448503a54b7884e050378fb717a3e5bf590c03c31693b6a773afe0e35e9fcc1c

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
Size

762KB
MD5

a2fc100d7e3f231238e49978dfc1b828
SHA1

362a9e6f6db68c3dbe7b56651e1c5f28a094ce64
SHA256

448503a54b7884e050378fb717a3e5bf590c03c31693b6a773afe0e35e9fcc1c
SHA512

da7a38843350966ae11e652c156f807d98b79b622bbc5f2c1bab1fa0a340415f43ed30123d0c8b5e55161fde23ab8c3bffbbf061f644ab649ed351a2038f4c26
SSDEEP

12288:AtobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnI:AtDltItNW7pjDlpt5XY/2TkXKza/29s

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3520	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3520	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
3520	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3520	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
3520	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
3520	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 3520	2504	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	81
PID 2504 wrote to memory of 3520	2504	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	81
PID 2504 wrote to memory of 3520	2504	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	81
PID 3520 wrote to memory of 4752	3520	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	88
PID 3520 wrote to memory of 4752	3520	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	88
PID 3520 wrote to memory of 4752	3520	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsj4FF7.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsj4FF7.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\329.bat" "C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\""
    3⤵
    PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$IE4Y6WS

Filesize
96B

MD5
ca6b6b792b26a2c1dbb943f8745263fe

SHA1
799a7a852c272a41c35f6682de86d074caf45ccd

SHA256
7aab3f2f35b155dbbf99a9cf503029c9c6171067fc4e040e6cb2d8242d622943

SHA512
b979cde0a54d7ad3021495a8faab7f1ba39ba873b948d66110ff1132bfc824f3d16b91ca59b556b5bd19cdc24d9cb6cacf00f30ef3c71c77c13102dc23e7df4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\329.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D5948954A468D344C4E535A5BFB_LogFile.txt

Filesize
1KB

MD5
dced3f8774dfcc826bd944430aef9071

SHA1
f72ade12a2e57e5c01caceb58de56fcbf7640fa9

SHA256
bd247889b6fd96ea7da00ad179e6fa838827b1d85678940bce4938a8dbbceb2b

SHA512
4f6d9ab285966a1eb7e0a60e084df3d0b2b114ff4c8fdfd77d07d279d095026755dfed761ae774b67d58fd90bd82c89114985e926638d57a82537318ca2195c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D5948954A468D344C4E535A5BFB_LogFile.txt

Filesize
3KB

MD5
b1813a3408e3ca0735e916b607a82e56

SHA1
fcd381ecbc12c031656d5d30494723debbe3f924

SHA256
7a4e7e1b282cf434a1ec621290c0be82454787ecb52360033d8d449f5e0e8ea6

SHA512
5e1d2ffdca915e8d584045fab5e35ce3ab417fe9f344487553e6fd54dc3b67a70e298414241725495fabf6445046a538e33dcc699a5365bcb80a773319918237

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D5948954A468D344C4E535A5BFB_LogFile.txt

Filesize
4KB

MD5
7e5ff05f06f4fa125edaa71366252251

SHA1
133c002508798c98257a089f8fe43483ecb054a3

SHA256
8c04008b48ede53cbeb500ab829629ca3f742fb25112c50565315439062b18f1

SHA512
8aaad242e343cad0e890c0a2e42b0518c74e52a8366318fd86e1ae9320b345e11f71a93ee03e495f2ff526f8a05021a03aad52cc548978a617be7b203cb03068

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D~1.TXT

Filesize
30KB

MD5
0cc809e220065aa72fb4119ec3350f24

SHA1
9d58efb3d439f6c9e47c252ccb368d6c289045cb

SHA256
0ba62c78e5c16e75c096979c0ca6175f5c17eab3d8491c58ca37f79098a3c836

SHA512
316330a13501cdefc4a108f2e9ac47429862e4119106028031da6dd78272bbd00e25c19e8e8f9a2e45b50d63aa1f1abad3bc58c379bc67bc60b7741a44ef0de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
memory/2504-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3520-73-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/3520-177-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download