812c0ef157c5d6a2560f3fb7ec60067dd19bbbf87dd811cf6a1d8a4afb223389

Analysis

max time kernel
133s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe
Size

1.6MB
MD5

6bde4c70d6c9fa329fc1c4d4ac753d30
SHA1

99cf1a2681ac37418acf61d9871a3a6b1ff1a11a
SHA256

812c0ef157c5d6a2560f3fb7ec60067dd19bbbf87dd811cf6a1d8a4afb223389
SHA512

57c1863b708c4d7dd1838a9fb1042217ba44e74257f984de3190f5223e08416573f5921044beb3c0bc117e581f665cb73c5c03bf68a4ba7b8dcb6940c9fc6f13
SSDEEP

49152:jZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9R:jGIjR1Oh0T1

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2888 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe

pid process

5048 6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe
5048 6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe

pid	process
2888	PING.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe

pid	process
5048	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe
5048	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe
5048	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 5048 wrote to memory of 1520	5048	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe	cmd.exe
PID 5048 wrote to memory of 1520	5048	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe	cmd.exe
PID 5048 wrote to memory of 1520	5048	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe	cmd.exe
PID 1520 wrote to memory of 2888	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 2888	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 2888	1520	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29195.bat" "C:\Users\Admin\AppData\Local\Temp\93FF30F86D6E412F90808B14D7AFBB7A\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29195.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\93FF30F86D6E412F90808B14D7AFBB7A\93FF30F86D6E412F90808B14D7AFBB7A_LogFile.txt

Filesize
10KB

MD5
e549c12fe9a46a3a3b435747b4ed5123

SHA1
fc46a5e379b0d6c4fb37566c03b6f28e3cdf83a5

SHA256
bc2adbf6e8e6deac29c36ea6e4163ac26ecbab109fb6745be7519a8ff58330ce

SHA512
8ff9a8ffbab99c71f503ee851b661f3ce716d38834b7ecf116504947fe1942f7bd68e2b6685e0530596c20033e2134c12e8e4c8a85958afcc2532bfe77891fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\93FF30F86D6E412F90808B14D7AFBB7A\93FF30F86D6E412F90808B14D7AFBB7A_LogFile.txt

Filesize
2KB

MD5
5bd3f0d22577dbdd83e0ab924e7f3b32

SHA1
fb3064f9f4788fcf4702e873710181daa99d03af

SHA256
8a042873c5d606b7a777a2771ae889ee904d15633056b8e71967952679990bc2

SHA512
e97651a7f81889ccc5806d2167b28f570f8cd3ebeae7d70888e2a22bdea735c2d4f7e2d814cf1dea31ab203995e2cdba07a7d27650c9ffde34053b927261224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\93FF30F86D6E412F90808B14D7AFBB7A\93FF30~1.TXT

Filesize
106KB

MD5
de19cbab02712b065eea759da3399622

SHA1
3a06d76161b0c714648bf71a835ffa633df58201

SHA256
b0764c687d3cb5058a810a250967429c6205aef7f11da268cbb8a163427e8349

SHA512
02468b02e0ef071c0521268cf5e56918d9dba1882bfbb41ad571af4776b88faa90753fa3520cad646ad4641967efea6fcbd934eb42163d44fde9da6fa22fa6f5

Download Submit
memory/5048-63-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/5048-185-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download