26d0e8ccceb0358465d5cc0cfa0f351e464a17aaa3137a3d333b4f8600e247f3

Analysis

max time kernel
95s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe
Size

370KB
MD5

3363b213b3cd64573f1ca3d6912b8162
SHA1

bce4e19f54527a4d74bcc7adcffd541e48703935
SHA256

26d0e8ccceb0358465d5cc0cfa0f351e464a17aaa3137a3d333b4f8600e247f3
SHA512

d2498e6719bf934a2f6d7668bee67cbae66515877d35ff1c75da2cb639edb2ff79f0105e89e7db8ce3518edb43e6ca606da1c1440fbb843b7c88369c34dbf3b1
SSDEEP

6144:b1dlZro5yhwHn4ZCJN0tXkZ1giG6FzTDYIXxu8nMRbSkqUmK54lcDHt1Pmj:b1dlZo5yOn0CJmCiWX8vbD54lkHLPmj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2200	2.exe
1896	2.exe
3732	facbook.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 1896	2200	2.exe	85
PID 2200 set thread context of 0	2200	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1896	2.exe
1896	2.exe
1896	2.exe
1896	2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2200	2.exe
3732	facbook.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 2200	676	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	84
PID 676 wrote to memory of 2200	676	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	84
PID 676 wrote to memory of 2200	676	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	84
PID 2200 wrote to memory of 1896	2200	2.exe	85
PID 2200 wrote to memory of 1896	2200	2.exe	85
PID 2200 wrote to memory of 1896	2200	2.exe	85
PID 2200 wrote to memory of 1896	2200	2.exe	85
PID 2200 wrote to memory of 1896	2200	2.exe	85
PID 2200 wrote to memory of 1896	2200	2.exe	85
PID 2200 wrote to memory of 1896	2200	2.exe	85
PID 2200 wrote to memory of 0	2200	2.exe
PID 2200 wrote to memory of 0	2200	2.exe
PID 2200 wrote to memory of 0	2200	2.exe
PID 2200 wrote to memory of 0	2200	2.exe
PID 676 wrote to memory of 3732	676	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	86
PID 676 wrote to memory of 3732	676	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	86
PID 676 wrote to memory of 3732	676	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	86
PID 1896 wrote to memory of 3520	1896	2.exe	56
PID 1896 wrote to memory of 3520	1896	2.exe	56
PID 1896 wrote to memory of 3520	1896	2.exe	56
PID 1896 wrote to memory of 3520	1896	2.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Extracted\2.exe
    "C:\Extracted\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Extracted\2.exe
      "C:\Extracted\2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1896
- - C:\Extracted\facbook.exe
    "C:\Extracted\facbook.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\2.exe

Filesize
254KB

MD5
2ba8112bdf9631c94a732d68f56e19a7

SHA1
10352286042525e5e9ef17acb1877a786d24072c

SHA256
6d68266f1e01e2cd8bfb9829a189a021bb1be04209736679f8a9dc888b8491ea

SHA512
ed907c3350c556cf8da2f2edf68cd74d34ad6f9c9845c71823d4129d37ad047a6524f09ff332675c7d01f1b8cac98985c2c7e10a4fc4f273d7233394cb813584

Download Submit
C:\Extracted\facbook.exe

Filesize
140KB

MD5
a1522ee24466eba458e487f6734133df

SHA1
94aa3c27b3f84d2c26ce63a28887eff30790aafa

SHA256
bd6cb6dc90c2d9b414caba8500cdea3185b26849a6b65bdf5b17bd7449dac0ec

SHA512
0705257bdc3224a01bdeaedcb149636d887d845ba6338488935d5841a8cdd0364082779739962359648401c5c767fae09639914a580d54ba526284ed8b60b563

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
207B

MD5
b204503b9198579f5b7546639c08215a

SHA1
ad2fe1bf742ae53ddb4167ebfd90aedf520878b4

SHA256
96511a3c040ee34a3068000f06fdf8f7481cde83c3538aabceb25a76b602266e

SHA512
7bf27f3e8c54724d80eb94bffa74dcaf06dcd7e185e408687532c670f34892521f9a0c35fe9258e4e0798ad75482448044420c285b3e7dfd904f4a382d57e6f4

Download Submit
memory/1896-73-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1896-72-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1896-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2200-48-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-67-0x0000000000401000-0x0000000000429000-memory.dmp

Filesize
160KB

Download
memory/2200-62-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-61-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-60-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-59-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-58-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-57-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-56-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-55-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2200-54-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-53-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-52-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-51-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-50-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-49-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-64-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2200-47-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-46-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-45-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-44-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-63-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2200-42-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-41-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-39-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-38-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-37-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-36-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-35-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-34-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-33-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-31-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-30-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-32-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-29-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-65-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2200-43-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-40-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2200-75-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2200-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3520-88-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download