461483fafdb9c48dee3b902d6f36b239fce68026abe11a01eca6314e9584e334

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe
Size

127KB
MD5

2b68837db9de8dc4868b847fe774be21
SHA1

5b267c68d86cb57646a9c765add756cb65ca643d
SHA256

461483fafdb9c48dee3b902d6f36b239fce68026abe11a01eca6314e9584e334
SHA512

733899d7f0278b9611daa3b41f2b4ebaffcb7d7a185e5b28ff4c7e9ae345a36957feb57323a8b3927166dec997febc46c97adb19f7496b9296312ab0645549b2
SSDEEP

3072:tWIVzl1GSJLLpgmGj8g5ZQXMmwI+QXMmwI2m:gIVzl3LumGGMazMa2m

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
32	DelCF66.tmp

Executes dropped EXE 1 IoCs

pid	Process
32	DelCF66.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4644	4316	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	82
PID 4316 wrote to memory of 4644	4316	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	82
PID 4316 wrote to memory of 4644	4316	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	82
PID 4644 wrote to memory of 4184	4644	cmd.exe	86
PID 4644 wrote to memory of 4184	4644	cmd.exe	86
PID 4644 wrote to memory of 4184	4644	cmd.exe	86
PID 4316 wrote to memory of 32	4316	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	88
PID 4316 wrote to memory of 32	4316	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	88
PID 4316 wrote to memory of 32	4316	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	88
PID 32 wrote to memory of 2156	32	DelCF66.tmp	89
PID 32 wrote to memory of 2156	32	DelCF66.tmp	89
PID 32 wrote to memory of 2156	32	DelCF66.tmp	89
PID 2156 wrote to memory of 3180	2156	cmd.exe	91
PID 2156 wrote to memory of 3180	2156	cmd.exe	91
PID 2156 wrote to memory of 3180	2156	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c a.vbs
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
    3⤵
    PID:4184
- C:\Users\Admin\AppData\Local\Temp\DelCF66.tmp
  C:\Users\Admin\AppData\Local\Temp\DelCF66.tmp 256 "C:\Users\Admin\AppData\Local\Temp\2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c a.vbs
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
      4⤵
      PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelCF66.tmp

Filesize
127KB

MD5
2b68837db9de8dc4868b847fe774be21

SHA1
5b267c68d86cb57646a9c765add756cb65ca643d

SHA256
461483fafdb9c48dee3b902d6f36b239fce68026abe11a01eca6314e9584e334

SHA512
733899d7f0278b9611daa3b41f2b4ebaffcb7d7a185e5b28ff4c7e9ae345a36957feb57323a8b3927166dec997febc46c97adb19f7496b9296312ab0645549b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.vbs

Filesize
22KB

MD5
0a4899d7995aeb9b8263f62dcae31c0c

SHA1
d4f5dc941ffa15b07e73097d6dccd87ddfef2e22

SHA256
ce532ed99a85758250b49e3b422654068ac384b8c4951b8f2df97402e191a617

SHA512
ac3a445d8970b691fc9756a89ee590e6449dcd53334bf47c4fc4eb4f0445e767d0271e4cad43a4a286eb320709b63f381d4cd2c938ed5de8786fc0379478b4c5

Download Submit