af25c48450d230b9ceddf91f075010b3906a260f56b1eb8184352b045ba5e361

Analysis

max time kernel
13s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 11:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe
Size

268KB
MD5

225145089ca646aed9df2e68c36c75d9
SHA1

e0a65ad02ced069120afcd06690da5dc32da88e1
SHA256

af25c48450d230b9ceddf91f075010b3906a260f56b1eb8184352b045ba5e361
SHA512

fbfbe4353888532686f0bdb9d87f1aabf952f8db657b36a825242cede9cf834bb536824e0eeaa7ce889b9d96a2dc6488ab8aa6b5e7cc7511fa5855d02b6184ee
SSDEEP

3072:A3so3v+IA3xZI0eyuhDpY05aXUHSd9MNrrkdGEwS:A3RA3xZIPyipYburQdGEl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1800	rcryptor private.exe
4824	autoexec.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\autoexec.exe	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe
File opened for modification	C:\Windows\autoexec.exe	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe
File created	C:\Windows\rcryptor private.exe	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe
File opened for modification	C:\Windows\rcryptor private.exe	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 1800	3684	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe	81
PID 3684 wrote to memory of 1800	3684	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe	81
PID 3684 wrote to memory of 1800	3684	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe	81
PID 3684 wrote to memory of 4824	3684	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe	82
PID 3684 wrote to memory of 4824	3684	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe	82
PID 3684 wrote to memory of 4824	3684	225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\225145089ca646aed9df2e68c36c75d9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\rcryptor private.exe
  "C:\Windows\rcryptor private.exe"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\autoexec.exe
  "C:\Windows\autoexec.exe"
  2⤵
  - Executes dropped EXE
  PID:4824

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

91.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.90.14.23.in-addr.arpa

IN PTR

Response

91.90.14.23.in-addr.arpa

IN PTR

a23-14-90-91deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

91.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

91.90.14.23.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\autoexec.exe

Filesize
21KB

MD5
ceeb60688138550754183e51597fdbaf

SHA1
bd6a181be27091fbffdc777ef0eb25e0dbf12228

SHA256
318a59e15a43867107e94ee32d64ee40b1034e90869796bf0b4d436b57d74f38

SHA512
2d4c08c461c70ecdbf97d9ef0a2bf9e62ac87554bc167829cb762f499839070c8c74e50d89d77774e91997a9179a013f5a0ea3551a656e9af56f02cab406d3ef

Download Submit
C:\Windows\rcryptor private.exe

Filesize
216KB

MD5
e88d9b2d61b77616fdbee3775913afaf

SHA1
6682c1ebdd3b6f844a38f57e69477d894a81b101

SHA256
21a5112e15b3ef0f0caf5f9cdb2ea05ad9e35b72c7ecb9b5522aab5856fb7a60

SHA512
169a24f774ae1ebd6420ee0a794f55c0231aed0996a1579f46f714c6bdb0a72c6d66c8af8a2dba976bd3e04f80ac0bb52cf3eeef64ad28660511f33e3abdb83a

Download Submit
memory/3684-17-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.