d4a8311cdc485a13a898cc7612dbd642f7f861bb84355cb5112699f4344bc5fb

Analysis

max time kernel
142s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ec971fb5ddb216f1106e9d972f9f146_JaffaCakes118.exe
Size

3.1MB
MD5

2ec971fb5ddb216f1106e9d972f9f146
SHA1

6d50d14553f3478a64742704e09141fe6330e93a
SHA256

d4a8311cdc485a13a898cc7612dbd642f7f861bb84355cb5112699f4344bc5fb
SHA512

48530503035b7e17024be9c8c193081219bea812bf27855a7553f9877f65677d7b51a0aad1dea44d342214918d918a246d7f326dc26a20890ffe57fcac4698fe
SSDEEP

49152:5JC0Pp+d1GUMXHgJqqgMvo214v6t5u0abj6UKXOTxM5WSlr+zgLoC25YGPWU:+0EFMQkqD1vu0Oj6UK+sVssLqlL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	2ec971fb5ddb216f1106e9d972f9f146_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4304	CloudEx.exe
4956	CloudEx.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 4304	1768	2ec971fb5ddb216f1106e9d972f9f146_JaffaCakes118.exe	92
PID 1768 wrote to memory of 4304	1768	2ec971fb5ddb216f1106e9d972f9f146_JaffaCakes118.exe	92
PID 1768 wrote to memory of 4304	1768	2ec971fb5ddb216f1106e9d972f9f146_JaffaCakes118.exe	92
PID 4304 wrote to memory of 4956	4304	CloudEx.exe	93
PID 4304 wrote to memory of 4956	4304	CloudEx.exe	93
PID 4304 wrote to memory of 4956	4304	CloudEx.exe	93

C:\Users\Admin\AppData\Local\Temp\2ec971fb5ddb216f1106e9d972f9f146_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ec971fb5ddb216f1106e9d972f9f146_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\CloudEx.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CloudEx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\is-3UEJP.tmp\CloudEx.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3UEJP.tmp\CloudEx.tmp" /SL5="$802DC,2879210,53248,C:\Users\Admin\AppData\Local\Temp\RarSFX0\CloudEx.exe"
    3⤵
    - Executes dropped EXE
    PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4204,i,7252135083366563450,1411796122645726339,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
1⤵
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CloudEx.exe

Filesize
3.0MB

MD5
1e922f3db61b16c399a83439e42ba5fe

SHA1
29da733ef38483300d10c109fcc05374cd03c368

SHA256
89c6179336228807aaa5542fc9eeda1deb868036467e2290b6a4452a1f1e5b35

SHA512
7bc864c4cf9da8e072e933d066325e1b911183ec9a25f94f8f8e8cb4ba1922d96544347cf78c413967f395ae62ab356151c1e9475f656059945c08e8e98ee99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3UEJP.tmp\CloudEx.tmp

Filesize
671KB

MD5
acec08a952e0b9a24afe1f95bb335e11

SHA1
edd75d5928d96c0eddae2fc88bc52787357acc46

SHA256
52976fc5d14c217b0b50f4c95e81cd82494430035d15bbcd586303f6b5f63b44

SHA512
93b3a2964857e0cb3ef4425a33279b16f7a914d1ce585406141f81680ce9a469f41c4199cfc3acaf0246a4d978dcbf22bfa68978217054c9b04b93b8280716a7

Download Submit
memory/1768-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4304-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4304-14-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4304-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4956-24-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4956-27-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download