bc5fe27278f38d0495faec1beb4be9cc43c120b414a229a97788199e06dc90fb

Analysis

max time kernel
133s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
Size

128KB
MD5

6bc7f14c5e19db79033f4bc04d2b85db
SHA1

5dacec32ea062d0296fc12344c7eead0145195ab
SHA256

bc5fe27278f38d0495faec1beb4be9cc43c120b414a229a97788199e06dc90fb
SHA512

09a6c5dbe1b781b4068be25fad28012871f15bd54e8b0e4cd042c41ce857eedbec96d6434aa79094933879cda6a1c2640f392786257083ab4303710351578bd8
SSDEEP

1536:6Mzna7wzM4jC05OaFE/wvsuYVZGB20O2f58:6GQsQaFEIvXYVZGB2n2f58

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2360	4892	WerFault.exe	104

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	312	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
Token: SeDebugPrivilege	4180	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
Token: SeDebugPrivilege	1844	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
Token: SeDebugPrivilege	1460	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
Token: SeDebugPrivilege	5076	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 1844	312	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	97
PID 312 wrote to memory of 1844	312	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	97
PID 312 wrote to memory of 1844	312	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	97
PID 312 wrote to memory of 4180	312	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	98
PID 312 wrote to memory of 4180	312	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	98
PID 312 wrote to memory of 4180	312	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	98
PID 1844 wrote to memory of 1460	1844	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	99
PID 1844 wrote to memory of 1460	1844	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	99
PID 1844 wrote to memory of 1460	1844	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	99
PID 1460 wrote to memory of 5076	1460	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	101
PID 1460 wrote to memory of 5076	1460	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	101
PID 1460 wrote to memory of 5076	1460	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	101
PID 5076 wrote to memory of 4892	5076	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	104
PID 5076 wrote to memory of 4892	5076	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	104
PID 5076 wrote to memory of 4892	5076	6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe	104

C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:312
- C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe"
        5⤵
        
        PID:4892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1096
        6⤵
        Program crash
        
        PID:2360
- C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4892 -ip 4892
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6bc7f14c5e19db79033f4bc04d2b85db_JaffaCakes118.exe.log

Filesize
1KB

MD5
10880773f535dadd6acfbe663394f4d3

SHA1
24b8aa4087d530b740016714ac60413be46ab4cb

SHA256
917e00b99d0b46fdc32f4e0878fbd4df5f3dffc2e7f75a37fd51dbc3a2e69cf0

SHA512
33c10bc835412ead340e2d900c36729915c8cf2578d90d806cd303e8ebb97ff8269439f02ebde5895fbfe836f62b49e9e6b3fee809620d50bd72db239656fad8

Download Submit
C:\Users\Admin\AppData\Local\Tech-on_Tech-off\6bc7f14c5e19db79033f4bc04_StrongName_pdghb5pyrzc4sac4tt2bqizymnit2ksn\0.12.2.0\user.config

Filesize
956B

MD5
ab40ec4fa0eafdda5a23c96ceebc55be

SHA1
c99c9fa288e3f0470a1a01bd4b7a4a80f58ed01d

SHA256
cfeea04a721fc9165651294c8d4ded19d6219d55bfb0b73f9ea9e18a8e553900

SHA512
3cec525871a556110c5319741c515a083a65e954a26e2f105f23dd3b520b4a8e9f2d4471e19ab5b37d733ec43b51b4bcdd1c9ca26603b350659f43f753c2a15b

Download Submit
C:\Users\Admin\AppData\Local\Tech-on_Tech-off\6bc7f14c5e19db79033f4bc04_StrongName_pdghb5pyrzc4sac4tt2bqizymnit2ksn\0.12.2.0\user.config

Filesize
1KB

MD5
d131fb6095266f1da36d5c864a3cb605

SHA1
46529e38b899a3b0b56c4e94ccc593bb18361789

SHA256
9ad2604a115c6f89941f0344460da8c7837e33f13d8a9156937879d2daff6616

SHA512
0de3cd165229631fd3f0f7f57754b76bbb657278d2936018ce7cff19933639a12fd9dfbfb6f25ff1699f9a511f69c1a3c78f607594cbd089e82ab5257b217e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Error.txt

Filesize
41KB

MD5
086238fe0ec060a1c5874c47ec55ea23

SHA1
c3bf77c56d3f482fb978ad40b1875094e1ac9fc3

SHA256
726d3d058a8df470451067d92067d3bc48d589cec5f4abf694bd291fe9612422

SHA512
a2c5eb796fff09b5680b4228d56312267b61bc3ad5b9789c05c8cf9a368f79209cad421c1e541b8dc81f33c9a53b695a7ebf6f21bd6edaad097392e0e25c61cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Error.txt

Filesize
53KB

MD5
399ba11d43fbb8eb1d0f8eff68d9eb20

SHA1
9486e23529387ce40d631873f7eb62e6758ae6a4

SHA256
35f7477697075ead32ae68221e876000afc0bb7ce6df10be2c21b6ab82cbda6c

SHA512
984a4dc80c4a0ddedc2cc7b636d948db8fd56eca332156132b4712376f5bac88016f41e588b2740202d0485e63de5bcb767444772a3a0d1c9fb7c7287f01ec2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Error.txt

Filesize
8KB

MD5
a92b7f637dd4cfb175b3160fa1d56254

SHA1
c32f4dd385beaa3824129651a1497399c76af255

SHA256
aaa61d7b9e1b2b51255545190e0df6c21175524d7d8aac45055a5d4e0cc815fa

SHA512
d17c463b2894eb09bb38dc1884278853158fd2d10e1453585e819134eeb322ebcb99ed45152f9369957a8a24add0dd2430abd989f373d5185d710fff959a5de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Error.txt

Filesize
18KB

MD5
190545d3907a61d3ec4c9a3b3c61a344

SHA1
134c26937a29e5baf643115521fa9ec884487013

SHA256
97386e826606f76d872ace702e9097d63f74af9e3ece113d64aeecfe86139147

SHA512
6c585b675018c33af2844584dcc51b678e9b3deb22f95b00b2296ec390f2400b6e0149aaf97ec0301fa177e8350ee8e5190c17bade63d167aa344b607e9ff22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Error.txt

Filesize
19KB

MD5
f140f0621b50a5f063a239c3274f4138

SHA1
8da0f3812a5651dee2edb53774ac546f567eefab

SHA256
67d97c3cc6c98beec9a6e1b36fd197ad0470f04d2fff2f3950711cedefe57490

SHA512
f1cf012f7cbc8af6e28bbc4eb2f82d513c7f24a81a1f409ef62af8c358fc3f1d142ad6958e792220bbd5685dffc6976cc57899a566b154f051fe8f145cceedd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Error.txt

Filesize
30KB

MD5
c5cd32155ef532fc98be82dc3102b8f5

SHA1
ce661721c0dca877cc7bbafff0cbc22699e197c6

SHA256
14031a599b996ed56cf6a24985dbff06175fd70c23506435988b098b3eaa047e

SHA512
a0e6831a55520f9b2641e82eed3a85c2ea8b6e620c74a77f84f1d6439da0aad5dda9969e656b021fc7d5d383b4e2d30ced718ceabcac475986aec7ca53243d6d

Download Submit
memory/312-14-0x0000000008400000-0x0000000008754000-memory.dmp

Filesize
3.3MB

Download
memory/312-12-0x00000000063B0000-0x0000000006536000-memory.dmp

Filesize
1.5MB

Download
memory/312-9-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/312-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/312-7-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

Filesize
40KB

Download
memory/312-39-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/312-6-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/312-3-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/312-2-0x0000000005330000-0x00000000058D4000-memory.dmp

Filesize
5.6MB

Download
memory/312-1-0x0000000000420000-0x0000000000446000-memory.dmp

Filesize
152KB

Download
memory/1844-31-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-56-0x0000000008810000-0x0000000008B64000-memory.dmp

Filesize
3.3MB

Download
memory/1844-80-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-40-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4180-45-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4180-44-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4180-35-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download