d48c3ad01262cd7d4a3d1c777937fb38e96c47ab19f53dbd5dda1fe1cdb3f76b

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
Size

762KB
MD5

37274b609755ff032c62f6b8671e8b23
SHA1

bab02c7f352200518ed08148fa885ac5dea29d26
SHA256

d48c3ad01262cd7d4a3d1c777937fb38e96c47ab19f53dbd5dda1fe1cdb3f76b
SHA512

d4b565b441d483a1064bb8512e695e501a85678163aa815fb5538e7b6223c468d9017be0e94d20b8d3c88e2573aa075d98b4db9b2e6b72019c7cb5096c62dadb
SSDEEP

12288:9tobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTn3:9tDltItNW7pjDlpt5XY/2TkXKza/29z

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3884	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3884	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
3884	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3884	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
3884	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
3884	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 3884	3164	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	81
PID 3164 wrote to memory of 3884	3164	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	81
PID 3164 wrote to memory of 3884	3164	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	81
PID 3884 wrote to memory of 4588	3884	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	89
PID 3884 wrote to memory of 4588	3884	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	89
PID 3884 wrote to memory of 4588	3884	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\nsd4E9F.tmp\internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsd4E9F.tmp\internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsd4E9F.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsd4E9F.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\16528.bat" "C:\Users\Admin\AppData\Local\Temp\41723741BA834D3292AA8B1799569AA9\""
    3⤵
    PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\$I3H77PG

Filesize
98B

MD5
a8b868d926e455aa395a16cf1e0c2181

SHA1
c5ad8580a7b46720a485998f9f1f9ba46cc8463f

SHA256
ed958c2881de6d51031a8f53c78b793f5e0913cf660d04977d3848d88fbc62cc

SHA512
3bcd29ee175370da1c476008a89e50cd454d1bd215d1f8a5d7aeb7a72f02ed7a4e6bac1da5aa40998df3574d8948b90a1da310838e7afa7540c0fcc498542b9a

Download Submit
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\$IIBAKF8

Filesize
98B

MD5
2bea9535a294e48b7fc60272421e34f8

SHA1
274c96e80d6e6e1bc894722897afed4adba61bb5

SHA256
995080e4af3d7a06fbeb3d5878d48a5ecc73163f605ab98dd14a21183f326ef4

SHA512
8404d7842dc961dbde5e2ca6f837bda9b2ea8f0839d55e31d39ba880224742b530e6f542df4c9c568f8158850a9f8d21fa726e84870128e28a905a38cb4f9016

Download Submit
C:\Users\Admin\AppData\Local\Temp\16528.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\41723741BA834D3292AA8B1799569AA9\41723741BA834D3292AA8B1799569AA9_LogFile.txt

Filesize
2KB

MD5
dc618bc5d3c52d737da52014693c7326

SHA1
95eacd696ddbaeeaa3a65e95fc03901297ce3662

SHA256
f04b9e98512d6b38d9a6dee914b4f102ea8c6d06cd112b06db567a4828d0842b

SHA512
119f0cf83caf9342f283e24493547e0371e45d9883db2ddaee77e7697b0d7d6f5909dbec57471851db5ed2e70800ad66766796ecac0fbd89c3eeac349a597889

Download Submit
C:\Users\Admin\AppData\Local\Temp\41723741BA834D3292AA8B1799569AA9\41723741BA834D3292AA8B1799569AA9_LogFile.txt

Filesize
4KB

MD5
31df5143484af5e0e80ad8f4104f8fb8

SHA1
6f23b35cbdd0746f4e6fe3423c074694c65534cc

SHA256
cbbd21fe8dd9931dfdc341bf9c8c61cb41f27001e80fc3c118df5943b9ffcbbe

SHA512
86e2475b4338e1a3827b31ef4bb5728cae1980ac890cdf8c4065c9324bf73705234513b9a54035d99afc23dbbcbfc7da623c327bef18647affbec25ecccaf57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41723741BA834D3292AA8B1799569AA9\417237~1.TXT

Filesize
25KB

MD5
847e629ba57eadfc82427328d6a0b8aa

SHA1
e1630d9f6b137808ab3ac3c69524e501a2c55df9

SHA256
1d4e99e0d0470368833ddbb794d2360dc6274c7e4bf3f8ecda96be1204eb17ea

SHA512
dad1d774d529ae0a903ac2d3cabc0ccf1be38f798d7b0b60937425d6a0710ede33409bb6a3448f5186c91efc9b8d9d601c0204239c5a242c8f3b0a2da95a7f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4E9F.tmp\internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4E9F.tmp\internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd4E9F.tmp\internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
memory/3164-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3164-281-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3884-71-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/3884-202-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download