4cd5e9da03cf453504bd3d4f48dd4263b27176d9fd1c66492d69ac8547ac254b

Analysis

max time kernel
97s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4c463403e28d202d08d418caead6491_JaffaCakes118.exe
Size

762KB
MD5

b4c463403e28d202d08d418caead6491
SHA1

d5827a9d8081d7ebd908241d95a456192121a729
SHA256

4cd5e9da03cf453504bd3d4f48dd4263b27176d9fd1c66492d69ac8547ac254b
SHA512

68c0887aaadb9fb987dc16a9aa50cfda70611978f67ea8fe21e1e4dd14557416d74bf3420f422990f66f7d1db084beb96b5f467eb2f19d9416ec9149401a1268
SSDEEP

12288:YtobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnA:YtDltItNW7pjDlpt5XY/2TkXKza/298

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3664	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5028	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3664	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe
3664	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3664	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe
3664	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe
3664	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 3664	2460	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe	81
PID 2460 wrote to memory of 3664	2460	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe	81
PID 2460 wrote to memory of 3664	2460	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe	81
PID 3664 wrote to memory of 2312	3664	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe	86
PID 3664 wrote to memory of 2312	3664	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe	86
PID 3664 wrote to memory of 2312	3664	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe	86
PID 2312 wrote to memory of 5028	2312	cmd.exe	88
PID 2312 wrote to memory of 5028	2312	cmd.exe	88
PID 2312 wrote to memory of 5028	2312	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\b4c463403e28d202d08d418caead6491_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4c463403e28d202d08d418caead6491_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\nsq3B46.tmp\internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsq3B46.tmp\internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsq3B46.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/b4c463403e28d202d08d418caead6491_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsq3B46.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7774.bat" "C:\Users\Admin\AppData\Local\Temp\5CA034DDF1AE468DB816DA27402C2A48\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-200405930-3877336739-3533750831-1000\$I2Z5YOF

Filesize
98B

MD5
cb614f59689f95756f546971bef65d8a

SHA1
d7b903b738540d866af0f32ec7907f254e209dd3

SHA256
a5be04c4798c6a4efb3b2982651d0053439c7023d1e85a39592264154f2b13b8

SHA512
18474d3a8923196586124b50f8eff79fed4eb9570170375c0d9e2dbddf8d206661957cfdc75429ebfd2b02a0532aaf3ed6fc0bb8aec5c366693a07b47cf2e1c0

Download Submit
C:\$Recycle.Bin\S-1-5-21-200405930-3877336739-3533750831-1000\$ICLXC68

Filesize
96B

MD5
966865fb89f0c4acdd31e4c58984e53b

SHA1
2d4a44b252a125997129e2ddab70ac538626e1a5

SHA256
9f42e430d78aafe8ed45d6d76d286cc34fbb3134e0ac2c5b2362718d26820d41

SHA512
7cd098499e5660c49611d9a174c8bec291d32c8239df870e06a25fcedb285f3ed25c435571dd92e16ad3845a4ee0ef86d4929d21f3f2fe8d52b9aadf1706288d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CA034DDF1AE468DB816DA27402C2A48\5CA034DDF1AE468DB816DA27402C2A48_LogFile.txt

Filesize
2KB

MD5
0dc9ed4c3dc395f1918fe23b54a9fd01

SHA1
7747d7a1ce257b901481943276698dd51f843e91

SHA256
58e4157d3ebeba9aca17522f68f5a6607eb31097aa4cf9a900614ae251fcc92d

SHA512
64b6d266d43078e12aecc31d9f2d8a1043b2fbe31fc0d3454805613e32b1294c38eccfb948471dc6a736dabdd9ce252700fae8e2df158d9e86f8d8690662016e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CA034DDF1AE468DB816DA27402C2A48\5CA034DDF1AE468DB816DA27402C2A48_LogFile.txt

Filesize
3KB

MD5
469399241d44e4e795748dd9503e9cdc

SHA1
dd1184d6f73da5b735e789d2981f5c37a4fcb5bb

SHA256
5cca5929d8607d436e21c7024c5266e82c0ab159ed400af94138729acf63f44f

SHA512
081218f8ef5400b7e937dc72c1f22188500d9d05e6391d2c809dc50afc740d4533ee245c40bcd64425125b32c428829692e996fbd6b016220b434497948bddbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CA034DDF1AE468DB816DA27402C2A48\5CA034DDF1AE468DB816DA27402C2A48_LogFile.txt

Filesize
4KB

MD5
531b0f22f1f619c10390b83f1af2f406

SHA1
88f69ad749c8b0c9745fca7a320052ca272345ec

SHA256
ac4a01fd3ee35d2be7d63033207db3f105fa039c779417304725759183fdf54b

SHA512
57a52fdab24ef7e8aa6ee6775dcce08e2b2d3594d586665c6a1f62f76ad9b0352e63cd9a69b69fe745c30f13174d5ded560a243ec78cf52e7021f2fdeb700f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CA034DDF1AE468DB816DA27402C2A48\5CA034DDF1AE468DB816DA27402C2A48_LogFile.txt

Filesize
669B

MD5
0a6bf6ae4e80ca3e224bdecb0ded091e

SHA1
55d96e518b1105578b83fab52edcc2aab005e17f

SHA256
ce3066373f9a0f9401d09c300fc6f806429be06dfb5d537692af50463da6d37b

SHA512
4d160764bac9d9c00e7a928bdefcb6d731405b2007cbfe3a9c7e91fd45fb5acffd818b507ee27130f5e1b8c5c07930ac80c74047535f6fd3b330f3492f2dc417

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CA034DDF1AE468DB816DA27402C2A48\5CA034~1.TXT

Filesize
27KB

MD5
da86e9ed9fd34c8050dfd687b37c531b

SHA1
2b7e5cb0472609e569272597fe72704b6cecb28a

SHA256
1af1a328ae1f7404bace78fe7a066060e855dc7113e151a3c8525f88d1426f20

SHA512
fa5aaf16f1156950bfc6ffa585f4c03e6b61d8083e296ad95f26df1426ae6e4509f9320bc29ba909607e05ae816eb6a9cbfb4faeb1c1d82674d22e2f7cca769c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7774.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3B46.tmp\internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3B46.tmp\internalb4c463403e28d202d08d418caead6491_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3B46.tmp\internalb4c463403e28d202d08d418caead6491_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
memory/2460-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3664-73-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download
memory/3664-202-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download