613f3b76cd41db829f79178b642d4ad2572f1e7f1942681f3b44b81c7877872c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe
Size

1.6MB
MD5

68c087f1601ab51088558b5a8f643a84
SHA1

95014992739f47066c6699d28f2e98473a72b070
SHA256

613f3b76cd41db829f79178b642d4ad2572f1e7f1942681f3b44b81c7877872c
SHA512

4a5e107837492df8eeca5e250712194f54b67fb917bdcd4f150ffe0f72aa174ed5c4d848f1008acc5253bf8936ee5d5bf591b55e8635bffdbc26f5b4a1926f91
SSDEEP

49152:nZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9W:nGIjR1Oh0Ty

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1712 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe

pid process

1372 68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe
1372 68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe

pid	process
1712	PING.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe

pid	process
1372	68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe
1372	68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe
1372	68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

68c087f1601ab51088558b5a8f643a84_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1372 wrote to memory of 2160	1372	68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 2160	1372	68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 2160	1372	68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe	cmd.exe
PID 2160 wrote to memory of 1712	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 1712	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 1712	2160	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68c087f1601ab51088558b5a8f643a84_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27003.bat" "C:\Users\Admin\AppData\Local\Temp\85F8A131FC4348479AEEF145A837E29E\""
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
3⤵
- Runs ping.exe
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27003.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\85F8A131FC4348479AEEF145A837E29E\85F8A131FC4348479AEEF145A837E29E_LogFile.txt

Filesize
2KB

MD5
1e27d3ff8419a860c99019136160a83b

SHA1
76ce7071c73201b81502d1b5bc58c59a79e57239

SHA256
a6ba2ca2884d247bec6e7c78322ed988ada2200f62e73dbbc554ff019c05c71a

SHA512
01262dd39b4584a00fbed53912ffe91ca840db9e70f60472759b263d3aabeff649edac42714e4ddc89b604ec10905db1fd5e81f1258427e34d4095930842db3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\85F8A131FC4348479AEEF145A837E29E\85F8A131FC4348479AEEF145A837E29E_LogFile.txt

Filesize
9KB

MD5
70181288ca5eff776abfc6cb1f2a75ef

SHA1
584c2916935889b7775bb5b63bab2033adb3afa3

SHA256
b2716865f74ac59ebed7a5012c2edb291a555078915b4292dad355d69e7d9f0b

SHA512
16ece902b6e5881587ef02d8db0b8fb0292787b5b1af3708d49fa583b42d2887f24072c6072fd9df241f00e0d29af32952eeb0e86f23f552eaf3fc9ded8cfa63

Download Submit
C:\Users\Admin\AppData\Local\Temp\85F8A131FC4348479AEEF145A837E29E\85F8A1~1.TXT

Filesize
106KB

MD5
145c6ed45beb4a4da6eacfbe137c0acf

SHA1
0759b3169d56128038dfa9e7e03e0a76d449cb26

SHA256
2dca081a868dbb782fa15415aa50c4fd083242b87da2ef7bbfba00e8e6db18b7

SHA512
1441e093c60d1062a1bbfc78ce23d6493f46649577bcf391868e3547394b0766d32b88f4a6d0d88e7d8026aef153769918e8fc5fa3a2a309c22ce22330af948d

Download Submit
memory/1372-63-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1372-184-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download