06e6187e59ed24e37233bdfeb62a1df25d2e7eecb2bade1e24d2b36beca341e5

Analysis

max time kernel
136s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

155315a2b764b7561959a26e3e05a43c_JaffaCakes118.exe
Size

19.9MB
MD5

155315a2b764b7561959a26e3e05a43c
SHA1

57519a5dc7168d1f45b89d5b86859ec3d1489842
SHA256

06e6187e59ed24e37233bdfeb62a1df25d2e7eecb2bade1e24d2b36beca341e5
SHA512

d0c03ccca2a64533d81f0d94323aebdee38500605822b94347fdd1ff5f0b6808b49899e2a250d219085c0f5e8c51a1b6b0bf03f444aa6b59992c446f24f641fb
SSDEEP

393216:CYKC4eyPWhgS6nAb22Oy3jPRhv37F/g8jxtK7GpQ446jIRowg+L+gK:CP/edgBnAy2OsRhPpNj3aLv6jIRXg+Lg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	155315a2b764b7561959a26e3e05a43c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1084	autoinst.exe

Loads dropped DLL 1 IoCs

pid	Process
1084	autoinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1084	1636	155315a2b764b7561959a26e3e05a43c_JaffaCakes118.exe	88
PID 1636 wrote to memory of 1084	1636	155315a2b764b7561959a26e3e05a43c_JaffaCakes118.exe	88
PID 1636 wrote to memory of 1084	1636	155315a2b764b7561959a26e3e05a43c_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\155315a2b764b7561959a26e3e05a43c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\155315a2b764b7561959a26e3e05a43c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\autoinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\autoinst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\autoinst.exe

Filesize
72KB

MD5
35f94211d4038fa3e417d6570cf6678f

SHA1
4bd31b789f9b9eb1c8f27bb03c91d67bcce23c00

SHA256
b9e54728af0fa94acd6da145eac3781f6406f2128f6834d184b8b386a364c745

SHA512
a6af562519878bf3f195acdd3debee69bd7dd5d095403400d603cd726e607fe950007649ccefc31c6d707d790cbabf23f1a6a23ce92df0cdc70447c3fe2c9de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\modulo.inf

Filesize
399B

MD5
cbc57301c4fee2cfef7871a67b24ce7d

SHA1
09eac6358583fead55a17261c1e42b8191e4ea6f

SHA256
62a6395c6afd86888b7f10b25f33f7e8da1a325fc91e00191d858dca13c7eb2d

SHA512
fed970184efaa5f7b00265786f2df2ed48ddb6fc8f871b1f1cf85167d4472a58ec56c9fbb5401de5d2dacb66e6161f816f3aaff20190692336c1fc10d4043453

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\swlib20070100.dll

Filesize
92KB

MD5
1e80f971a3f74839a39104f746d45061

SHA1
4a9110f1db98fe2f881cf38d41f2488329809864

SHA256
729f62d22f9c13154d8cd0f79ba56f99e28b9a1a23b901e56415581da1c47bfe

SHA512
6eea38acbb14403dc56e39fe1ab8aba2bc4cbe14ab1cabb18930839faaf46f98c46aa6108816d579ac42c96d87797f9ab05ddc012bb705a12c7df16b37e360d1

Download Submit