61b97e9e723e86c92b4dadd99394963d49089919bc2deb056907b74837f098fd

Analysis

max time kernel
145s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe
Size

734KB
MD5

05e4a3f1426092bb38bd1fe4caff6e5e
SHA1

8d9effcc9b6cca53318d292b679b5278f24fe21d
SHA256

61b97e9e723e86c92b4dadd99394963d49089919bc2deb056907b74837f098fd
SHA512

a8c23db4f0b7829cf753407d3ac67a0052734f4a3bf7721bdc0c4afae22dec73a3308684812d4ef6cf174f104b9a4dfda647ef97335986ccb05139dc223fce0a
SSDEEP

12288:caekfW9UumdR1c+1SbpqDJ8TCqK3S8ILUytT32OD/91l8AnBjfJr5qbwNauP2hW4:c62UumVcbklh4w232Oh1uAnt15qnuP2z

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AutoUpdate.exe

Executes dropped EXE 1 IoCs

pid	Process
3436	AutoUpdate.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3948-0-0x0000000000400000-0x00000000009AB000-memory.dmp	upx
behavioral2/memory/3948-12-0x0000000000400000-0x00000000009AB000-memory.dmp	upx
behavioral2/memory/1932-15-0x0000000000400000-0x00000000009AB000-memory.dmp	upx
behavioral2/memory/1932-16-0x0000000000400000-0x00000000009AB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3436	AutoUpdate.exe
3436	AutoUpdate.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3948	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe
3948	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe
1932	05E4A3~1.EXE
1932	05E4A3~1.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3436	3948	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe	85
PID 3948 wrote to memory of 3436	3948	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe	85
PID 3948 wrote to memory of 3436	3948	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe	85
PID 3436 wrote to memory of 1932	3436	AutoUpdate.exe	87
PID 3436 wrote to memory of 1932	3436	AutoUpdate.exe	87
PID 3436 wrote to memory of 1932	3436	AutoUpdate.exe	87

C:\Users\Admin\AppData\Local\Temp\05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe" http://lookpcik.com:90/serverlist.txt C:\Users\Admin\AppData\Local\Temp\05E4A3~1.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\05E4A3~1.EXE
    "C:\Users\Admin\AppData\Local\Temp\05E4A3~1.EXE" mudum
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe

Filesize
1.0MB

MD5
ca999433f282a93a69ed38f68d1f170f

SHA1
d3388ca18f0a64867912465a84771cccb6622ea4

SHA256
ca3df853d83d23c03d347388e237cf0579e7984e7280459a1784d25ed7eb3962

SHA512
a28215d61358635ae8e3750c0cc5314f19febd7d60ed27666d02522a7a568f36f368c292098ed56b701e438a820c5a308709ad87cabe1334a7061dd95034d92c

Download Submit
memory/1932-15-0x0000000000400000-0x00000000009AB000-memory.dmp

Filesize
5.7MB

Download
memory/1932-16-0x0000000000400000-0x00000000009AB000-memory.dmp

Filesize
5.7MB

Download
memory/3436-10-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/3436-13-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/3436-14-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/3948-0-0x0000000000400000-0x00000000009AB000-memory.dmp

Filesize
5.7MB

Download
memory/3948-1-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3948-12-0x0000000000400000-0x00000000009AB000-memory.dmp

Filesize
5.7MB

Download