b584e51d2963e09d6131b4478278aae81f8671eab799780a03a85b37b0546844

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
Size

762KB
MD5

33f2ea12e7c2a0617631cd2c06213c43
SHA1

5dd1e34134293ea1b2c19a274a846637430b322f
SHA256

b584e51d2963e09d6131b4478278aae81f8671eab799780a03a85b37b0546844
SHA512

252d4d9276c6c6ed8ff6a8865ba55775c73e10e87579221b5cabe63e313a1307f0a896073ee28902953894c557fe2d1487e4fa2879f84c3273ce1d161ecdbf37
SSDEEP

12288:2tobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnV:2tDltItNW7pjDlpt5XY/2TkXKza/29h

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3156	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4104	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3156	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
3156	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3156	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
3156	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
3156	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3156	1608	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	82
PID 1608 wrote to memory of 3156	1608	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	82
PID 1608 wrote to memory of 3156	1608	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	82
PID 3156 wrote to memory of 1440	3156	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	90
PID 3156 wrote to memory of 1440	3156	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	90
PID 3156 wrote to memory of 1440	3156	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	90
PID 1440 wrote to memory of 4104	1440	cmd.exe	92
PID 1440 wrote to memory of 4104	1440	cmd.exe	92
PID 1440 wrote to memory of 4104	1440	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\nsa3B84.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsa3B84.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsa3B84.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsa3B84.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26228.bat" "C:\Users\Admin\AppData\Local\Temp\6AAAE1052F174D26B38AADC1BBDDD455\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$I12K6TZ

Filesize
98B

MD5
b3ff6cb00506d1be394542132d3d6dfa

SHA1
ebe9c361189db913fa4bdd95cf44af62b022b3ee

SHA256
16a85ecddabd37d0b98ffd5341823795e058e296a6276fd7dddc09bd312e3350

SHA512
a6becb08de549595164b425027ea42c27f67dc90ef19128dc559e3d8ee76b35fd925624e97f2405e8b125b96ac80d0c5fd2f057b6158b46d36bfb29fbb0fd253

Download Submit
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$IN10C8M

Filesize
98B

MD5
b77530237c1fa823a2520916e2cd14d8

SHA1
6f066ccdc19cbd4d9b27a48f3e4627cc58f2d7b1

SHA256
3b2ea6448f20a820b7052952d0f72902fbd30d5206c0dede8537203be93abdba

SHA512
8e6b926cc701d63e721e263eccd5ce27d7156dd49050d9d2d60714c336196312bbcad9d288bd89720227bd6b965e9898a50d98984497aaeafa76804e95940e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\26228.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AAAE1052F174D26B38AADC1BBDDD455\6AAAE1052F174D26B38AADC1BBDDD455_LogFile.txt

Filesize
2KB

MD5
f3561497e9323c632c7f6032362ed31a

SHA1
99263c4e6490cb5c0dd7e33ecacab9530e1472d7

SHA256
c186e57e36596c4b4339857904ddecac63cc9db2612ad373b3815f33e0da05e3

SHA512
3eb6d3b5bc07084517da6f436b6a0cb722da847d0b2a314b33e35a3a51209c0cdf63333d320d27c2af22cf6a96cc48c22fd419a9d452d2b5aef0d7432e560257

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AAAE1052F174D26B38AADC1BBDDD455\6AAAE1052F174D26B38AADC1BBDDD455_LogFile.txt

Filesize
2KB

MD5
f8c7f8d286d6308e4f7cf9ca50229c1c

SHA1
b1caa17b0cab2369e8255ec2036da34ecf620688

SHA256
1a6d75f8cdcb546def299300aa75d1eeabadec46963a09aa8a0ea2a5f7cf6945

SHA512
83f122f5075fde614b4faba0be84a86cbd63ce75f8252ed41360522c586b6847c736e57234449ecc727b8a90054deea2174c0395f9518d2946c727413a5711d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AAAE1052F174D26B38AADC1BBDDD455\6AAAE1052F174D26B38AADC1BBDDD455_LogFile.txt

Filesize
3KB

MD5
41805557f1b5aea9dc3822febd31f8ca

SHA1
285fdd0b3b47cecc7fbd75d8bc2c908c448030b5

SHA256
440dbddba2dc2cb3c482cd6be74f5b4bbf699b1a8bbf9f670134bf412dfc5a5c

SHA512
79d00082ddbd6e50d8922cbe7612074bae4a9d31e2c09a08fd0feaf5dab8e9104821d95e1755a8e0982937d9df51c7dabcc7260979947133997fa7b4e2d5404d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AAAE1052F174D26B38AADC1BBDDD455\6AAAE1052F174D26B38AADC1BBDDD455_LogFile.txt

Filesize
4KB

MD5
26efad6af18f416af2e406d63ff9fad0

SHA1
7a3d30263230e8e624b56694a81b5ada61e29ae9

SHA256
6aab72d008e3d14ae9a2213b66e4dd8008e74904fa325b4b005f07bdd14613c7

SHA512
f0c49dee45efeb0040844567b9688fff097b4f56ff5d97661d80ed45130828e9acb12d7e068a85b6f516c09eac498c45e7c94c9b8d2fae2bcec630f04294a173

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AAAE1052F174D26B38AADC1BBDDD455\6AAAE1~1.TXT

Filesize
27KB

MD5
670b5ebd5c739d6f218becdb8fcaed09

SHA1
4edf1e70d63fb62613c1a4171f6d10cd8a28a37a

SHA256
8411fdee531c1ef3ea16cdd39af913101e1e5d2cc04875f8a37ab37d559631f8

SHA512
d403245afb98f9e585cf72b429e4367f6492fb6e5f46d47ae34186b4dfca4ee289caafc3c0a06bae293b7a11a5b3c682e06e22ec6862e20f103109fefdd15c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa3B84.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa3B84.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa3B84.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
memory/1608-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1608-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3156-71-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/3156-207-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download