0b86ece8decbb753d0edb23fa2c4f4581039dc95d7180285bf995e93dbc6e139

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3af21f974f5b231740c10c13c0f40f4b_JaffaCakes118.exe
Size

158KB
MD5

3af21f974f5b231740c10c13c0f40f4b
SHA1

00c0455f434da9e15d1cd2436cb99f32c9379371
SHA256

0b86ece8decbb753d0edb23fa2c4f4581039dc95d7180285bf995e93dbc6e139
SHA512

ffbedb9da5164133d9e1286a398355f51e81752e6104bedb145210fd3a84293caeee38e626284ee204952b0c56bc58d2b197fb8df6052cf08429644c9564a72a
SSDEEP

3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rAHghQSbdy5OxNA4wUMN/:WTfFDbRnOTrAW0U+UMN/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	3af21f974f5b231740c10c13c0f40f4b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4804	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1484	4804	WerFault.exe	85

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4804	1776	3af21f974f5b231740c10c13c0f40f4b_JaffaCakes118.exe	85
PID 1776 wrote to memory of 4804	1776	3af21f974f5b231740c10c13c0f40f4b_JaffaCakes118.exe	85
PID 1776 wrote to memory of 4804	1776	3af21f974f5b231740c10c13c0f40f4b_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\3af21f974f5b231740c10c13c0f40f4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3af21f974f5b231740c10c13c0f40f4b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"
  2⤵
  - Executes dropped EXE
  PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 228
    3⤵
    - Program crash
    PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4804 -ip 4804
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
188KB

MD5
902b221e1b9a0bc27241a2e9406e7bc6

SHA1
1cda002ab366402e54e945f3716a1e65851bf0c6

SHA256
efbcfb1bf82a1272b0247c4657e8c252212387395606e1ed77e242582f725858

SHA512
c8ca6b427faef71172210e8e7c526145238822f5f54005ac8a5ca47c29483fa92dfcbfe68e75ad9dd2c76040d185237f3bff118a48805120c97e91cef2587c60

Download Submit
memory/1776-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download