0e3418bcbeb7b18e25a5a0733cab85dbfbf9019bae3394112e41051a192f2b13

Analysis

max time kernel
143s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 01:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
Size

2.3MB
MD5

3d677c956bc9a9ede80e38134af20a5c
SHA1

3cc9ba461899bb8999fb1c5d81ef2eca1fe86959
SHA256

0e3418bcbeb7b18e25a5a0733cab85dbfbf9019bae3394112e41051a192f2b13
SHA512

e3612be1357832eb161e385e68e244cc11d664bac880ad026271a774436a55f8d30361c7204297d3bf487a0c96b84ab239ea9f2dfe45254bf5cf8f9ee40dea08
SSDEEP

49152:v3P2Qlh/HpHzjQi4lSovRkpk3Im4zMoYeOLM9LyaBr1ccP7rENxefMN:v/3lhpTgFGpMImmYK9zKAc0MN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	567C.tmp

Executes dropped EXE 2 IoCs

pid	Process
2008	567C.tmp
4536	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Sidebar_Admin.job	567C.tmp
File created	C:\Windows\Tasks\Sidebar.job	567C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2008	567C.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4536	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
4536	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
4536	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
4536	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2008	2724	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe	83
PID 2724 wrote to memory of 2008	2724	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe	83
PID 2724 wrote to memory of 2008	2724	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe	83
PID 2008 wrote to memory of 4536	2008	567C.tmp	88
PID 2008 wrote to memory of 4536	2008	567C.tmp	88
PID 2008 wrote to memory of 4536	2008	567C.tmp	88

C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\567C.tmp
  "C:\Users\Admin\AppData\Local\Temp\567C.tmp" --pingC:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe BAC36161A4282D2CC0A7BCED75C80B963028BF3ADF955E6F97E6D19B148010CDB52F68A263FDE3428D6DA1C19A499E15FFD77D7C4698B2AC21AC3A6F14C397F2
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe

Filesize
1.1MB

MD5
cd75d3e263ff0d1d13aad24cdb9f2593

SHA1
cbcf46c2524176ce03cbfdb69017788282e495a5

SHA256
ccac4ef83f1484c207be895e40037f23138d911c1ec537ffd6577ef789c974c4

SHA512
16c489e2a2337bb7d23b5d6507d769a62d2c4ffd6b30c237752ab38c935eb92dcf74c75b972279f95617d82de69f25c53db819ddc1e543e35d89ad0956c3df87

Download Submit
C:\Users\Admin\AppData\Local\Temp\567C.tmp

Filesize
2.3MB

MD5
332e543570dd03d9050a391615c88973

SHA1
23dbc4cf558b55d3d40f25c816a1ce45c467b976

SHA256
5bdb13cdfeb3fa243c12f6242583c0da46ea6112ca84e6d6c25cdb42804b6c52

SHA512
55875046e363545bc524f8d9fe32ec7d22d7ec83a8979242dcfbb5da12089454fd72b45ce4d43144e324b28fb64e804bfa73549c3486ec57d1bf7d5129e72216

Download Submit
memory/4536-15-0x00000000003A0000-0x00000000007B3000-memory.dmp

Filesize
4.1MB

Download
memory/4536-16-0x00000000013A0000-0x00000000013A3000-memory.dmp

Filesize
12KB

Download
memory/4536-65-0x00000000003A0000-0x00000000007B3000-memory.dmp

Filesize
4.1MB

Download
memory/4536-67-0x00000000013A0000-0x00000000013A3000-memory.dmp

Filesize
12KB

Download