a5ade73cacf80906a0e898f86bc261f2ff580d34c472ce7914ea987aab5c819d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
Size

789KB
MD5

65df9d2476bb08c5445ba024e5f73a51
SHA1

0da743731b60e43a0f3deebf8e56164134f1b2fc
SHA256

a5ade73cacf80906a0e898f86bc261f2ff580d34c472ce7914ea987aab5c819d
SHA512

aeecae5a8d4795db576eb4a884fd214bac7b5ebb9bbd2f5befaa2e74970b866650b6dc0f6179be75daa53985f3532eb1cff4152e2ef65f9952c536fc09225029
SSDEEP

12288:VtobbXN42nHq+EgqfRAUEcB3gOE6DZlZUXavlXluE70pFdZigcyrG4EEu44b8:Vt8RHjEgYAw1hZlZTWQu7igcyKPEujY

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

pid process

1900 internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
Loads dropped DLL 1 IoCs

Processes:

65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

pid process

3288 65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

pid process

1900 internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
1900 internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

pid	process
3288	65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

pid	process
1900	internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
1900	internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
1900	internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exeinternal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

description	pid	process	target process
PID 3288 wrote to memory of 1900	3288	65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe	internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
PID 3288 wrote to memory of 1900	3288	65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe	internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
PID 3288 wrote to memory of 1900	3288	65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe	internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
PID 1900 wrote to memory of 2320	1900	internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe	cmd.exe
PID 1900 wrote to memory of 2320	1900	internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe	cmd.exe
PID 1900 wrote to memory of 2320	1900	internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\nsd41ED.tmp\internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\nsd41ED.tmp\internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe /baseInstaller='C:/Users/Admin/AppData/Local/Temp/65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsd41ED.tmp/fallbackfiles/'
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2197.bat" "C:\Users\Admin\AppData\Local\Temp\63FBE54324D842F0A2003B8C88D8E0F1\""
3⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\$I8DXAWA

Filesize
96B

MD5
cbff82eccde05805f65aedcbda8a37bd

SHA1
ad16758ed62d94c55dbf27df8368d1ac574ddd3f

SHA256
8268ff31472182745a0345bf2af2d47356b3455530f4ae715d279e55bbc79822

SHA512
5abc94a54ae9f604db2ad38ed28b3a27233686e4529c468c1dccfb44e568fc6e395921f903f7e07e894c2f3ab4abfb948a586a0397a9d8d9ab1ffc400485fd9e

Download Submit
C:\Program Files (x86)\tempo_5626

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2197.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\63FBE54324D842F0A2003B8C88D8E0F1\63FBE54324D842F0A2003B8C88D8E0F1_LogFile.txt

Filesize
10KB

MD5
fcd22e0cd1d7967b5e06e45100f03153

SHA1
e980ae9a034802e0146dde0a03772e18b5755529

SHA256
acf3716ceaf606d562d747b4774440b576a6a2152d3c7a82e22d5286ab1cae31

SHA512
fb17ce6d374c226e678a4ee9dab6969479eab7eebe0df26579d8a5ddf47a82c0b089ee0500e6c0b102afd7ed5e9e1cfe74dbcc2c513bbcbc64852160480bf910

Download Submit
C:\Users\Admin\AppData\Local\Temp\63FBE54324D842F0A2003B8C88D8E0F1\63FBE5~1.TXT

Filesize
108KB

MD5
e76ea84522d7c42b3d963efb8416fffa

SHA1
666bdac937b468fe2246b93aa04ec9cfc42fc850

SHA256
f99f7d45970897e727db4691b76a5094f8c4e3aca392161543d59fe8c1044c58

SHA512
ac15379f82be230c3e679de4501bbf85c3b8590d5127d012833bf0283f987bf1fd5a01104e7f0ec1b50d5be47295faee5fe4043a6b202b2326aede9d36d79c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd41ED.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd41ED.tmp\internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118.exe

Filesize
1.8MB

MD5
9ab5db4bb5971035b4d287d64f9676b5

SHA1
33d17f016339572dd05c124d6243fffefd0cd039

SHA256
f2126481c02d2a5af29e56023902a0897d05867c1caaf8079cf6e1f05dd9b209

SHA512
d36262fdd4d8bd083d8537f0698c423240c9e42b2dc0048e2470d87411f295d6e3428587b76b0486875495d502f1f31f9edf3eb6fdb914f13421b7f29fa5f066

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd41ED.tmp\internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118_icon.ico

Filesize
17KB

MD5
055c2cb77fa2edc2802b7fd397b9c213

SHA1
e6bf5af3427539bf609cfb8904b35803a06104d3

SHA256
78d0ed2288334f341225acee3d6200d01bb0bb80b873c448ab151d0661817bf2

SHA512
7dc2930b9ac4843cca0a073a9195ab0cfb684b29c13622d0f934fb4b4a45af0fbb3a033f6ba31216214a9cbc1966436c36dd065c44b014c5c2a03dfd0b005a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd41ED.tmp\internal65df9d2476bb08c5445ba024e5f73a51_JaffaCakes118_splash.png

Filesize
12KB

MD5
fe272d040e82704707b19bfbf29d65ca

SHA1
460de628ea63986a7e6390a1623d8ba32dc82aee

SHA256
1cb036da61dc7b1ad62280681c724d74cbcc313d530a799728a4d38b4e2b1983

SHA512
8a03f9f3ce7af53b2f119f9bd001ff3fd39f879de88723306e2a6c7e8cae679d2095be6d4520ea24035c86140ef01a178a0b2535674be5c39b8b2dde4d082b1b

Download Submit
memory/1900-76-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/1900-210-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/3288-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3288-123-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download