a9004ce06f4dc61a66972a2082ffd7b63614dc7bcb2072e262accbf119da0fc1

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20d3c0daac0396f4e1d96b8550c17896_JaffaCakes118.exe
Size

32KB
MD5

20d3c0daac0396f4e1d96b8550c17896
SHA1

da86a9b13c6fd434e5195e2c1a7aa7a036a1d7e2
SHA256

a9004ce06f4dc61a66972a2082ffd7b63614dc7bcb2072e262accbf119da0fc1
SHA512

ee5be31dd1ef538bc0459fdfac7ff6c63e3af8f0a2dbc46e42d58407c79f469102c19cdda67e3c1a72054f065f4457c6bdda91c004862880f7fa9f27e1820c76
SSDEEP

384:lHNjOwJLA9FNW9ZpvMeRDL0yZLa3RlOKybtMkt4U8Vc9oCcqXlEl:lHNjOwpr90KXvPuUtdQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	20d3c0daac0396f4e1d96b8550c17896_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1140	TempServices.exe.exe
940	TempServices.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1280	940	WerFault.exe	82

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1192	20d3c0daac0396f4e1d96b8550c17896_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1140	1192	20d3c0daac0396f4e1d96b8550c17896_JaffaCakes118.exe	81
PID 1192 wrote to memory of 1140	1192	20d3c0daac0396f4e1d96b8550c17896_JaffaCakes118.exe	81
PID 1192 wrote to memory of 1140	1192	20d3c0daac0396f4e1d96b8550c17896_JaffaCakes118.exe	81
PID 1140 wrote to memory of 940	1140	TempServices.exe.exe	82
PID 1140 wrote to memory of 940	1140	TempServices.exe.exe	82
PID 1140 wrote to memory of 940	1140	TempServices.exe.exe	82

C:\Users\Admin\AppData\Local\Temp\20d3c0daac0396f4e1d96b8550c17896_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20d3c0daac0396f4e1d96b8550c17896_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\TempServices.exe.exe
  "C:\Users\Admin\AppData\Local\TempServices.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\TempServices.exe.exe
    StubPath
    3⤵
    - Executes dropped EXE
    PID:940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 456
      4⤵
      Program crash
      PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 940 -ip 940
1⤵
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempServices.exe.exe

Filesize
8KB

MD5
d9c2b44e52d92393f123bd4a81e01ffc

SHA1
711369b744207457b42cf2c58bd076d3f7f3da99

SHA256
fec0b1ae170aa92382867bdf8a5c8c93d6f4f93837d4c1b3077e469de555da82

SHA512
b3057334ea418a718401b2e3a8fd10c9887a313090cdca59238a55f309bdff1e29e25289c3f7277cd6871791755d8325715ceb50992ee8b827409309452040a1

Download Submit
memory/1140-11-0x0000000000400000-0x0000000000402200-memory.dmp

Filesize
8KB

Download