0cc7214e35136865002b547e1e3e6b0f456599e66deb5d66a912cf11ea197777

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c403b52654cfb843473a6f89615d242_JaffaCakes118.exe
Size

60KB
MD5

0c403b52654cfb843473a6f89615d242
SHA1

e90e095df114765f34330cc8563a85788c1915e3
SHA256

0cc7214e35136865002b547e1e3e6b0f456599e66deb5d66a912cf11ea197777
SHA512

3b4fc3c4a708cfc34dcdeb88f8afa0e7da57be04110980f84ea69e40e5cd0dbb346abf56266c5bf88ea4c57a6d27cc68f45d1e6782010dacc1239a55322944da
SSDEEP

768:/RtPUjKVjl9xw3x6nz7vj1wrlPUV/2KAEH:/jUKJ3zzj1wBsQKrH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	0c403b52654cfb843473a6f89615d242_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0c403b52654cfb843473a6f89615d242_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	0c403b52654cfb843473a6f89615d242_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\server.exe:Zone.Identifier	0c403b52654cfb843473a6f89615d242_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4864	0c403b52654cfb843473a6f89615d242_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0c403b52654cfb843473a6f89615d242_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c403b52654cfb843473a6f89615d242_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
d1550b1f0181597e34d640cf7b85fdde

SHA1
c05209b6a418508575169551bc2d5821dd472fe1

SHA256
9e8716a41d7f155254e2667efb797c53a35b135da2dfd7160b032956bf2a4900

SHA512
ba0834f084d6268ca358e7d9b8e61b1622c92e632035de5359305d193f26d5aad32568bd0fd0fcd8a3fdda846d4a0c817cc227d9cf60a59fbc34039f133f95b3

Download Submit