4936f629d967a3f1c3d0e166c23cb89459baf296e27901aa4c63f045451e5871

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe
Size

1.6MB
MD5

a64393b07e9530c7a20e413ab537b720
SHA1

df4a19620ae53978c87674776f058f4b4bcf7a11
SHA256

4936f629d967a3f1c3d0e166c23cb89459baf296e27901aa4c63f045451e5871
SHA512

d3462d57d912d9d74ff97bf98ae6ff5dd857f794190779cda6fb0b99793831136847c3af834c8c85fb098ec65cc1fe081074eaec7fdbc76abaf9b41cf60b738e
SSDEEP

49152:sZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S98:sGIjR1Oh0To

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3360	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4940	a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe
4940	a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4940	a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe
4940	a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe
4940	a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4920	4940	a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe	84
PID 4940 wrote to memory of 4920	4940	a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe	84
PID 4940 wrote to memory of 4920	4940	a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe	84
PID 4920 wrote to memory of 3360	4920	cmd.exe	86
PID 4920 wrote to memory of 3360	4920	cmd.exe	86
PID 4920 wrote to memory of 3360	4920	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a64393b07e9530c7a20e413ab537b720_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\21292.bat" "C:\Users\Admin\AppData\Local\Temp\38755F18AC0E4F6F843C6D9038696036\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21292.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\38755F18AC0E4F6F843C6D9038696036\38755F18AC0E4F6F843C6D9038696036_LogFile.txt

Filesize
2KB

MD5
e6f4cbcd94cb20a8c87d2b9d54675c71

SHA1
14a0f13b6f2701185e0dcb04c40c099b37074de9

SHA256
2eb4d16f15c40bf0d0802053a4f37318c07bdb2087dd40a89ff1f795864c2fb2

SHA512
6df9f910efe28c2dffee4894a2b7c4f6d7e01ebc0b50dbb256d564d744bf70e1bc93e6c7852d8941e6b7120b047c53123078a92a79808f5e8d85746dd9ccf7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\38755F18AC0E4F6F843C6D9038696036\38755F18AC0E4F6F843C6D9038696036_LogFile.txt

Filesize
9KB

MD5
e1f0234f44c697e924683191b1d6a621

SHA1
09a88b1ecf96f060a3f7f2828b13396cdb0cb3e5

SHA256
095712e1d0d83dfbbda0a0d1761f8a4c501299685c826fee1153ebb9199e5ac2

SHA512
9fe3fbbefb39036fb0ddbe86d6ca2d0df09de696a743c59eec57b091e599bde3e56dc71c6ab77fe8a404750bb1e1c0c767924454f11ca0fd507cf22918efb651

Download Submit
C:\Users\Admin\AppData\Local\Temp\38755F18AC0E4F6F843C6D9038696036\38755F18AC0E4F6F843C6D9038696036_LogFile.txt

Filesize
2KB

MD5
97368e935c895e3086cbdce7b6380506

SHA1
8f203c520fa8dcc6ec8ff5d8948aba549f9c7b22

SHA256
a6441b8b16b667a2caa0027e4e16f431b2f40d664f261cb3faa7b8bb891b0718

SHA512
17519cc7ecc4df3f61f79783118314a6a6c733f52ff1c20318b49fb2f24a4ee7325a8f2e1442fdc99a89f0de8430e87de189193fb3ecc1ef5e0b92507fbb2605

Download Submit
C:\Users\Admin\AppData\Local\Temp\38755F18AC0E4F6F843C6D9038696036\38755F~1.TXT

Filesize
101KB

MD5
25d4654a94157d4e8c4ee62a884473e5

SHA1
e60dfdc029e65c874ec8cc40894a47652993f5ff

SHA256
5f770a1e375360a87e434bfbab76779ecb6737c7ad42e09d420e837f604456bc

SHA512
c7c4f883103ef3d4d8b17e5a5786dd853adeb6f28f63485cc274d25d0a1455ef610a12ae31ef83f02711b2489291e8c6e1dc1780d396346769e0a22846e291ce

Download Submit
memory/4940-63-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/4940-182-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download