e2e5b85381499121ec7e54b810c4415e7d0d4f2f9f1ebcd95c0a8c17db129cce

Analysis

max time kernel
93s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37da1190c300cdb5315dffac45b541dd_JaffaCakes118.exe
Size

2.0MB
MD5

37da1190c300cdb5315dffac45b541dd
SHA1

140ef5a36a7b24ff21800aad7cc28924546ab596
SHA256

e2e5b85381499121ec7e54b810c4415e7d0d4f2f9f1ebcd95c0a8c17db129cce
SHA512

99a8a3aa57df9900314ea732f8bcd597301855c4ad7fd54e0641ebb6cb67b168b5a693cdc6ff54cb7e2fa4fe01e3a69f7e084c0a0a925c78561bf98895144a2f
SSDEEP

49152:D7qDNHm6jMzzCQyKFR3fUZGuZZLhSbaHX4td:DuMXrFRNuZZYi4td

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	37da1190c300cdb5315dffac45b541dd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	al6it1516l5754g.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	filesystemscan.exe

Executes dropped EXE 3 IoCs

pid	Process
1544	al6it1516l5754g.exe
1880	filesystemscan.exe
4064	Protector-qrq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1880	filesystemscan.exe
4064	Protector-qrq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 1544	380	37da1190c300cdb5315dffac45b541dd_JaffaCakes118.exe	86
PID 380 wrote to memory of 1544	380	37da1190c300cdb5315dffac45b541dd_JaffaCakes118.exe	86
PID 380 wrote to memory of 1544	380	37da1190c300cdb5315dffac45b541dd_JaffaCakes118.exe	86
PID 1544 wrote to memory of 1880	1544	al6it1516l5754g.exe	87
PID 1544 wrote to memory of 1880	1544	al6it1516l5754g.exe	87
PID 1544 wrote to memory of 1880	1544	al6it1516l5754g.exe	87
PID 1880 wrote to memory of 4064	1880	filesystemscan.exe	88
PID 1880 wrote to memory of 4064	1880	filesystemscan.exe	88
PID 1880 wrote to memory of 4064	1880	filesystemscan.exe	88
PID 1880 wrote to memory of 892	1880	filesystemscan.exe	89
PID 1880 wrote to memory of 892	1880	filesystemscan.exe	89
PID 1880 wrote to memory of 892	1880	filesystemscan.exe	89

C:\Users\Admin\AppData\Local\Temp\37da1190c300cdb5315dffac45b541dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37da1190c300cdb5315dffac45b541dd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\al6it1516l5754g.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\al6it1516l5754g.exe" -e -p3bl9cj1777w86yj
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\filesystemscan.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\filesystemscan.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Users\Admin\AppData\Roaming\Protector-qrq.exe
      C:\Users\Admin\AppData\Roaming\Protector-qrq.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4064
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\FILESY~1.EXE" >> NUL
      4⤵
      PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\al6it1516l5754g.exe

Filesize
2.0MB

MD5
260acc7f06f599cdb8773f0ed393be73

SHA1
23ccb944535ee07739df656075d6e6790beb6544

SHA256
883dd3b1193b371b2ea2751518f0f92943f6ea5bdeb7827d9a8370489e6affda

SHA512
5122a4601e9078d2240fe5059d3ed3c2b3ee389c977a894142252cda6b6a5c2c9dc0a0ce23ebf6495471090c6448b42cfb4a1406edde84dea7358bb541d90e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\filesystemscan.exe

Filesize
1.9MB

MD5
f210c7f3b53f53065a358a300abb7049

SHA1
d13adb9cd5a02eb08d8e4c9cce81f6261f1b0294

SHA256
a259dc8532b93dca95229d8895ede998f1c3f639b726aa322aa17392f51319f1

SHA512
b0b9e0f81b94810f6957c900020504c1089286f0641fcc9d4f3bf385dbe86f7934dfa30e9deb36969dccc002a8ad8ed4b2523713888ccd930dd1e4bc10c8f5a6

Download Submit
memory/1880-21-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/1880-27-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/4064-29-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download