a7400fddef002cd0e3f98db554bebfda88f9c78cd24a433d422a0bd463f8f60b024cf61

Download Submit