aff30ba6b1212f3f41d98357d3b57c43d9ec27e3b7199d9857f4758f79980e3b

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 18:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe
Size

156KB
MD5

426c9fdd58d4e0b8918f775fe2faa490
SHA1

1ad5c2606aa48a5486812f47055eec4036003c55
SHA256

aff30ba6b1212f3f41d98357d3b57c43d9ec27e3b7199d9857f4758f79980e3b
SHA512

cbf271d2c62593d50205ba79289bbb0d2bb4c654a199608dcbfd523407b2cc9b9a74de7be04127abbef44777f3a254603fbed6ca635a6a2624c11f1c9e174a4e
SSDEEP

3072:1fqKqf6UTbQ0XOXVh06/0NEUYynNELl1RAX61qrZLnVnS:hUf6YQlZ/MY2ilfAq1IZM

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
372	426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000233dc-4.dat	upx
behavioral2/memory/372-16-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/372-17-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 372	5008	426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe	81
PID 5008 wrote to memory of 372	5008	426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe	81
PID 5008 wrote to memory of 372	5008	426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\Temp\MT\426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe
  "C:\Windows\Temp\MT\426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\MT\426c9fdd58d4e0b8918f775fe2faa490_JaffaCakes118.exe.2

Filesize
95KB

MD5
8c24ef00eda3db6092cc642a0c114804

SHA1
c6883c2efb9a89a54efdc31f1dd0289d680fdbde

SHA256
36c425e584c86eea98838e88476784da565e103bd1445915a710c2deb6678f0c

SHA512
1c8b497236ec480d0c90acb8852b59f2fe9f714b3033c84f0e209c5fc9aafeabc38014343f4938541cb1d3641ac145468059e385c8752543988140e964241849

Download Submit
memory/372-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/372-17-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download