ceb39bd7270666c09534f6d54d2715e3e74652d28c494d9e73664de655164387

Analysis

max time kernel
135s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe
Size

1.6MB
MD5

3a2409969f1bfa669f1d339c8ac9fa1f
SHA1

afaa363108d2c91f6cea4684a3299fa992a23b0c
SHA256

ceb39bd7270666c09534f6d54d2715e3e74652d28c494d9e73664de655164387
SHA512

463ee6728abb25a80274b9ab87898cbaa7366531ab8e3368298b2112f54bb4dc3025597b0c1ffcb46014811a057d6e01af64e64a0a37088cea67c63f92e8274e
SSDEEP

49152:/Zgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S93:/GIjR1Oh0Tj

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3684	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe
3684	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3684	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe
3684	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe
3684	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 400	3684	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe	98
PID 3684 wrote to memory of 400	3684	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe	98
PID 3684 wrote to memory of 400	3684	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\23933.bat" "C:\Users\Admin\AppData\Local\Temp\5C7DB4317511438C8E1F38529C281D59\""
  2⤵
  PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23933.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C7DB4317511438C8E1F38529C281D59\5C7DB4317511438C8E1F38529C281D59_LogFile.txt

Filesize
2KB

MD5
25a2322f557e8059b1a01f05d19cd213

SHA1
db5f58e1efb7c48ced6c7badfc9d3dff450039fa

SHA256
3e727f9c08175697ac55717cbb18eb069a8f09fd2e19b8b35f8dddc57dca9617

SHA512
391f1c2fc53347fa779ec923512a3c62264ca872a0107e5269195708df765d40f9c74fb99fcdb09f11c956bb08f348c9f4d2e0fb118435f6acc300b9a267be10

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C7DB4317511438C8E1F38529C281D59\5C7DB4317511438C8E1F38529C281D59_LogFile.txt

Filesize
9KB

MD5
ae3d4d1f7cc6af67db37e5a7bdab393c

SHA1
166a225cd8ffa2437884800d8ccf9bd4b9b36fe4

SHA256
714201c9db51a910f675d71e7aada580dc237418f7a457a33b223341931b40ba

SHA512
7fb7d4bc11f67183a33b64fb0a73c8953f0ee57e1bc7521d82b6e8b32780fe4d3bcad6a2f0847179d7f92038edad1777d4bc03b6e624f8301aec416029e8b436

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C7DB4317511438C8E1F38529C281D59\5C7DB4~1.TXT

Filesize
103KB

MD5
d3a3f3836a26f02496135981f6d39350

SHA1
9c067df7d5b759d0029a5d0d50b3432e7285179a

SHA256
37d6398dd54ef946b9acde9e2b9e0b01f3da096354877293a01eda7518ab8b07

SHA512
9ff14cf5d9c8709e8becacfd84ae2ef9ab3aff62e9221d9d261b5eb00a2712be39190098be613a10333719c6c2d85b60030eade43d5f783735cdcd70d1dd8020

Download Submit
memory/3684-63-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/3684-182-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download