1ac7beaa0a06a5b69e1ccc706030ddd4d675248f5e54fa150849908e158e2111

Analysis

max time kernel
133s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16c1182bbf3efe14caa8452d67a6e313_JaffaCakes118.exe
Size

370KB
MD5

16c1182bbf3efe14caa8452d67a6e313
SHA1

6d5cc4018d63b374fc0b0000d9c5b622ae646a51
SHA256

1ac7beaa0a06a5b69e1ccc706030ddd4d675248f5e54fa150849908e158e2111
SHA512

f6796d9d1f0d317169256346216ebd107b537908e0af0890414d0d8e0aa6045790d310199e2cca631986aa6e6b14b63b8c523c8c257b483591a75c2d276b8e74
SSDEEP

6144:YWMU84YndcRsn2g8VcYXFQx66iPEXBPkubylI2oF7g4boZxnGPaFYMl+:DOdOsnBUcMZpPqtkuG+dbaFpFYC+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	16c1182bbf3efe14caa8452d67a6e313_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4560	2628	16c1182bbf3efe14caa8452d67a6e313_JaffaCakes118.exe	85
PID 2628 wrote to memory of 4560	2628	16c1182bbf3efe14caa8452d67a6e313_JaffaCakes118.exe	85
PID 2628 wrote to memory of 4560	2628	16c1182bbf3efe14caa8452d67a6e313_JaffaCakes118.exe	85
PID 2628 wrote to memory of 2808	2628	16c1182bbf3efe14caa8452d67a6e313_JaffaCakes118.exe	87
PID 2628 wrote to memory of 2808	2628	16c1182bbf3efe14caa8452d67a6e313_JaffaCakes118.exe	87
PID 2628 wrote to memory of 2808	2628	16c1182bbf3efe14caa8452d67a6e313_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\16c1182bbf3efe14caa8452d67a6e313_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16c1182bbf3efe14caa8452d67a6e313_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\KaspAVP3.exe"
  2⤵
  PID:4560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avp.bat" "
  2⤵
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avp.bat

Filesize
259B

MD5
18147a277fe6555e7fb6b39edb246796

SHA1
beb23a8a0c20405679573dce0efb811fdf9e4d41

SHA256
78a3bceeb63d7157b3434ac32d3650676c8298e0c97ec6caae66ca62698590e8

SHA512
c47144e0ce6b08c27da15163baecda4f620b5af42f538b894739ed3ef48ee92ef26ddfd16b6f580d2f1091a77d9466a00e1dc2978ada569fa9cd9d7a67a89745

Download Submit
memory/2628-0-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2628-4-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download