c31650defbf54a8a58a71ecd7b630020eb02f5785de0eec8a269116b912c33ee

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 13:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30822ffa866982059225e21a381936ad_JaffaCakes118.exe
Size

15KB
MD5

30822ffa866982059225e21a381936ad
SHA1

c6830ef86180220b2fb8f0e1a3ba22e0b68aecdc
SHA256

c31650defbf54a8a58a71ecd7b630020eb02f5785de0eec8a269116b912c33ee
SHA512

7e3f8c0a9db9a0ec4746deb257ecf8748771d912ca48149810b5578a257329a48225a07397acf5fca14b6114f3f6c663f45badb00a139335ce9efc5c729e36c8
SSDEEP

384:CWwmWLVbv/9SwTvaNmGOuYc6bc1BntnwIO96TD1:kTFv/N1pc6bYNtwIO9mD1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	30822ffa866982059225e21a381936ad_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1048	3508	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 3308	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	84
PID 3508 wrote to memory of 3308	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	84
PID 3508 wrote to memory of 3308	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	84
PID 3508 wrote to memory of 5028	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	87
PID 3508 wrote to memory of 5028	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	87
PID 3508 wrote to memory of 5028	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	87
PID 3508 wrote to memory of 2332	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	89
PID 3508 wrote to memory of 2332	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	89
PID 3508 wrote to memory of 2332	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	89
PID 3508 wrote to memory of 1436	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	91
PID 3508 wrote to memory of 1436	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	91
PID 3508 wrote to memory of 1436	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	91
PID 3508 wrote to memory of 3320	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	93
PID 3508 wrote to memory of 3320	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	93
PID 3508 wrote to memory of 3320	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	93
PID 3508 wrote to memory of 2136	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	95
PID 3508 wrote to memory of 2136	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	95
PID 3508 wrote to memory of 2136	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	95
PID 3508 wrote to memory of 1044	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	97
PID 3508 wrote to memory of 1044	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	97
PID 3508 wrote to memory of 1044	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	97
PID 3508 wrote to memory of 4160	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	99
PID 3508 wrote to memory of 4160	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	99
PID 3508 wrote to memory of 4160	3508	30822ffa866982059225e21a381936ad_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\30822ffa866982059225e21a381936ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30822ffa866982059225e21a381936ad_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\packet.dll /e /p everyone:f
  2⤵
  PID:3308
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\pthreadVC.dll /e /p everyone:f
  2⤵
  PID:5028
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  PID:2332
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  PID:1436
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\npptools.dll /e /p everyone:f
  2⤵
  PID:3320
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\drivers\acpidisk.sys /e /p everyone:f
  2⤵
  PID:2136
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\windows\system32\wanpacket.dll /e /p everyone:f
  2⤵
  PID:1044
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" c:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
  2⤵
  PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1308
  2⤵
  - Program crash
  PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3508 -ip 3508
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3508-0-0x0000000013140000-0x0000000013150000-memory.dmp

Filesize
64KB

Download
memory/3508-1-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3508-2-0x0000000013140000-0x0000000013150000-memory.dmp

Filesize
64KB

Download