b5bb58f701c074e75c15de0c5bb29a1442f78bfc6c65c857be123395ded830f5

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe
Size

364KB
MD5

0b8e5467079a33c360cfd9177423a012
SHA1

1da837fdbe2121a76209c1021ee074eadc891be8
SHA256

b5bb58f701c074e75c15de0c5bb29a1442f78bfc6c65c857be123395ded830f5
SHA512

88779789cb86fc857e71fb3bfd9dc3c0602a4b798f250a5e89ecea9e131467338a8c0ecf56fa3e396565c1fbdb04a0afed2590edc091589649c02d7d8588f3eb
SSDEEP

1536:uXBYjfC24mFVsIgvo3X4iZpTha5VlA8mG7aoL8U:uX+0mFmIgvo4iZhha5rjaoL8U

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2936	jusched.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\1e9c8200\1e9c8200	0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe
File created	C:\Program Files (x86)\1e9c8200\info_a	0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe
File created	C:\Program Files (x86)\1e9c8200\jusched.exe	0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 2936	3548	0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe	85
PID 3548 wrote to memory of 2936	3548	0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe	85
PID 3548 wrote to memory of 2936	3548	0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b8e5467079a33c360cfd9177423a012_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Program Files (x86)\1e9c8200\jusched.exe
  "C:\Program Files (x86)\1e9c8200\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1e9c8200\1e9c8200

Filesize
17B

MD5
bff3d8f76e182194c4a2abf1aabba9f3

SHA1
07e5b604bb505a800b3e0ac16fee483b70595768

SHA256
6bc8a4f93eaa1b3e7cfa696855bf6a852cf6555d694bc03e337261a27e58246f

SHA512
0c5def3bb01ed166d4135190e131c27be4b6039987e269b6c3fca07677b3c637868397f207df631a098182a6bd3c795e6dd34541f82c5ecd6062441af0af7f50

Download Submit
C:\Program Files (x86)\1e9c8200\info_a

Filesize
12B

MD5
8a39cd25b8ecd631f021a96172d0668b

SHA1
3151b0b32881850e0b3a554707ca60d90deb5e63

SHA256
33707d632ea5ef5a00ab25728d0f5286e55c2306af75f5833c95878b8b2d5d8f

SHA512
54bf0a37f2e64e32965f2467868f874e375bf244e73565294441e37137434521256d42010df2e7f78183ae919980c94a55fd116e0270dcec90b2c6bdebcdec7d

Download Submit
C:\Program Files (x86)\1e9c8200\jusched.exe

Filesize
364KB

MD5
111bf9d7e89803b73016106a84c13601

SHA1
ab8d7b53b1f9a6e1605cfb0e8ca06c438a826bfd

SHA256
f5583e5e714fa3f07f1b5715df40097b98cd571a7090de49f3ce5406636f68d3

SHA512
745c7493b2b8b2224dc6bea301e065978b585be0e7c65b9dd17f6bdfd249fe5aa790cb7c124128a1ee82640872ed5c322ffbcca4351820240c6c4245dddb1660

Download Submit
memory/2936-16-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3548-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3548-15-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download