000425161a16853dc612ba9d628079e35f6ef5dd01cf267f378055a0eadd8b85

Analysis

max time kernel
129s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b052d292c153c0b7d963a2ed79aa811_JaffaCakes118.exe
Size

835KB
MD5

1b052d292c153c0b7d963a2ed79aa811
SHA1

4ba36e72247e4c4c406ca33375cf48ea3b4d9b4f
SHA256

000425161a16853dc612ba9d628079e35f6ef5dd01cf267f378055a0eadd8b85
SHA512

dc78d8fa48ec7cc18600a9f9c124e24f369c81e47bb5181ef6c2f1cb039d44a986d4cec2147d5f400c9f5a1c6dbaef9674c68b5c07df657c0cb9e658db7723a0
SSDEEP

12288:ZqUeYMR8QMWBb4AYaQ7CphMiqsmyyAzGVMjB4b9ASonC0bpMqZ0QgB6JxE:Zg/8GhYrWwbyyx+jBg9zonC0ttZKBkE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	1b052d292c153c0b7d963a2ed79aa811_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1956	SetupDB.exe

Loads dropped DLL 1 IoCs

pid	Process
1956	SetupDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	SetupDB.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1956	4884	1b052d292c153c0b7d963a2ed79aa811_JaffaCakes118.exe	85
PID 4884 wrote to memory of 1956	4884	1b052d292c153c0b7d963a2ed79aa811_JaffaCakes118.exe	85
PID 4884 wrote to memory of 1956	4884	1b052d292c153c0b7d963a2ed79aa811_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\1b052d292c153c0b7d963a2ed79aa811_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b052d292c153c0b7d963a2ed79aa811_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\SetupDB.exe
  "C:\Users\Admin\AppData\Local\Temp\SetupDB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB.txt

Filesize
8KB

MD5
0c394e5a98655a3a57394cce31fe2121

SHA1
5c43a5128019344b22c75a95e4baa7ed14fae61c

SHA256
1e6616c057549cde40de41b1c97084ff8f7ceef5a080c6ef28be241a097ba2a3

SHA512
0eda103628b1bf713ac4c6b275e433fee9146e6652acd0020788715b4d147e150e8665043e6c14010e82840d02bafdbff4479dbbfb241afaed35940d1002ddbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVBVM60.DLL

Filesize
1.3MB

MD5
351bc7471a9874acacf7d386fa8be227

SHA1
ce82d1ccf593088d09694ef90e44c4ea2761be92

SHA256
20cbf8835f6fd3878acacbb7868f7b95a7aae6c2c9d5d0a926337ed31378fa7a

SHA512
650efe6986a8e4dadd5fe8f95812052e047421c728fb61eafaa4512b12a41bab074171a9e7ab56d37c34fe284491d5cd4d60931a004d40115ced80c4cb56bbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupDB.exe

Filesize
84KB

MD5
2740a36997bbab0e92658a2f136dea02

SHA1
4009ab8533c6f60151fcb320f94de872842cb924

SHA256
08194334c5bd08699858f53999c7f110470c0c7807b77e1e5c494cc85dfc9c5d

SHA512
664ce467050a042d076f6ec6ebc321b4ed42576d5aaa8ba6739ecb87da92929fb99d848725a9396d374a47783b5455d9cecbc4025a3e416b06c8de3553714a1c

Download Submit
memory/4884-20-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download