8de5b0193c36351229897e4e1818b6a0082af359d05a6ecd60242f1420c0eede

Analysis

max time kernel
95s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe
Size

80KB
MD5

35c4d9423dbd514ac62b31c7e70e0c3f
SHA1

f5163a43b85467dd9f5aaf6b660083091e24d7d6
SHA256

8de5b0193c36351229897e4e1818b6a0082af359d05a6ecd60242f1420c0eede
SHA512

52997c0bcde0bcb5da7143dd6a3bc48a95461236ed2da05f410ebf64ab1731ee46897a6ec4006608ac05e4f1d362bd338c45526f6345010aa60969e9616da786
SSDEEP

1536:5q43FkDrV3ny9yaXkkd/N5Qsk8vO19sQKY:5Ao1LQsVS

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1040	Sjv835O1.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4888-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4888-1-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4888-4-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x000c00000002343c-9.dat	upx
behavioral2/memory/1040-14-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1040-16-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sjv835O1.exe	35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sjv835O1.exe	35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sjv835O1.exe	Sjv835O1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4888	35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1040	Sjv835O1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 1040	4888	35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe	88
PID 4888 wrote to memory of 1040	4888	35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe	88
PID 4888 wrote to memory of 1040	4888	35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe	88
PID 4888 wrote to memory of 5116	4888	35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe	89
PID 4888 wrote to memory of 5116	4888	35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe	89
PID 4888 wrote to memory of 5116	4888	35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe	89
PID 1040 wrote to memory of 4320	1040	Sjv835O1.exe	90
PID 1040 wrote to memory of 4320	1040	Sjv835O1.exe	90
PID 1040 wrote to memory of 4320	1040	Sjv835O1.exe	90

C:\Users\Admin\AppData\Local\Temp\35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35c4d9423dbd514ac62b31c7e70e0c3f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\Sjv835O1.exe
  "C:\Windows\system32\Sjv835O1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\Sjv835O1.exe > nul
    3⤵
    PID:4320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35C4D9~1.EXE > nul
  2⤵
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sjv835O1.exe

Filesize
80KB

MD5
35c4d9423dbd514ac62b31c7e70e0c3f

SHA1
f5163a43b85467dd9f5aaf6b660083091e24d7d6

SHA256
8de5b0193c36351229897e4e1818b6a0082af359d05a6ecd60242f1420c0eede

SHA512
52997c0bcde0bcb5da7143dd6a3bc48a95461236ed2da05f410ebf64ab1731ee46897a6ec4006608ac05e4f1d362bd338c45526f6345010aa60969e9616da786

Download Submit
memory/1040-14-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1040-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4888-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4888-1-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4888-4-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download