a63b2a30267f9f805e0f2bc8a4e0d678255f954feac6abd1d20b4cf6b66eb129

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe
Size

1.6MB
MD5

b51bbbf66d072c5e5f1a317470d22047
SHA1

678f95e2a0ff266c59a14f17d1598b964be9411e
SHA256

a63b2a30267f9f805e0f2bc8a4e0d678255f954feac6abd1d20b4cf6b66eb129
SHA512

43044574adface453e7280dd18bf2e7e3d3f5a7f675ad0577f9967779b95fe60dafca8b167992481d2c9c3fea148a8f64c96135729c81cbb7940e08bf7b8f629
SSDEEP

49152:OZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S98e:OGIjR1Oh0TT

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2576	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1568	b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe
1568	b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1568	b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe
1568	b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe
1568	b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 3388	1568	b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe	87
PID 1568 wrote to memory of 3388	1568	b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe	87
PID 1568 wrote to memory of 3388	1568	b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe	87
PID 3388 wrote to memory of 2576	3388	cmd.exe	89
PID 3388 wrote to memory of 2576	3388	cmd.exe	89
PID 3388 wrote to memory of 2576	3388	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b51bbbf66d072c5e5f1a317470d22047_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\13922.bat" "C:\Users\Admin\AppData\Local\Temp\7A2C0A4B17964B16BE3F11EF133F6783\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13922.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A2C0A4B17964B16BE3F11EF133F6783\7A2C0A4B17964B16BE3F11EF133F6783_LogFile.txt

Filesize
2KB

MD5
13a1c40b292dee4209eb2b545482de73

SHA1
5a7a3d6ee3af2c6baabbe9ea1fa5638ea860bc03

SHA256
d13c539bf961f1716b3a477e934b602dc27730fd794047dc4be524cb52e199a5

SHA512
e0100b7414750d7c1fcc4be2e8c95ae81a0df93da0bb7cd8220a85dabb5dbeae10ceb24769260f1cbb53894a90015fe8e7191bd184e244c58edb5edb8a5529bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A2C0A4B17964B16BE3F11EF133F6783\7A2C0A4B17964B16BE3F11EF133F6783_LogFile.txt

Filesize
9KB

MD5
816f5753ac04efb8e2b0388d6699eca1

SHA1
05f80ddd7dbd53630ef6071107f7f34f2a31abb3

SHA256
f2dea7776c594f85fc81fc13eb4822edbbd84fd3f64b22f3192e344a76da6fc8

SHA512
e1100a748d9fc3adb4a0eb938e0d2c373f3af810d4766da3dfdcccdd70f70776941963eefa1669a61e1f1497de8d4463f6c8db1a56f30deff2cf736d643bef4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A2C0A4B17964B16BE3F11EF133F6783\7A2C0A4B17964B16BE3F11EF133F6783_LogFile.txt

Filesize
670B

MD5
2b8f1398c8b4bc381f2e92adac81b00b

SHA1
6f2a97b884ae81be003a5263d6ccf6cae1a16628

SHA256
c11d4fe62ac8b901bbdaaeff4dabc72496ab4714949fd606a71e5db08667058d

SHA512
c3522650accc0a952f9a6aaa341e48c1febd19255bb4a64f372d58fac23ff9f1459f715dd1c8f6202b841b6628b51225325fbe890eed36a19148b0c61dc65656

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A2C0A4B17964B16BE3F11EF133F6783\7A2C0A~1.TXT

Filesize
119KB

MD5
76eba2ac2075a764db8e06e4709ab072

SHA1
080e4d05178f4e876609e369fd376d59125bd18c

SHA256
82453cb9ad7432d17e3d162f7f25644964e81fc877cfc06d329851fec5a6e7e9

SHA512
388817353e146036dea5f059752e531dbd471edc1b70682bacc840a165788d1f3412a54b030d2afd23e297e838cdc9a3248d05fcae7f35ee669d9fc0118fbb63

Download Submit
memory/1568-63-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/1568-157-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download