0e4236cdaf1bb3240aae3113ebf0dfc235cb59b80141e442a85add5ded908e07

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f7dd5ca7af4a7b7354bc21b67e910f0_JaffaCakes118.exe
Size

51KB
MD5

0f7dd5ca7af4a7b7354bc21b67e910f0
SHA1

8d43534f6c0d65044a7f7c6688d71ea397542bb2
SHA256

0e4236cdaf1bb3240aae3113ebf0dfc235cb59b80141e442a85add5ded908e07
SHA512

0a66bd5cef74ed27da6e607a586a34add742afd453416f71f9d3e04da2080b7ed1c81b50886a15b3447b54f90ae8dd65d62b8f92ca67e358896169c666da253f
SSDEEP

768:EyW1yBtObv0U/xwPp0EoooiYECG2nZF5sZVcmxMbR:24Bobv7aB0EooYEC3rUVcY6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	0f7dd5ca7af4a7b7354bc21b67e910f0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3976	zbhnd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 3976	4840	0f7dd5ca7af4a7b7354bc21b67e910f0_JaffaCakes118.exe	83
PID 4840 wrote to memory of 3976	4840	0f7dd5ca7af4a7b7354bc21b67e910f0_JaffaCakes118.exe	83
PID 4840 wrote to memory of 3976	4840	0f7dd5ca7af4a7b7354bc21b67e910f0_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\0f7dd5ca7af4a7b7354bc21b67e910f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f7dd5ca7af4a7b7354bc21b67e910f0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
  "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
  2⤵
  - Executes dropped EXE
  PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
52KB

MD5
660881377e91d9b1cf5c624bc9a3b0cd

SHA1
84b3b4fd25d7813b1933f2b4d0e01f8114947f3a

SHA256
7dad2ad79dd7e4dd8d0bd91473e04c0dbeb2b3b4d4bed26851736f95e524e1ea

SHA512
bfb69be7f567bfc289f315a10ab27bbf3ed367da40f43ea09f7efc7aa670983bfa057b4eab4bd859c006a259559f5bc916f8a166df09383ea3fabd310d6882ea

Download Submit
memory/3976-15-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4840-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4840-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/4840-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download