1e05158668a8537df55bb75caedf595435ceb582584491970acb7b334977d053

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe
Size

48KB
MD5

34eb1ce08010fa937470b4e84959a7d3
SHA1

4f4993446c981e0701732fbe7ed4dcc13a5a70e4
SHA256

1e05158668a8537df55bb75caedf595435ceb582584491970acb7b334977d053
SHA512

df7122b597004bcac3f43cae7a7928310d82ad7b6f72c135a901a9b759f863780416aa551909861c1d1cc7868823d61328d7e3f13664986bd1e5353d9e864ef0
SSDEEP

768:Ixr+GXjJ+0tggudHCwMpIyh/am29ZMVNKT:CZjJ+0tgfdixpIyhym2n

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3244	opeDC37.exe
5080	opeDE3B.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234ec-14.dat	upx
behavioral2/memory/5080-20-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/5080-23-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4444	3244	WerFault.exe	84

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3244	1468	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	84
PID 1468 wrote to memory of 3244	1468	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	84
PID 1468 wrote to memory of 3244	1468	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	84
PID 1468 wrote to memory of 5080	1468	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	85
PID 1468 wrote to memory of 5080	1468	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	85
PID 1468 wrote to memory of 5080	1468	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\opeDC37.exe
  "C:\Users\Admin\AppData\Local\Temp\opeDC37.exe"
  2⤵
  - Executes dropped EXE
  PID:3244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 228
    3⤵
    - Program crash
    PID:4444
- C:\Users\Admin\AppData\Local\Temp\opeDE3B.exe
  "C:\Users\Admin\AppData\Local\Temp\opeDE3B.exe"
  2⤵
  - Executes dropped EXE
  PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3244 -ip 3244
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\opeDC37.exe

Filesize
23KB

MD5
7df2c9d287d9ba94273e88d44f51a67c

SHA1
3c530fa5b468700600c0688f2a36d4794e1509c1

SHA256
b411c05374553088ba0e679be80d226eb828e9c712c61ead398b6b61c4e1f17d

SHA512
95735aa6f829096e969e1feaf90c7bec63f77ad360297c4dc1b439b6282a911ad50077828a0d04546322ef48cf1658c5651f8600b296900db4ce37ef651cf92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\opeDE3B.exe

Filesize
9KB

MD5
d1cd032928c0821d383058dafe463040

SHA1
fa7700edc66980aa9c9aa2fc4b08a8eedc671f4f

SHA256
f004851ad5e9464f9cfbe57010e4b9650219edfd28431590f33e5e39d1f0a948

SHA512
299534734287dcb48714d7baebec769488ebd25aca73104c8b5391362865fd451b10f74e02918f95693032dfc0b40e332e9ec60b83cb94b7b2ff7cb0d5a8e838

Download Submit
memory/1468-0-0x0000000000400000-0x000000000040C200-memory.dmp

Filesize
48KB

Download
memory/3244-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3244-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5080-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5080-23-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download