174e5ed0f4d62078d217dc695a3cefada5a5c9f20f49dc72b8385a9fbf19f4bd

Analysis

max time kernel
51s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe
Size

1.6MB
MD5

ad8996a547faf8c6fc181beb8f56f1d8
SHA1

8b97e2c6cd070654b586f283091964e1d8e18e93
SHA256

174e5ed0f4d62078d217dc695a3cefada5a5c9f20f49dc72b8385a9fbf19f4bd
SHA512

12c7c2215fcb53e3011b0c7a762d7c8ccc80dcdf3938fad00bb7e10eab00964a0399b7df6e10bfd66e90f9193871591e159f9477f1455dd7b369b98104c69270
SSDEEP

49152:/Zgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S92:/GIjR1Oh0TS

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1320	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3752	ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe
3752	ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3752	ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe
3752	ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe
3752	ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 2520	3752	ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe	87
PID 3752 wrote to memory of 2520	3752	ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe	87
PID 3752 wrote to memory of 2520	3752	ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe	87
PID 2520 wrote to memory of 1320	2520	cmd.exe	89
PID 2520 wrote to memory of 1320	2520	cmd.exe	89
PID 2520 wrote to memory of 1320	2520	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad8996a547faf8c6fc181beb8f56f1d8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3340.bat" "C:\Users\Admin\AppData\Local\Temp\ED686D1089274A35989C9B95ED77212B\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3340.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED686D1089274A35989C9B95ED77212B\ED686D1089274A35989C9B95ED77212B_LogFile.txt

Filesize
2KB

MD5
c7dbe33fb5c54449447caaf4233e9dff

SHA1
5d2f0ccdebd13bdabebc1996759e523af852dd65

SHA256
f3551c7b17e043ba43b6bf1017093a33fd19a6cda4d1dba04b74cba3d1444c7f

SHA512
2a4c7284c88a4ca85c52c931677234ade3c1ff821aa053070af22aa8ef8f47e1d753330ab89fac2b314c3baceb8ee54d7dc8533a6e2b589fd64b07d037b5a67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED686D1089274A35989C9B95ED77212B\ED686D1089274A35989C9B95ED77212B_LogFile.txt

Filesize
9KB

MD5
b34174bd2211fd51456bae877d203e94

SHA1
6c9615bb09c093e8f7646f42105a1d0a9fe2b92e

SHA256
398d2df7fddbc2028843975074f6fda1ca9d2fd0538859782373e49872529531

SHA512
d745223cc57e9e1fcb92cd5f049fe5080f7a0845275499c6fc200ca817e0afe62ab993a595326cce927df7fb550d0f80d63a6577863174ec1a406e4d8a76bdec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED686D1089274A35989C9B95ED77212B\ED686D1089274A35989C9B95ED77212B_LogFile.txt

Filesize
1KB

MD5
ffa32f16cc06dd3afea05f0a0a1a830f

SHA1
936e4c9ba71387e30826d21e3f883dcbe52ed322

SHA256
c9fff3655271d8a93a5322c67d23a2e32ce951a9e51ac47041718e3603603e34

SHA512
4be849fe9f9181642ea27915c38582e74bef0584f20855dffe64850d3444608989bee5c7685b14ed03714aa1e001d85ee2772588b3bf75ff1469100c60821626

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED686D1089274A35989C9B95ED77212B\ED686D~1.TXT

Filesize
120KB

MD5
4865aaa254a886e5c0122d9d4bf8689a

SHA1
d73ca40ecec254e3822a05472abbba4fe0200cd3

SHA256
8e2b3ac6ea38cd637325daf967f5ed2ba166ec85ed28c370da77c60d045a966e

SHA512
33d9cba20747f87d672a1133e029e1b8aa548ee74c7b5e1803ff9b2c5c62315bade5ddef47eac89a9a1e5f4c776a2a2f5bcceedd77a3538fdbc7599e75e658e0

Download Submit
memory/3752-63-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/3752-156-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download