172837de9749710f5731aee2a074ff8a226941a5d8045bc5ba0da6b0029641e9

Analysis

max time kernel
94s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe
Size

170KB
MD5

3215ae07e2707593e0a6dbbffb9ea8bd
SHA1

284cb68fbbc7581da5374be786fc46984d277a57
SHA256

172837de9749710f5731aee2a074ff8a226941a5d8045bc5ba0da6b0029641e9
SHA512

5f8e190f2b50a973dc63a12d74c11c8653749c9455be180c1123c582fbe45c364b3b999b125db1d7554387acfe497caeeec2574429fc43ef79e5b56d4446dcda
SSDEEP

3072:YvGzplq+FnqHDbl0Wdmg1+43M0KhJXZiD33N33pNpRRRRe/raZe/aq7Jm:YaG+Us0KH033N33vpRRRRwmZe/awA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1836	notes.exe

Loads dropped DLL 3 IoCs

pid	Process
1836	notes.exe
1836	notes.exe
4512	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\seapi.dll	notes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3192	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 3192	1440	3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe	84
PID 1440 wrote to memory of 3192	1440	3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe	84
PID 1440 wrote to memory of 3192	1440	3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe	84
PID 1440 wrote to memory of 1836	1440	3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe	85
PID 1440 wrote to memory of 1836	1440	3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe	85
PID 1440 wrote to memory of 1836	1440	3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe	85
PID 1836 wrote to memory of 4512	1836	notes.exe	86
PID 1836 wrote to memory of 4512	1836	notes.exe	86
PID 1836 wrote to memory of 4512	1836	notes.exe	86

C:\Users\Admin\AppData\Local\Temp\3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3215ae07e2707593e0a6dbbffb9ea8bd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\messages.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3192
- C:\Users\Admin\AppData\Local\Temp\notes.exe
  "C:\Users\Admin\AppData\Local\Temp\notes.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\\seapi.dll"
    3⤵
    - Loads dropped DLL
    PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\messages.txt

Filesize
7KB

MD5
221329c5d6a65a0e15bea46b863ac95d

SHA1
279010e995a2f3f91188d8b7b7d5bde7be0d0107

SHA256
8a2bb861c15307e60075ae22a73fdf648c66e70722bee962527cadbbe9ce4c5d

SHA512
f7de7b3cc8d0c55bc4692bff1577e766fa5600494c06829ef56f28a5d40d8d1dc1c29edcc47af7959b436b0b875c3f2dfcc4f96402d1678f2ecdc8c27899b042

Download Submit
C:\Users\Admin\AppData\Local\Temp\notes.exe

Filesize
100KB

MD5
ab045ac73440c9c2f8b04fffc8b9e11c

SHA1
ec3aa78d8c573d655aae2c1726b7f5131e046cf7

SHA256
e7f0ae8ec70601795c029d1d09111dfe041f3fc890156e189b2ef785791208e5

SHA512
845ccd2ee1e26cc18b5cc3d0dec8bf2d8754c5340321fd4f94453e7e8e250af20c103ed564b1c8e92f75d65de08dd47625de0b226ab8217b786531a32e84253b

Download Submit
C:\Windows\SysWOW64\seapi.dll

Filesize
60KB

MD5
318ab6c59f9ac505a038cd6ce2e2cea9

SHA1
2a931e7ece9ac7625dafd013b585ac1ec3b3c6c2

SHA256
c1e5b63357b9a3d889e978db637b46bfb4a7348e88667ef67d1f143066aa278b

SHA512
a7f2d96dfd5b3f9fe1bbe4a6ae0cf509c47f9423d32fa1f8a82bfca06458b7c77f37adc910d8ee3c8f7303ce2f5fa2f90b3807bcf881ad30279b0b7dff87dd68

Download Submit
memory/1440-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1440-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download