4ef2cf76837976d50710e7e011e785505a3004e481696ebb6e0ff0c27e9079ba

Analysis

max time kernel
134s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 06:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
Size

762KB
MD5

1fbf2dbee1cc89d2281e5c80d0ee1695
SHA1

475328b85303df68ff1ec614e7830bcb4b1cecf9
SHA256

4ef2cf76837976d50710e7e011e785505a3004e481696ebb6e0ff0c27e9079ba
SHA512

6a6d39443189b6c7b826240845404602926a39f78100c27824b9072e677f0a78a2e555744b71767f5319f00d41caecccadf7166478052e8b6d182ff5ab3f8776
SSDEEP

12288:/tobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTn9:/tDltItNW7pjDlpt5XY/2TkXKza/29x

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
748	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2732	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
748	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
748	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
748	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
748	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 748	3712	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	84
PID 3712 wrote to memory of 748	3712	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	84
PID 3712 wrote to memory of 748	3712	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	84
PID 748 wrote to memory of 4140	748	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	100
PID 748 wrote to memory of 4140	748	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	100
PID 748 wrote to memory of 4140	748	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	100
PID 4140 wrote to memory of 2732	4140	cmd.exe	102
PID 4140 wrote to memory of 2732	4140	cmd.exe	102
PID 4140 wrote to memory of 2732	4140	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Local\Temp\nsu3990.tmp\internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsu3990.tmp\internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsu3990.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsu3990.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\32210.bat" "C:\Users\Admin\AppData\Local\Temp\0D14AFB637E14A2EAB665F382EDE66E8\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2860750803-256193626-1801997576-1000\$I7JCTJH

Filesize
98B

MD5
ce5dba646817a0bd276b03390d74079d

SHA1
fbf0cf2adb3ac1fd3263046fd19d4b0edb7a237d

SHA256
cbae00bf3ccebce6b4b178eb5e2b70364e7365677d5c504ec36721312108c47e

SHA512
83805b30082d6e76979e2fe7949b54188bdcee06ebdce119746cbfe12f354f18c156510aebaf4b19f1bda27466f90efbc3f490bae3a350df85b5f83cbda9cd21

Download Submit
C:\$Recycle.Bin\S-1-5-21-2860750803-256193626-1801997576-1000\$IHHTWZH

Filesize
96B

MD5
fd7319f61b033f49d92614f2c9ca26d0

SHA1
5cb84bd967d7b5e27ecd30a5950204470f0c3caa

SHA256
84c3d958c5afdc0947a64bfd32db38662fd1531fc69e52c922c4761cfe878abe

SHA512
633906aff4b3f0f5802bfbc649c82c70ba80b9302225f2d1ba7c316807ad183efed2d8117a023f40fce74b82df7a3f9a288bc3b526cf5cfa7d6fe89bc264ca30

Download Submit
C:\Users\Admin\AppData\Local\Temp\0D14AFB637E14A2EAB665F382EDE66E8\0D14AFB637E14A2EAB665F382EDE66E8_LogFile.txt

Filesize
2KB

MD5
0879cfe6d420c60e63494ea7c77d42c2

SHA1
d0e1906e6eb2fc332b64f98e61357ff4e44ca993

SHA256
114e786ab157e90530587961f1d316e7fcc48329cc0f523e11073039981a35fa

SHA512
aefffcf87287bb413c48209838254a3d8c6906eb6ee1f4bbe45f6902ab75e4b3a09a359e853fffae1fb7f5466fc8c418a86e6a9b2464aaf44c2c23de8db5a3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0D14AFB637E14A2EAB665F382EDE66E8\0D14AFB637E14A2EAB665F382EDE66E8_LogFile.txt

Filesize
2KB

MD5
15fed3e39ed2cce0ba50594bfcf9a83f

SHA1
dd2aec5ea89b169f62166899306c2a39b6336d7a

SHA256
8bc20092e61c9d4efc55dce6c6ceb4710c2139d994fe31b3e1cde357cecf7d5c

SHA512
bfc6934693d153b929641c10c990745ea783eb37f529197d12111b04ea8de2b9cf490040d018db62719532133eca1e989aea1687d8e2dd755d21f9a86e970de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0D14AFB637E14A2EAB665F382EDE66E8\0D14AFB637E14A2EAB665F382EDE66E8_LogFile.txt

Filesize
3KB

MD5
fb654bedf42af2dfe0992d7e3f2449a2

SHA1
02a63a7b0e452ffbd61df947f95d96753dd8b66d

SHA256
881ffaa8a56a55d5f501442b9c4e5befd8299165964d494923d904a4a34b4f60

SHA512
acc2e77eb01966d3b5899abebbdb9f1b320b6ee56d511b79342c62817ab8259c013c36dcdb7bb76884cf73719d635f486fc4d3e7deef3a4e0f16230e0a180cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0D14AFB637E14A2EAB665F382EDE66E8\0D14AFB637E14A2EAB665F382EDE66E8_LogFile.txt

Filesize
5KB

MD5
ee176e0e198871c4b347580e035a87c8

SHA1
7176229e96b8b717c707c8536f54eacd82506dc0

SHA256
4c336925fa459c01df42db6451c47a3afc0233a491fc7cfb99d990ddb9bd6e3a

SHA512
6abc102733d9aae84f825f6d3914512b2b80871baa91a784b0c658f1a00f700f05c8dd739e13e134342a6911c4825b807059cc9e10b9289b7bfed7718cd7eacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0D14AFB637E14A2EAB665F382EDE66E8\0D14AF~1.TXT

Filesize
27KB

MD5
e4903df6d4650c6fa27ee93a74d7ac44

SHA1
7e3dbf999a83ddcdc4c8b31ce7e493b18cdb97e5

SHA256
d63a39c6bab89534c6dead0c20f1531fc9d5b71599d2269ea4a8bfd743e55f63

SHA512
f3ed7450f47472ec37fc0a2900d9f43123eb177534428d4d4b776a43048a2cdc170385291696f8a506ec0a4be634e255c04bfe29406585dc737f0041cf4616d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\32210.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu3990.tmp\internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu3990.tmp\internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu3990.tmp\internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
memory/748-75-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/748-207-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/3712-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3712-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download