aea377d46329bf15cb26702e69b2c892740a1e1f1bd6656a9cb15e04f85c5dd5

Analysis

max time kernel
92s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
Size

1.6MB
MD5

8b66691a3a6c87d11d4964c8fd32b90b
SHA1

49816c72fab22b7a4b6ca59247fea2a9f528689e
SHA256

aea377d46329bf15cb26702e69b2c892740a1e1f1bd6656a9cb15e04f85c5dd5
SHA512

6a4cede2217072daaf1a0a0a5945346c2fa5ccf576da7d3879f1263995e1e8a39d5cac7fc54fcf3fecef93a507f8715648158afc86dafdc4e7da8bd4db3abba6
SSDEEP

49152:HZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9R:HGIjR1Oh0Td

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3996	8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
3996	8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3996	8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
3996	8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
3996	8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 748	3996	8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe	94
PID 3996 wrote to memory of 748	3996	8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe	94
PID 3996 wrote to memory of 748	3996	8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\13450.bat" "C:\Users\Admin\AppData\Local\Temp\EA1C1A96DACE4F91813271A97934ADF4\""
  2⤵
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13450.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA1C1A96DACE4F91813271A97934ADF4\EA1C1A96DACE4F91813271A97934ADF4_LogFile.txt

Filesize
2KB

MD5
6846e46c3323c54a2e943acbc17385bc

SHA1
4d84a2553a592453cdc6e20f3e397c75b02530e3

SHA256
fddf5eb4a01f7c41128d8bb4de661a5d011e11dee3572539475a44106d0a1106

SHA512
25c095b9e7120b0b8de90aa6d7053b2aff88b566d85f04ae440aef7ccccf64f97a201cdc74debc0e381a275eb73f1c0bbb5ab560dddc2d1555600132890b6eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA1C1A96DACE4F91813271A97934ADF4\EA1C1A96DACE4F91813271A97934ADF4_LogFile.txt

Filesize
10KB

MD5
09d18b2db49391770b1e69b838b2ece2

SHA1
d85b753a8d8cc5350bbd997a592eb6a68e610fe2

SHA256
25b653da0add452f8ff90e6258fc61bed90d3e6228f72f67371040bae2b79890

SHA512
c863293633287462b0b9fde1a272f4d658a5f56517485d054469e4779df90af348bb1c147110b52c80cf8bf6141003f8dfe8949d2a856dd21c6739b2decf3cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA1C1A96DACE4F91813271A97934ADF4\EA1C1A96DACE4F91813271A97934ADF4_LogFile.txt

Filesize
2KB

MD5
70c17ba2d24e2773e3321345512b2435

SHA1
7dd55c658f0bd8855c707d2a06c32e5101adb59c

SHA256
779392726ba73ee33ba97c6dff51d214bbac5552fd24c468119c4adf52cb0ff5

SHA512
8ab1bbe2d35eecbd8e0c3abfe641350b90366b6fb58b47f58730a895eb53d8336d712b3524184562532cd230fafa3b864d3caeba5a4f1d2569908738576e29e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA1C1A96DACE4F91813271A97934ADF4\EA1C1A~1.TXT

Filesize
102KB

MD5
6d2001bd712f9bc8f836899c9b5f8b6a

SHA1
2758a150778997ebf7cca268664b0a532dd0cb32

SHA256
ae11dc8e3208ec7e81f2cd86bb288f34062ebcdce2cd3e28227d2660e25218dd

SHA512
04c422aeea74c8c6c6f486e61797973570ce94cf7ac6397a6b9352ebf26103a401272a37a8674e202c848c6dea5a3f7290e38231f3c991d6b7e674fdd05bd3f4

Download Submit
memory/3996-63-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/3996-182-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download