31fc67e691f97496404ee6db955aecf0ed15a620270637433b7ec182f441e508

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65b8821bec26f4abf1432db31fa8275c_JaffaCakes118.exe
Size

2.2MB
MD5

65b8821bec26f4abf1432db31fa8275c
SHA1

f8078d74f99215df8c3af09c809e0902145edb29
SHA256

31fc67e691f97496404ee6db955aecf0ed15a620270637433b7ec182f441e508
SHA512

aeff427113d366c38cb9c9e0633f2ab8fd7a1576c0fddb64aeb40d1b0aef82e619542600b78a9508f962c12653ca770ec1736466e7cc025792f9e4f58a726727
SSDEEP

49152:2rIDRWlhI7kmA9CVPuPzXrUgW9JLUgF+p:2ORWDI7kXCVPtTs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65b8821bec26f4abf1432db31fa8275c_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	65b8821bec26f4abf1432db31fa8275c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

uninstall.exe

pid process

4952 uninstall.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

uninstall.exe

pid process

4952 uninstall.exe

pid	process
4952	uninstall.exe

pid	process
4952	uninstall.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

65b8821bec26f4abf1432db31fa8275c_JaffaCakes118.exe

description	pid	process	target process
PID 2536 wrote to memory of 4952	2536	65b8821bec26f4abf1432db31fa8275c_JaffaCakes118.exe	uninstall.exe
PID 2536 wrote to memory of 4952	2536	65b8821bec26f4abf1432db31fa8275c_JaffaCakes118.exe	uninstall.exe
PID 2536 wrote to memory of 4952	2536	65b8821bec26f4abf1432db31fa8275c_JaffaCakes118.exe	uninstall.exe

C:\Users\Admin\AppData\Local\Temp\65b8821bec26f4abf1432db31fa8275c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65b8821bec26f4abf1432db31fa8275c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\{D27PLA72-DCA2-5JIA-B8CB-D165ZHUOA25}\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\{D27PLA72-DCA2-5JIA-B8CB-D165ZHUOA25}\uninstall.exe" /uninstall /file"C:\Users\Admin\AppData\Local\Temp\65b8821bec26f4abf1432db31fa8275c_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{D27PLA72-DCA2-5JIA-B8CB-D165ZHUOA25}\uninstall.exe

Filesize
2.2MB

MD5
65b8821bec26f4abf1432db31fa8275c

SHA1
f8078d74f99215df8c3af09c809e0902145edb29

SHA256
31fc67e691f97496404ee6db955aecf0ed15a620270637433b7ec182f441e508

SHA512
aeff427113d366c38cb9c9e0633f2ab8fd7a1576c0fddb64aeb40d1b0aef82e619542600b78a9508f962c12653ca770ec1736466e7cc025792f9e4f58a726727

Download Submit
C:\Users\Admin\Documents\DVDFab Passkey\Log\install.log

Filesize
663B

MD5
4bc01463c7695f5311569d62a98c2870

SHA1
6ef1631dd28ddf2e44505f60e1e28fa5f0636e44

SHA256
b12a3c716f357b951b47ed587984b6c7a359892e80f39a3ff411fd6b08cb16aa

SHA512
e2985aeede6d2ab32e1a7d1b8280654f789bcf03a74fc0e9e49ba0d30d578f7ec07bea5c190dc46d0dcb726742b46f35967b4a72fb77fcf3d59a62bb5b1b2809

Download Submit
C:\Users\Admin\Documents\DVDFab Passkey\Log\install.log

Filesize
270B

MD5
b7c963dae77304b3fed5d9f3062c261d

SHA1
0728e124e0d45e7a8f8850b7592c6a2636951f9c

SHA256
727b3a594ef551196d3c0a324fc2496ab30781646e2632809b87cac7c7cd9379

SHA512
0136e945ec2b30a1ecfed1742457850d2d4a73d7090523142624d960fff01b694b768823cc61bf43ca10bc4095bd2c53cee0481beae61f99e665cf2a950496e0

Download Submit