5561e38e23520ee0e034c9ecd94fcf73eed03216a1b458c118704515941528dc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe
Size

1.1MB
MD5

181366d1498ac747f07f0bb05122f209
SHA1

803f6a776f4171ddf425e85c52204c04e1d7ae5b
SHA256

5561e38e23520ee0e034c9ecd94fcf73eed03216a1b458c118704515941528dc
SHA512

7cb1a9e64119bdb389dc57dc69379ffeb3398e07920d5598ffe9ade59a7951d44ad8920b83396cdc0ed8682f853f2243393866f9581f86da7008887b04353039
SSDEEP

6144:BZu9i2ZPJWxEgSgKyHbSkGhO9i2ZPJWxEgSgKyHbSkGhXb9i2ZPJWxEgSgKyHbSr:TEeDSUSkeDSUSXxeDSUS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2512	BFile1.exe
2116	BFile2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4320	2512	WerFault.exe	85

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2512	1200	181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe	85
PID 1200 wrote to memory of 2512	1200	181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe	85
PID 1200 wrote to memory of 2512	1200	181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe	85
PID 1200 wrote to memory of 2116	1200	181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe	86
PID 1200 wrote to memory of 2116	1200	181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\BFile1.exe
  "C:\Users\Admin\AppData\Local\Temp\BFile1.exe"
  2⤵
  - Executes dropped EXE
  PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 488
    3⤵
    - Program crash
    PID:4320
- C:\Users\Admin\AppData\Local\Temp\BFile2.exe
  "C:\Users\Admin\AppData\Local\Temp\BFile2.exe"
  2⤵
  - Executes dropped EXE
  PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2512 -ip 2512
1⤵
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BFile1.exe

Filesize
7KB

MD5
d999da3bbc30e21d4c86c6c5b6dc7826

SHA1
95d67e5a5b7bcb386f6ba197e5c708f9fe6d67b3

SHA256
fd1f9e684b72262cf964f5d1d8961103d8f35a6c4f4e8c4588f26d7c51ee89f2

SHA512
38ca2df0ebd05128368c09a374085086a1c3894e03a9a947a8ffa0d82766e70acb8ec3fbf807ca34d8b2568595cefa1d72cf7a823d92f0cbd509263b46fe5cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFile2.exe

Filesize
1.1MB

MD5
0ec934b0c3fa5ae5725c143cc40d6662

SHA1
e6c8d009d77e833d5fba614d18235bb1d4d48e48

SHA256
e7350e1b83ce8b46848ad91cd4479c34c032a64b5c5b9ecfa471419a3c70780a

SHA512
1597d62331fc8649b42a2e04123b540f8182c702f14c71c84cb4ae9346649e33502af02505f5d4a2e1c58156dbd53afa9a3b33347e667fc411a2c692e02eefc1

Download Submit
memory/1200-10-0x00007FFD8DE80000-0x00007FFD8E821000-memory.dmp

Filesize
9.6MB

Download
memory/1200-2-0x00007FFD8DE80000-0x00007FFD8E821000-memory.dmp

Filesize
9.6MB

Download
memory/1200-4-0x000000001C320000-0x000000001C3BC000-memory.dmp

Filesize
624KB

Download
memory/1200-5-0x00007FFD8DE80000-0x00007FFD8E821000-memory.dmp

Filesize
9.6MB

Download
memory/1200-6-0x00000000011F0000-0x00000000011F8000-memory.dmp

Filesize
32KB

Download
memory/1200-7-0x000000001C480000-0x000000001C4CC000-memory.dmp

Filesize
304KB

Download
memory/1200-0-0x00007FFD8E135000-0x00007FFD8E136000-memory.dmp

Filesize
4KB

Download
memory/1200-3-0x000000001BD60000-0x000000001C22E000-memory.dmp

Filesize
4.8MB

Download
memory/1200-1-0x000000001B7E0000-0x000000001B886000-memory.dmp

Filesize
664KB

Download
memory/1200-30-0x00007FFD8DE80000-0x00007FFD8E821000-memory.dmp

Filesize
9.6MB

Download
memory/2116-29-0x00007FFD8DE80000-0x00007FFD8E821000-memory.dmp

Filesize
9.6MB

Download
memory/2116-31-0x00007FFD8DE80000-0x00007FFD8E821000-memory.dmp

Filesize
9.6MB

Download
memory/2116-32-0x00007FFD8DE80000-0x00007FFD8E821000-memory.dmp

Filesize
9.6MB

Download
memory/2116-34-0x00007FFD8DE80000-0x00007FFD8E821000-memory.dmp

Filesize
9.6MB

Download
memory/2512-33-0x0000000000400000-0x0000000000401E00-memory.dmp

Filesize
7KB

Download