856be80198034f9fabda3f15e7c17e5bb51fa95b38e5d62f448e4ae59cd6d21c

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
Size

779KB
MD5

b7dc69e343603e99dee4ed51ce39fce7
SHA1

6a5bb8768f434bf3bdbd679ae05377932671de89
SHA256

856be80198034f9fabda3f15e7c17e5bb51fa95b38e5d62f448e4ae59cd6d21c
SHA512

c21212f9d8d389b2fe9acedd726ec4c6a3bbd37414e84ac297a7e36462e17e83404670623d2e913d901247c16e1c7a38b21d6987810e97a3f422237c99b40b93
SSDEEP

24576:WteurdvnsolYQpuMX14GZdvfAe8xDDgHB5LcmrKBD:WVVsJQd1V4N9DY5Lu

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
724	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
724	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
724	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
724	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
724	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
724	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 724	2900	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	83
PID 2900 wrote to memory of 724	2900	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	83
PID 2900 wrote to memory of 724	2900	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	83
PID 724 wrote to memory of 2812	724	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	89
PID 724 wrote to memory of 2812	724	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	89
PID 724 wrote to memory of 2812	724	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\nsl49FB.tmp\internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsl49FB.tmp\internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsl49FB.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsl49FB.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9868.bat" "C:\Users\Admin\AppData\Local\Temp\B2926B65C79A4F879D033A7AF4747AD0\""
    3⤵
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\$IKH7MW9

Filesize
98B

MD5
1a39e4f25cee60d39d82736cdfa469d1

SHA1
a4dbf9f0ccce1b333b6e9ce878463087594af12d

SHA256
d1d29b12d998d6a45908c4f982fcc78dcb431a90b35e23a4a93c1b090090fb19

SHA512
6ed6a80dc52835e7da5f9610176c971f23b689eef7021cd7fd47a7b10bfa6fa171e227e6246b8a322dfff3c993a6855f245916efb8cf9c8a789ea919c1194ed1

Download Submit
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\$IQ5WEQP

Filesize
96B

MD5
e5aa2b4306c9fe8fd8ab53fc28024759

SHA1
49af70127d5fbd0815b486e6c0af41ea2cdf8e30

SHA256
4753c9081c649b235861a8aaf66080c2ba311c047fa4f834bdd72bfed3c94930

SHA512
a053203be9441d775abfc8eceb01c334a0ff6864de71ea91b3ce63b15a779e51d195ac58ff82ce9baf4dcb8736c9efe175538c08204792a952be4dd6d1a47e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9868.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2926B65C79A4F879D033A7AF4747AD0\B2926B65C79A4F879D033A7AF4747AD0_LogFile.txt

Filesize
1KB

MD5
3968eef216fa52352e87d2700bcd3884

SHA1
665dd72a9a2a2fd753d8f96755c5e310f6ce39cc

SHA256
c94aaf46884e86928203cb3ca1ad5934cbe6687edeb493742fc54544a59231d1

SHA512
7bbcc9a99b9b92ab9ae77adebaa5674a0443a2197e277bebbca7836a5258d367ba1739feb668cd41183e754c7e9ae209c828bc0b55b9d48d35932cfe99f379ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2926B65C79A4F879D033A7AF4747AD0\B2926B65C79A4F879D033A7AF4747AD0_LogFile.txt

Filesize
2KB

MD5
831d28f6ad2fd8b8b7a1ed282fe001e3

SHA1
4f222dd884cc8b85a06e82211dc1cc7d44169707

SHA256
b8f65db461c8706ab39fe57948f6b02f39d93e222f8a1888e28c0adcfcaf9126

SHA512
ecc14663f4effa171b181f154b5e5137d4eacf5cf6bf1b665be4b28d44f2f022902d9cf8a4a758de411da44cee06a98dafcad697175ac6f6dd23d28051bb6951

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2926B65C79A4F879D033A7AF4747AD0\B2926B65C79A4F879D033A7AF4747AD0_LogFile.txt

Filesize
4KB

MD5
744f67ee6bc5d6c485703e04209ee800

SHA1
9145decf24141c5761018bcbafb03bb98eaabeb9

SHA256
160be68825d2faa137c1c7efefd4996e531a82045ac86a32cb19d2b255e826cd

SHA512
59d1001402bb9e60fb2c9fd2365881fb2fd4b20be14336a5a9bb5b0be388f256edaaf993fbeb1267b3d243625f4a22000d580b1db783578c7d0751faa3a42416

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2926B65C79A4F879D033A7AF4747AD0\B2926B65C79A4F879D033A7AF4747AD0_LogFile.txt

Filesize
4KB

MD5
b074c8be6c6b07021724b525e8b445b1

SHA1
c54ad412a0ff7111b8f34a40693c14b2e616f72c

SHA256
f9e2d01b2f1abbf62ca29d3522b08116ac85b1dfb99a067dbe8316793b135bb1

SHA512
855e51ffa9660b641fe2fe440e128b246f2dd87ef21719343881cf82e2c9f73f5bf0291a05d5289a5581819db01a70f9e0b67fe067e4b78d3a965fa0aab8f75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2926B65C79A4F879D033A7AF4747AD0\B2926B~1.TXT

Filesize
30KB

MD5
ef7537b3a15c88c603064a8c3673e0fe

SHA1
4bde20c89e11a2648c6673dd9c70c321b2467d74

SHA256
3ab70c7659d0a06313ca682c86be48f8e320d10583f4204bd279d0237bbb82f1

SHA512
2da7e81c78c5a99a54715d0d9b0a50278896a9a8a66f7468f57abfafe679d0f629baa341ef753d618117bc6107a9c2a58e889831e4be3ef2fc2699161f653d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl49FB.tmp\internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe

Filesize
1.7MB

MD5
c4ca24ec91ced69fc98fac6fba21dc88

SHA1
b84f3a1ceef89673e31e0be210eb33d865d60659

SHA256
c690bea2115b2a16e23c845785772d14fdb978d32cb22bbbce83f53673eda821

SHA512
5783d1b8599d472039e9afca35590f76fe8930c73af4fa35fb796e819ca6d7219bd7ba1a0a6bcf3e8d76e9d873a078d74857a2318f8bbc3eca34c051a9ca4d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl49FB.tmp\internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118_icon.ico

Filesize
17KB

MD5
f0b938585d688a56c81a92e16cfcd2fa

SHA1
881e13bfe686092d4ab913698c54a0eca97e8f95

SHA256
f4150b295a647b311d6a63fe7aa39aba115c157050808b0eae149137c4dee316

SHA512
af7b2efde139798c118a34d0ec53475d79048ed966473cb18a64d552c9871411deda6de1e5abdadeec6b71f35099f013265fe3d51490adc55f51166bab8a2973

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl49FB.tmp\internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118_splash.png

Filesize
101KB

MD5
3cb90093892c6fb84a6b16345eec874f

SHA1
ed0f3e9caa22b01d65fa281f539b9a37f82fec3e

SHA256
cbf9cfa4d65f5988c336144ce0d8cba1187cddcecb5b623358c5b95f5d11f674

SHA512
2c0a95c768ab35edd6edc78f01247474bccee0b234a92d793c3b04f160abc3ecd833b0c99065b7619f8e2dcc2dfea540d222c4da66d6030c9d547a91799ae605

Download Submit
memory/724-176-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/724-73-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/2900-118-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2900-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download