4d46e581b79b26dada9734336c957bd6e6ad3e216db81b3d513beb8589294e7d

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
Size

794KB
MD5

36e75bcdd349e9aac5f525644a31f1d3
SHA1

b8f360578b1efe23437f38b46734b354eb2d11d6
SHA256

4d46e581b79b26dada9734336c957bd6e6ad3e216db81b3d513beb8589294e7d
SHA512

a325dc4e399d3b24522a0a2750e763d846c5a4260b45e93921a9912a0964276e9c779a5388356fed5201c4db8dc91ad09a1312419370d323d47b342019c5ded9
SSDEEP

12288:cGehnWS1CJ0bhX0iItc6c/9Z23iLH22qQ3QZlg0:cxEGC4ps8FZ23ucQ3QE0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3496	CRYPTED.EXE
3160	Y!BEEP.EXE
3608	CRYPTED.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CRYPTED.EXE	36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Y!BEEP.EXE	36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CRYPTED.exe	CRYPTED.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3496 set thread context of 3608	3496	CRYPTED.EXE	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3832	3608	WerFault.exe	86

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3496	CRYPTED.EXE
3160	Y!BEEP.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 3496	2476	36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe	84
PID 2476 wrote to memory of 3496	2476	36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe	84
PID 2476 wrote to memory of 3496	2476	36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe	84
PID 2476 wrote to memory of 3160	2476	36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe	85
PID 2476 wrote to memory of 3160	2476	36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe	85
PID 2476 wrote to memory of 3160	2476	36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe	85
PID 3496 wrote to memory of 3608	3496	CRYPTED.EXE	86
PID 3496 wrote to memory of 3608	3496	CRYPTED.EXE	86
PID 3496 wrote to memory of 3608	3496	CRYPTED.EXE	86
PID 3496 wrote to memory of 3608	3496	CRYPTED.EXE	86
PID 3496 wrote to memory of 3608	3496	CRYPTED.EXE	86
PID 3496 wrote to memory of 3608	3496	CRYPTED.EXE	86
PID 3496 wrote to memory of 3608	3496	CRYPTED.EXE	86
PID 3496 wrote to memory of 3608	3496	CRYPTED.EXE	86
PID 3496 wrote to memory of 3608	3496	CRYPTED.EXE	86
PID 3496 wrote to memory of 3608	3496	CRYPTED.EXE	86

C:\Users\Admin\AppData\Local\Temp\36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\CRYPTED.EXE
  "C:\Windows\system32\CRYPTED.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\CRYPTED.exe
    3⤵
    - Executes dropped EXE
    PID:3608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 228
      4⤵
      Program crash
      PID:3832
- C:\Windows\SysWOW64\Y!BEEP.EXE
  "C:\Windows\system32\Y!BEEP.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 3608
1⤵
PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CRYPTED.EXE

Filesize
155KB

MD5
849e5da7bbe21eae56d87e387c7541e9

SHA1
ae8fab54d2fc19a7716465cbfc90806a26e66e8e

SHA256
598ee7b1d6d4ffaba6ef3df8d9c47b812667fcdb47feb5a0e877d68ff2109d84

SHA512
7625c35a24e6d3bfde3f6ab04136feccc6adc241e4254e47ff6bbf63a46d03e100a8868d2c3b8b562e8e5b958bcf88846eefe95b484a4d14eab9c3126422876d

Download Submit
C:\Windows\SysWOW64\Y!BEEP.EXE

Filesize
280KB

MD5
7b90ce2a72663280e6f25dd5b3ac0462

SHA1
f05f170d68f248ee0add768dd6b93d03b20892cd

SHA256
9de6f625705a523609ac020ff9848805065d81eda5445f9880e60dd4126bfc44

SHA512
b7aba0a1072c800206f7d5a769cdd28f893f63be1f67815b2fc13a5aaa459e9a48828004d7c4470bb000cda2185c8466911dda1d55066d27193f99baab7f13b9

Download Submit
memory/2476-0-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2476-23-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3608-34-0x0000000000400000-0x000000000040E76C-memory.dmp

Filesize
57KB

Download
memory/3608-33-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3608-31-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3608-32-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3608-28-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download