1afb545fd4bb5ebee1988a43264c93d6e5d2809f9b9736dcdd702059e4b46872

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe
Size

1.6MB
MD5

34159a0fee587dd20835ee5d9007d71a
SHA1

a3f2074bdc7b520c6e4e6b68016e89082d428c0e
SHA256

1afb545fd4bb5ebee1988a43264c93d6e5d2809f9b9736dcdd702059e4b46872
SHA512

82e9cd7c652fded635099d0c6bac4c8b3bd5e5e932f502f189858977e1fab334a5beaeac1d16c7c135da89a67af5458353042149745f1287a9d40cf02f507e30
SSDEEP

49152:tZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9i:tGIjR1Oh0Tm

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3884	34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe
3884	34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3884	34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe
3884	34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe
3884	34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 988	3884	34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe	81
PID 3884 wrote to memory of 988	3884	34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe	81
PID 3884 wrote to memory of 988	3884	34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34159a0fee587dd20835ee5d9007d71a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8244.bat" "C:\Users\Admin\AppData\Local\Temp\4F532D443FB64A80A477535892010BBF\""
  2⤵
  PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4F532D443FB64A80A477535892010BBF\4F532D443FB64A80A477535892010BBF_LogFile.txt

Filesize
2KB

MD5
405fe670efa72ff89699bcad30508413

SHA1
e7f5cb0e8ffb40614060348a06eb9deefafc4a71

SHA256
ca31817933a78e9027166c9d641ba7f8882375cbf3b9eb21c3726beadb3ce6e6

SHA512
56ace3a6a2037870ff3909a9e8eeb2a69f9472c1790d19643e48cad1d8972bd392e38b6850eb847fef4d313a0a1e50ca883c8bc6cb7eb3abb69b48e04d414db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F532D443FB64A80A477535892010BBF\4F532D443FB64A80A477535892010BBF_LogFile.txt

Filesize
10KB

MD5
c3ddaf4d88970d6be315ba2dea29918f

SHA1
4fbdade597184d025ffddc3a03f92e7678ca93b2

SHA256
a08d841f3806c0229308329fd3d852a1882dcec976f1ecfbe5353d91506ec1ee

SHA512
6d4ad920763c571fd22181c5ab7fed4e573fcac3f4182a7befe4452758ca5eba08b5b02805d10e5dc639ea2710494b977fe91e20e212537ae4cb8acbafef4fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F532D443FB64A80A477535892010BBF\4F532D443FB64A80A477535892010BBF_LogFile.txt

Filesize
670B

MD5
3958c21b62636684301bd2c1f4365ae6

SHA1
7d0a75bd98fab8c2cf6e8b9c941ce2d120a7abe5

SHA256
7aa527b36b353ab5749cb91235287213d600b71316ac127eadc7f3eee736065f

SHA512
3b00e4963d99fec399369e819acf5d4e1e0aa68016677fb1905cd9f03b78e15c89a6e6f218da95f69b61126b4ffcc7348893b4110cd00915b01f3e0e80e2f032

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F532D443FB64A80A477535892010BBF\4F532D~1.TXT

Filesize
104KB

MD5
ef4c4928b89a897e9a0e519d27802ca9

SHA1
d1ec222ae4570aace54898bbf9a6980a2260c980

SHA256
418d641c2324a0ec00a167ce7fee0cc38d523443d0f4030d9f0f7eeae55e4f91

SHA512
db603e02e60c04aaa32f564997029f848af92d95683a9765788e9e8500d5cf626fc44649fc8d4571e7237a19bc268e70e5aaab02f5307df445d9ac44c5b5f618

Download Submit
C:\Users\Admin\AppData\Local\Temp\8244.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
memory/3884-63-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/3884-183-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download