9e0eecfc5fefd5ecdc5cc205a1585fe30c5d9bac455c981d03b57c965e31fa9f

Analysis

max time kernel
148s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe
Size

45KB
MD5

30e881a3988e3f38f58698b2f9bb96c4
SHA1

380da287773281f36517ab501ae195fb0cb28587
SHA256

9e0eecfc5fefd5ecdc5cc205a1585fe30c5d9bac455c981d03b57c965e31fa9f
SHA512

d7b8631ea383de0f9be86ea17b13ba5c2331f7c7586c818ae42518a8124eeb39e20f7074d01eef7df289db787572efed6c5c4c638d45d51a26d6fe13dc7ecc77
SSDEEP

768:bclMNYiKC+qzfevpe4sQ72uKcopRaQP0xxXllllllllllllllllllllllllllll/:jR+MevpkCXx2vuyfC9dhheenh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JMicron.lnk	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe

Runs net.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1924	2732	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	84
PID 2732 wrote to memory of 1924	2732	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	84
PID 2732 wrote to memory of 1924	2732	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	84
PID 2732 wrote to memory of 2264	2732	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	87
PID 2732 wrote to memory of 2264	2732	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	87
PID 2732 wrote to memory of 2264	2732	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	87
PID 1924 wrote to memory of 1188	1924	cmd.exe	88
PID 1924 wrote to memory of 1188	1924	cmd.exe	88
PID 1924 wrote to memory of 1188	1924	cmd.exe	88
PID 1188 wrote to memory of 1688	1188	net.exe	89
PID 1188 wrote to memory of 1688	1188	net.exe	89
PID 1188 wrote to memory of 1688	1188	net.exe	89

C:\Users\Admin\AppData\Local\Temp\30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c NET STOP wscsvc && NET STOP sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\net.exe
    NET STOP wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP wscsvc
      4⤵
      PID:1688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ofvid.vbs"
  2⤵
  - Drops startup file
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6r6sl

Filesize
34KB

MD5
ee42f37edc1baf81dabaf9a8c33c4b80

SHA1
06737e3966892c6472e2a0e97ae7f2c284397326

SHA256
65d2bbd26f221b0035118dd2bebfbab7ec1430f5bed0cdfd40d663193f1d45df

SHA512
cbf551a14ddf02ee6139f06135e170a08149e0b51f1a2e07bf8fd30afd74a42f6db1e9e5bfd24c35a45391bd4d232e3a684da825bcb8025c609ff213d225ef39

Download Submit
C:\Users\Admin\AppData\Local\Temp\aallc.bat

Filesize
1KB

MD5
a851d4efeeb3bba0bc1475245a0ba270

SHA1
864a74fab0616bf478288d190d5332fcd5a5a3d6

SHA256
0e7d010f68fa9de713dabfcfb8596817c222ff4743fcf7e90c0b4b1669a32ec4

SHA512
17e3baef4c41700eb203e59ebb402b78f82e2f79540ed992fd26fb84a655b87ab30f99db75dfbe4c62213f145dc72cacc69635c2ead6ab5551a6908c2303a2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofvid.vbs

Filesize
1KB

MD5
5fa2315007154d5d2365c8b87eeb92f2

SHA1
88433a113dfce5c9b41afc17386d1e082f9e748d

SHA256
75cb0d108b53240e1b8b34cfd107e67a6606f372f424caafc2d3fc65a30fe184

SHA512
77a928af180f0c0279ccf36e75dfcc2df1077d3ffb560989bfac3e5bd414265279d9f762f7fa0a1b8f1d86efd3d1c1b7076d15cde99efe82fb2dba1c9048d325

Download Submit
memory/2732-1-0x0000000002190000-0x000000000219F000-memory.dmp

Filesize
60KB

Download
memory/2732-0-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download
memory/2732-2-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2732-199-0x0000000002190000-0x000000000219F000-memory.dmp

Filesize
60KB

Download
memory/2732-200-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download