23cfe3d50bd573a0040268f12df96c8fab6e3dfe820db43506db4c14d8bdb4a6

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe
Size

188KB
MD5

2c9f7208b74155db9f9d05376ba5e8f9
SHA1

bf2129483f05afe0cee4e2d85b6de7292162ee1e
SHA256

23cfe3d50bd573a0040268f12df96c8fab6e3dfe820db43506db4c14d8bdb4a6
SHA512

37dc18729531c668fdbd93f639ac4a5908672839992d9ab5ef080bfe29d2a3fd4810ae9a3a3b7920da78ff559477566b70688f393cebdde1a1f291194db7ca8f
SSDEEP

3072:c9WVqr4KRwc0L/sLAnG7pGTST7TZwDRqN5FGpL0y8SKczV3vn+UJ:+Gc0LULMScTGPZznGH8Mx3/f

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3052	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4364	NOTEPAD.EXE
4068	SOUNDMAN.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2908	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 4364	2908	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe	85
PID 2908 wrote to memory of 4364	2908	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe	85
PID 2908 wrote to memory of 4364	2908	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe	85
PID 2908 wrote to memory of 4068	2908	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe	86
PID 2908 wrote to memory of 4068	2908	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe	86
PID 2908 wrote to memory of 4068	2908	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe	86
PID 2908 wrote to memory of 3052	2908	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe	87
PID 2908 wrote to memory of 3052	2908	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe	87
PID 2908 wrote to memory of 3052	2908	2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE
  "C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE"
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Users\Admin\Desktop\SOUNDMAN.EXE
  "C:\Users\Admin\Desktop\SOUNDMAN.EXE"
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\wlod.vbs"
  2⤵
  - Deletes itself
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
C:\Users\Admin\AppData\Local\wlod.vbs

Filesize
241B

MD5
689071b599db2bd3c0f9fecda1ce5751

SHA1
04d3dc8a0f1d562f97c9bc9be67cd38135a01524

SHA256
13d4b5dff4095b83f6a95d81967199207551bf9b35813fee12f38056a41b0c01

SHA512
edc9985da2361ab1a2fb787af4dd6c2f26f8a77234cde74bc350ebe01ed8ea9a087b05afe6305c67affd6328f9510a7178c3961a50d6f62398d9329e5b62038b

Download Submit
C:\Users\Admin\Desktop\SOUNDMAN.EXE

Filesize
76KB

MD5
ff86e640e4e0fd18cfb4696b38867222

SHA1
7e41bbe59d9efcc8c762cd730d76501fcc85119f

SHA256
2fa270825f351d9543cb185dd8253132eb5f09cd8abe3063c6e82daf04006a18

SHA512
ec7059fd3abad7318c607e65e0b7184590910c44bd06a01982a031e684f564ffcf020dd2c9d1572527920e8fc8fc18f0aacf6edc2d5baa94f7160da0b12c32b1

Download Submit