fe1c668778bd019e7d884cb9feb60996267856d8769ff6475ef0de191e0b07db

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 14:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe
Size

1.6MB
MD5

8ac58c8c0ab6d90701622ac74a4d60dd
SHA1

258a407d3edc2c1310c142acb0c647c3a911a5c3
SHA256

fe1c668778bd019e7d884cb9feb60996267856d8769ff6475ef0de191e0b07db
SHA512

6d7d85db173b7c05a20f55d4afff3c482265b30196ec34becc0197941e3b5f19df4f69f447c852e4a001afd103d42e97797856650a708d8445fe088052432f2c
SSDEEP

49152:rZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S93:rGIjR1Oh0Tb

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3432	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1192	8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe
1192	8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1192	8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe
1192	8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe
1192	8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2488	1192	8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe	93
PID 1192 wrote to memory of 2488	1192	8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe	93
PID 1192 wrote to memory of 2488	1192	8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe	93
PID 2488 wrote to memory of 3432	2488	cmd.exe	95
PID 2488 wrote to memory of 3432	2488	cmd.exe	95
PID 2488 wrote to memory of 3432	2488	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ac58c8c0ab6d90701622ac74a4d60dd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\14601.bat" "C:\Users\Admin\AppData\Local\Temp\6A0FE892B42F4F2AA099DDD27C3EDB4B\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14601.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A0FE892B42F4F2AA099DDD27C3EDB4B\6A0FE892B42F4F2AA099DDD27C3EDB4B_LogFile.txt

Filesize
9KB

MD5
bdf83157ec367a8471e7f5c50d85bc4c

SHA1
e15dcef77fe8540faaa1ea46c05d8a1f10bcd689

SHA256
6f1a4485412db35ea577c680af276431afecfd852dfa84c2c4f95cd8372032ad

SHA512
c97f0f8e3ed98d7e1fbe6eb4e31b25d68877a952ae375e5270ab571472fcea5b1552faf122ac90c9d88b1b3d4914e679fbeb435250d4ebab6bb67f9a04120e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A0FE892B42F4F2AA099DDD27C3EDB4B\6A0FE892B42F4F2AA099DDD27C3EDB4B_LogFile.txt

Filesize
2KB

MD5
009bab48ebfd723ac72eae4c6a6f1fb4

SHA1
a85bfbe4e9d1e49a7842e00c392a3b94cd2e1b7c

SHA256
c583b91bc7b360df097c4d05354fc3705cdde425cab966c4464053d537738312

SHA512
c66ef50378afb77ce5453a270949ce76e3cc7e3c44042158e7d1ed3121db328e11630f875f43297b2374a6e3d5c9e3b574efa54954b51b67bbf4a9d59b2b59ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A0FE892B42F4F2AA099DDD27C3EDB4B\6A0FE8~1.TXT

Filesize
103KB

MD5
fb901af9b3ee0fe8a677da6cd4f7b4c1

SHA1
274fbb0461e9eb415341efc3c5984e8085bf6799

SHA256
f1b989c43d78fa0974f29c04e00aad2214e21c1af3f44e58e817cb6c55856791

SHA512
ed7cb8bd00f23b09f274ecec3885456e49833628e667ea5ca2c8f1eac0d3c0f74bb825f9aa2d264f103bd9d455d33556b53ddb24ee79f72a54cc15e9c646791f

Download Submit
memory/1192-63-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/1192-183-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download