cc6daba39fa9e34b712e570afb99effa25be8e0d4f8929b7824c039d689583b9

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 23:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

326bcd915baed363dd9ef26c23d1dd7a_JaffaCakes118.exe
Size

52KB
MD5

326bcd915baed363dd9ef26c23d1dd7a
SHA1

e8fa926967880d4d719a7423fc739c09d3daf667
SHA256

cc6daba39fa9e34b712e570afb99effa25be8e0d4f8929b7824c039d689583b9
SHA512

a01f9271a38de66c44e205c6f8467bc39353cad6788c11356233e083fdb32fcdabd5dbfb48765a3b8442005b99151d2ace27c611225bbe838f53438f109ef4a9
SSDEEP

384:OxgfE+5/smvg7PNd9UAxSSNWwnsoVvEU/79FkLT99uxfubqSwCtRaWhIZ2cI0eGQ:DEWZ8EOx4QMnvtRaWClF5R71YMSuOEKh

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\pcidump.txt	326bcd915baed363dd9ef26c23d1dd7a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.txt	326bcd915baed363dd9ef26c23d1dd7a_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	326bcd915baed363dd9ef26c23d1dd7a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 2776	4772	326bcd915baed363dd9ef26c23d1dd7a_JaffaCakes118.exe	80
PID 4772 wrote to memory of 2776	4772	326bcd915baed363dd9ef26c23d1dd7a_JaffaCakes118.exe	80
PID 4772 wrote to memory of 2776	4772	326bcd915baed363dd9ef26c23d1dd7a_JaffaCakes118.exe	80

C:\Users\Admin\AppData\Local\Temp\326bcd915baed363dd9ef26c23d1dd7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\326bcd915baed363dd9ef26c23d1dd7a_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsg.bat" "
  2⤵
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fsg.bat

Filesize
55B

MD5
3494943ded62289772eb4ffad9765057

SHA1
e307f4458c4c96df28e2960b8a12f5f098729d77

SHA256
6b4dd8956842f6cd4bb4ed52bd38ff63a81f1e1a0389927617437852cd109566

SHA512
eb601e4a520d8b1d305064cc77132a890f8b8000fafa32c14c1413e6b26f49605f7ee327b8233cb7294b83bd605ebf17f3d8eb06b28df103714802fde22fa9ab

Download Submit
C:\Windows\SysWOW64\drivers\pcidump.txt

Filesize
14KB

MD5
bc99a6285dd38d8ae884c10315ad9170

SHA1
ebcf1577fa362bca2dc38e874cb64bfccb2080a0

SHA256
92999e459e0ce69b62e1e8261e84bd90f5b6fb9bf1d96df4bd41b4768eb531d7

SHA512
6c58f6f2c911245841d64e12d6fc3fc6c5558f5c99e46409a3e7324af79b578ad374e73904bf6b80e0a0d95d18e3936e78e879348b714df6e09074183287dd82

Download Submit