a7fcf790b59ef1cfc8dec3655474f90cdb41a8fea6d9ae9cf0d2d8703144714a

Analysis

max time kernel
132s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
Size

931KB
MD5

167c0f4885cb6d9fc13c967bfceeb939
SHA1

eae2bd8f375e9dcd93715c6e80e5dbf9d7604a36
SHA256

a7fcf790b59ef1cfc8dec3655474f90cdb41a8fea6d9ae9cf0d2d8703144714a
SHA512

89654a104dd5c482f86503e26bb0c0df71d817643c32d3b39bc8c14a88145a6291dca67daaea1acd7e8966f64afc3eebedf6c9da12f21cda3fdd69a08ec4bb5c
SSDEEP

24576:ntg0NmSRwZ/3WubQ41c0pGxCjpTM7+2vWc+Yt08:nxs6e3WH41/pGxYm7UcpN

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1256	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1444	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1256	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
1256	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1256	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
1256	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
1256	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1256	1444	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	84
PID 1444 wrote to memory of 1256	1444	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	84
PID 1444 wrote to memory of 1256	1444	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	84
PID 1256 wrote to memory of 4084	1256	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	99
PID 1256 wrote to memory of 4084	1256	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	99
PID 1256 wrote to memory of 4084	1256	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\nsx4131.tmp\internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsx4131.tmp\internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe /baseInstaller='C:/Users/Admin/AppData/Local/Temp/167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsx4131.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10273.bat" "C:\Users\Admin\AppData\Local\Temp\6015FA1A0BD84B31A47BF997B1C0ACDB\""
    3⤵
    PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2818691465-3043947619-2475182763-1000\$I0C2EBT

Filesize
96B

MD5
a1af67b150526b129cd050e6087cf92f

SHA1
d4459b7647a6f1cff4481c7e35d855d18a76d7d0

SHA256
f5822b59bcafa4d962ce72e246962e784735dc0ffbdf9a8f0f1edd78f7e89c13

SHA512
4d63ac5967eef7acde2d3b835b0ea47fd1b9b035e7006ede02137ee0a2d4f61ae19ed0cc9bb5478e3f09ad695dbdf1d4f08047b38f07bc75f4c27091bc2bd6e3

Download Submit
C:\$Recycle.Bin\S-1-5-21-2818691465-3043947619-2475182763-1000\$IO6WAFN

Filesize
98B

MD5
428b1d2d51fef1b4d3c84f3fc226b666

SHA1
4ee59a3daef803267013ae3e83f173ef05043ea3

SHA256
614f895ccbb51a30e5e56c80fd30eb0e267adbf826016c7010c00327ef9e2419

SHA512
b00a2447d4cbff92792124eb085273b33b47eb5f747ab6781aacba4ce94b5bbee16678948d1d6846d55f50ba9ada48065847b8f56982636e1fc2a6d0bd892e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\10273.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\6015FA1A0BD84B31A47BF997B1C0ACDB\6015FA1A0BD84B31A47BF997B1C0ACDB_LogFile.txt

Filesize
10KB

MD5
4e26b4d0b68d589731a0c3628fc23e63

SHA1
43050fdacb9785470237f388f69603e6e57e24f5

SHA256
d6e628b4a590d43fa3b268b9e6e01bb6bc3d74c2b65533bc25e5e575d0972d4d

SHA512
0170b873c88e8d13f1d582309e63ece4636344361a5735b7b57c704f50987e9058f3dec6682ec8175883794bbb870d57af0429e661b49d520641dc2903089bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6015FA1A0BD84B31A47BF997B1C0ACDB\6015FA~1.TXT

Filesize
108KB

MD5
822926e8915867b8a45612dabcf512c7

SHA1
c958ff95f6d41fd4097d8e0dea224af1425991a7

SHA256
14e19fa038e254afaf27b129f7a2501f888adc30377f4b39b0c9d31e2750ac54

SHA512
6165ab8e3d3ea5b565005be59ae61b0d97ba99cd9ec4f19621c55e792f825444b471632f8c6dc42791bbe95421b831994844745119078b72907ccac3ae94ba21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4131.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4131.tmp\internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Filesize
1.8MB

MD5
e35e058dd2119eb0f0e852f8738fbab5

SHA1
b7f9388398a9643eddb97a6c2ebaf28b6189c9a8

SHA256
17158e4838c580edce7f87e677531324579734a5ffbabefac8ce038030f11556

SHA512
d42ec1b3875e5a5cb23e520c2633081304d61ea282407dbb52d4b8c58bee4ccec377e291b485d6e6f5490920838c4b520fcd029897c6be4ac5da3bf19e46ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4131.tmp\internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118_icon.ico

Filesize
31KB

MD5
49423adffcdebeebd07c5685043a2de5

SHA1
250c7979deebd09963172460d88081ae8a094552

SHA256
a173c1085b8f2227909c0980a4aa6611670eba7869a34228d011019a5675b089

SHA512
32d18c09cb21d9755a68e1d6d75dda8fb4ad297b3d6359765a56856f1a0f6fed47532ecec039b016c73a2967e62d44606415610ae42cec77ae815b164a7f5dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4131.tmp\internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118_splash.png

Filesize
143KB

MD5
376138929342a1d86d97c9382da9cdd3

SHA1
d9344a3797e105214357b575d22ab7565bf0aa9b

SHA256
b50608c3355c6dacd183da40af82d87fbd41c6af8074617266c237416055bb7c

SHA512
35fb73515970d257b682c50bff6b6cadedd79906e212c3ab80835f03de9602fecc29459d205c497b26fbf86a625de005d1f6f98117d9c17ccb1926cd39ff756c

Download Submit
memory/1256-213-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download
memory/1256-78-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download
memory/1444-123-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1444-294-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download