826245a18d2ae0a7ecefbd4dcb092d791c4df814a20d4bf469afd5d53454289a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
Size

762KB
MD5

8836a52aa23cff25eecc6ec8a2dafb5f
SHA1

e0569db5a25ac6f312c650758ed878ced40ace0e
SHA256

826245a18d2ae0a7ecefbd4dcb092d791c4df814a20d4bf469afd5d53454289a
SHA512

53846fa3f7086f60b12071fff33a0582fb7a6372823d332e9815c1db60cf0054608d0f4a4067b49fa4dd9d89e912bfefa575ed1dc19e70d3e4c791b1f3fe9c9e
SSDEEP

12288:ctobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnc:ctDltItNW7pjDlpt5XY/2TkXKza/29Y

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3608	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3608	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
3608	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3608	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
3608	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
3608	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 3608	1320	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	83
PID 1320 wrote to memory of 3608	1320	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	83
PID 1320 wrote to memory of 3608	1320	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	83
PID 3608 wrote to memory of 5092	3608	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	97
PID 3608 wrote to memory of 5092	3608	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	97
PID 3608 wrote to memory of 5092	3608	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\nsx4095.tmp\internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsx4095.tmp\internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsx4095.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsx4095.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10759.bat" "C:\Users\Admin\AppData\Local\Temp\F0652E3A67B84DE48BE98A9994E03244\""
    3⤵
    PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\$I37HBQU

Filesize
98B

MD5
538f0e2cff4a87f6fdb720ac06c382a8

SHA1
51ad98ead2a09e0051aa11114105d094b29d09f5

SHA256
f2968cda13a100f4e6e671f9bfba58d5f8f28c647532e91398c0f6b590bd445a

SHA512
129d304bb7a5e4a6727df8a48297216c46125721e51c94a77429f447fc62527b7b595b011a93d82b493031dd5e5d2577b8ef8f9931bc1bf865bb9e11b1de218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10759.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0652E3A67B84DE48BE98A9994E03244\F0652E3A67B84DE48BE98A9994E03244_LogFile.txt

Filesize
2KB

MD5
92d7d28c0acf500a1aeb722271579fed

SHA1
20f53b47cc3813ffb69e980ddede683d93e164e3

SHA256
d1cad0d0526d10efbb016264a83ac31f3127d03f5cb20e8a2429344a80a06b79

SHA512
b501da0789e1db253840512e5d376fb17234944c0d837281f6414a8f06d6969b9a60cd7b527134ebe35878f7e289201eeec4437021997ba2f6d9c43e46a11609

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0652E3A67B84DE48BE98A9994E03244\F0652E3A67B84DE48BE98A9994E03244_LogFile.txt

Filesize
2KB

MD5
b7d3a756797bf708bb4413054428a355

SHA1
f8c8a743452e9095b36b6c5d54272f91ba1c9b8a

SHA256
f77a3dad8ef06092982f602124afaea3e1b16a8b5b4c206423e2ede3cb9cecb9

SHA512
4116d28c27c38c0394a0a035d1ef5930a2d59525cf7aab598ba9d044759d44388c3e5c568e5b80c423bbcab7b7fd56cbd367cf05f6835e46bcee558c036fb329

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0652E3A67B84DE48BE98A9994E03244\F0652E3A67B84DE48BE98A9994E03244_LogFile.txt

Filesize
3KB

MD5
f17378d1b0cfb31b6f7c0c6afdeb3ab9

SHA1
be0a8c62a5a288508c3268af2bfb9c80a9d3e816

SHA256
2cda5d940c859356097dcda8bf7fff5ef5c09aa97ae728411e004b50991ff0eb

SHA512
0333fbceda8ba6b48f8a047c4c3333476af16b66d003f5e17ff20d9392c0b3ad4592086bf4dc11167624c8a03cc98a2b312c82ca5517f6a196ef7bfd53815cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0652E3A67B84DE48BE98A9994E03244\F0652E3A67B84DE48BE98A9994E03244_LogFile.txt

Filesize
4KB

MD5
8c1fda8e9ec8ae41cd85e906cfb92a99

SHA1
fc4d3e1242a68ab66c88f1fd47915f92e011f02f

SHA256
206ca33d77256761cbf10627380510a5d0d5bd330cbaa8a76d7f2963ba908266

SHA512
efa0289b0ed61eac41f24a6489fbf33deb08de25d247bd2e78cf3cb67c20c71c098bb99a1fb9a978da120d7f614b07abcb59cec33e89a75c50a4fdf375a9fb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0652E3A67B84DE48BE98A9994E03244\F0652E~1.TXT

Filesize
27KB

MD5
f744db44c17b586788ed1bd9a1f3a88b

SHA1
c67353f855ab528720f6ab0f109874ac0b7541af

SHA256
2fef61f3ca1e1bc0a4fe56ecc7b81a6c27bc004be7e3b92b556ead890b19e98a

SHA512
88eae103fc84d71dfcdbc87316aabdddf7f089139e9b46bcc095ed29dfc3094c31c0732dd2122d1bc34028f56d4972e11dcfc2d26986c84d2927f8825b1553d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4095.tmp\internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4095.tmp\internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4095.tmp\internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
memory/1320-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1320-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3608-206-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/3608-71-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download