2add377e05dff082609fb089f0c4b92f8ff3570a3c2e427b6a583e07ff1747e8

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe
Size

1.6MB
MD5

2a445ebfa7283ac0f9e72634e87f0a6c
SHA1

61f141e664f89e295b6fdad6e84eceacff4604e2
SHA256

2add377e05dff082609fb089f0c4b92f8ff3570a3c2e427b6a583e07ff1747e8
SHA512

75c24ea10692b3fe4346e58c0a498e98cdcc76c2be0247594dd5ab90c11d5ff322c10fecbcbcfdb146fc805f1444e5c3185d3629fa2efd4e216abf8a29564190
SSDEEP

49152:0Zgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9L:0GIjR1Oh0TH

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2800	PING.EXE
3756	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2740	2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe
2740	2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2740	2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe
2740	2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe
2740	2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2404	2740	2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe	95
PID 2740 wrote to memory of 2404	2740	2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe	95
PID 2740 wrote to memory of 2404	2740	2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe	95
PID 2404 wrote to memory of 2800	2404	cmd.exe	97
PID 2404 wrote to memory of 2800	2404	cmd.exe	97
PID 2404 wrote to memory of 2800	2404	cmd.exe	97
PID 2404 wrote to memory of 3756	2404	cmd.exe	98
PID 2404 wrote to memory of 3756	2404	cmd.exe	98
PID 2404 wrote to memory of 3756	2404	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a445ebfa7283ac0f9e72634e87f0a6c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29853.bat" "C:\Users\Admin\AppData\Local\Temp\403A143FFFBF4379915BE66F7D71A2A5\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2800
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29853.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\403A143FFFBF4379915BE66F7D71A2A5\403A143FFFBF4379915BE66F7D71A2A5_LogFile.txt

Filesize
2KB

MD5
2c7363c4a27376ac1f6845c3a92168fc

SHA1
90877d89bc6c1aed58edf79ce9755d9a3c1f4598

SHA256
5fa0bd017f4daeb589d805b8edec1c3e790e7156c498927bf34139c0de54a7d7

SHA512
0f29c48ddb506e9d151d3c0818a568e896280853b134f7c6cf1a2f41b4fc4fc4723e02b2d8ffc53fd993b9fb42bcba28f18df16cadb123c6d6d817403955b3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\403A143FFFBF4379915BE66F7D71A2A5\403A143FFFBF4379915BE66F7D71A2A5_LogFile.txt

Filesize
9KB

MD5
93ed6f7b1951134a4e1bca99b5c8f0c9

SHA1
0beb21058155f8ee8fdd0010810d9b1a56f06f72

SHA256
ada2a9c4932e282d85b9b5315c7138b8f616141ca3f106ab019c3dee9298a00c

SHA512
a2d719705a1ccfd58ca5896c7a6a7761117d9c7ebf5144913e56140d9315066b3f7d70d4183280094de8757ab25e4bc3e1f42c775e2694687233abce2d31cf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\403A143FFFBF4379915BE66F7D71A2A5\403A143FFFBF4379915BE66F7D71A2A5_LogFile.txt

Filesize
669B

MD5
4eaa02d66886fcdd7997a425f0d009fa

SHA1
d709e52893865c2b3f146d99d2da98bb5b0656e2

SHA256
a31f47fd83a4ea39a53786e33e112401a15027f7f8dbe39f80dede66952ba1ef

SHA512
bcc99373e1d8c004638c9cbc00f76a833fd277b2ff6a2079b23f020a4c4e4edbe965da2e857df56c094953a23944b25e5f9d12902cd1a4532127561534b1c71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\403A143FFFBF4379915BE66F7D71A2A5\403A14~1.TXT

Filesize
104KB

MD5
24a56671ae3968d478dea2ac3ecbaf62

SHA1
f89ec09d27ad9ba21b005a5c1c6c05455cbe8e08

SHA256
55ee7cb9e745d9c662e845a72cba23495cba850291687d3b2ef5d4f129b95d4a

SHA512
7aa8840c27b6cf561d2ec4466bad95e47ec42d51cc4f93832a246cc3b76df459bd2444b733aeb99f4fa00f67b7940afeb804a54b51081983e462803de5510072

Download Submit
memory/2740-63-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/2740-183-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download