e2756b61810fe92bd595f2cf3026d995f546fba651dcf033cb95cb33c7f6883a

Analysis

max time kernel
135s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

113bced402c29231367d17be7f01784f_JaffaCakes118.exe
Size

9KB
MD5

113bced402c29231367d17be7f01784f
SHA1

602dab0768b0c33c3021e9a5e1b3442efb9665b8
SHA256

e2756b61810fe92bd595f2cf3026d995f546fba651dcf033cb95cb33c7f6883a
SHA512

e16f44f82ca9f25544786a64be774bc941c7c7e7e067af891935154ecfc52caa5c3673952dae6fda2dd895b00ac1538f5c0f2148356d98e9c72b706d537e6293
SSDEEP

192:Hym8TSrQWRIc+v2StX4Q/ZpzM79EWQOie:HxEsQWRIc8ttXd2GWQbe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	113bced402c29231367d17be7f01784f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2124	2924	113bced402c29231367d17be7f01784f_JaffaCakes118.exe	83
PID 2924 wrote to memory of 2124	2924	113bced402c29231367d17be7f01784f_JaffaCakes118.exe	83
PID 2924 wrote to memory of 2124	2924	113bced402c29231367d17be7f01784f_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\113bced402c29231367d17be7f01784f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\113bced402c29231367d17be7f01784f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
9KB

MD5
90674c4ffcc82689b718dd3c0feeb405

SHA1
88175f22b7172d64a8be08aabc11f48b64832b73

SHA256
e4a9a95f6da06919dd77d104285d0601d6bc0b82745c30b2697c9bf4f44e5e49

SHA512
f7f0cad42ac7fe4559f7477fa46ed54d1c79cd33c4931d27723a3e3a1ea00988e16df930d856705ea70c0b9dea2b9458895a2e4fee55931cf83e4ddac5168d7b

Download Submit