63b27757379ae97b85007c26ac18b83f69edfed179544359eb92ff1d23803492

Analysis

max time kernel
129s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe
Size

1.9MB
MD5

18314d37e862d5c24f7f7d0f04bb9a09
SHA1

0c7156e2c3e336d14f87c8815fd9516496e6e53e
SHA256

63b27757379ae97b85007c26ac18b83f69edfed179544359eb92ff1d23803492
SHA512

3358fbb2d3cc862cdd7e414d647fc243c6df260380610a004a9151cf02f3649c7c6a80da2a418e43b4b8a941da2ac10a6d292b533b32ae15bfe67ad20e384eaf
SSDEEP

24576:1TfEWQMHi9jzdDnA0Hse37/kf+lsEmYmHfAlOFpe8Qk+Th/De:JcW4fWiL8g7m5Al98uTBK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

Executes dropped EXE 2 IoCs

Processes:

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmpDiskScan.exe

pid	Process
3276	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp
4856	DiskScan.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
512	4856	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

pid	Process
3276	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp
3276	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

pid	Process
3276	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

description	pid	Process	procid_target
PID 4556 wrote to memory of 3276	4556	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe	84
PID 4556 wrote to memory of 3276	4556	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe	84
PID 4556 wrote to memory of 3276	4556	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe	84
PID 3276 wrote to memory of 4856	3276	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp	85
PID 3276 wrote to memory of 4856	3276	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp	85
PID 3276 wrote to memory of 4856	3276	18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp	85

C:\Users\Admin\AppData\Local\Temp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\is-LQI3G.tmp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LQI3G.tmp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp" /SL5="$50064,1255067,809984,C:\Users\Admin\AppData\Local\Temp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe
    "C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe"
    3⤵
    - Executes dropped EXE
    PID:4856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 984
      4⤵
      Program crash
      PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4856 -ip 4856
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190001\DiskScan.exe

Filesize
1.1MB

MD5
7c45d6bb1ad157b2a1bcf846a70cf28e

SHA1
3093930da264cd169880d92acfd739750adde40c

SHA256
9de4dd12e31445a073c04c64731676ebde5850fb7ffee5463cf398142c824c71

SHA512
5af94e470a8e713bba3e24a08f47ea2cc6935acaf95afabf90cea71bb26cd0c860ed4d81bd0168cf3533c9d248eb883fa1d6cb982f7fafc1db908116b7b96192

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LQI3G.tmp\18314d37e862d5c24f7f7d0f04bb9a09_JaffaCakes118.tmp

Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
memory/3276-6-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/3276-22-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4556-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/4556-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4556-23-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download