dd6d275f30569f4c32a158dc30ff362eb79647c89f90581093a317cab4cdd61e

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe
Size

1.6MB
MD5

688fc52ad8e156a245cd8e62b78e4560
SHA1

a302cc0ef3461fc15915d0d79bfa2abfb99bc117
SHA256

dd6d275f30569f4c32a158dc30ff362eb79647c89f90581093a317cab4cdd61e
SHA512

0d80d8768ec26c0f476202b7ea643054e5c2c1de587de5d11b3b57e688975980684c8dc2a568edcdf90543aed7d7f569324ac9b4505bcabb047a9402f5e5bba1
SSDEEP

49152:LJwukiAFOrk6TXh1/7xUOLRTlpS+JOiwKTH9f:LO6Tx1DL4Nw

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

pid process

996 688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe
996 688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

pid	process
996	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe
996	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe
996	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

description	pid	process	target process
PID 996 wrote to memory of 3224	996	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe	cmd.exe
PID 996 wrote to memory of 3224	996	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe	cmd.exe
PID 996 wrote to memory of 3224	996	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\22493.bat" "C:\Users\Admin\AppData\Local\Temp\9FB8461D48D24373A5CF4C8BBD023983\""
2⤵
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22493.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB8461D48D24373A5CF4C8BBD023983\9FB8461D48D24373A5CF4C8BBD023983_LogFile.txt

Filesize
9KB

MD5
4f856945d57d59745516cb705fa56e4f

SHA1
ebaf8279433c5937897cc2603c71b6a9adbe3e6a

SHA256
882670812628fa747d47d02648561d80ab95ab5b1d3ee6c88fe0ca91f655eb49

SHA512
9dc34b8cef76cb6d8eb7a1ac42617463abaa75d8d65410b31f6bf2485db9a41379f990b4507a69f910e5721e352a8b70953d5901abb90976f9bd29760697de8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB8461D48D24373A5CF4C8BBD023983\9FB8461D48D24373A5CF4C8BBD023983_LogFile.txt

Filesize
2KB

MD5
a8079a408427fbc9617df080af801688

SHA1
e9d4abbf9881d02c598653313ea7658e172616a8

SHA256
a8b9cbe148e8e5909bfc54cdb80af8991b0b56559fa6247fad4e789efe230261

SHA512
6c0786a4666ce11c0f274ea738e40528d1b27101a8d2791ee21d958e9cb548a63abde669e6c06e24f8a71dc0f764920d397a98fb79e8189e8013bc94e6271d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB8461D48D24373A5CF4C8BBD023983\9FB846~1.TXT

Filesize
104KB

MD5
08192827f7ba1a0bcee01055d24a5970

SHA1
20f88ae76e97bd5826e5abd447428afb17b7511b

SHA256
1c155204698b95c23b6c6a1fc009619fdfc06cc01ffc92a5043d53adefc48519

SHA512
1acb140b0444db24a961ac17fa3e275e4eda2688a3ddc4369ffe618c6b4d64a2909585be22141c0bea49b94910992f0acebe58869fcd338923c6038fed363990

Download Submit
memory/996-63-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/996-182-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download