82453a7ede3c73cb0e5724a2a919c50842be6d1076a28aacad4739f738a09a0b

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39efd232bcf49a38db557af3118163b1_JaffaCakes118.exe
Size

2.7MB
MD5

39efd232bcf49a38db557af3118163b1
SHA1

e45e9029788c939208e2a8dc5f3ba1aa1845289d
SHA256

82453a7ede3c73cb0e5724a2a919c50842be6d1076a28aacad4739f738a09a0b
SHA512

6e0933fbaa51537aaee47aa30ad36c034da6f3342a5a5fef5ab53198ad857c35dba0ec0d5f693a45fddbef3ae7abff8006ed2f17fdb1d55baced45f128bd895d
SSDEEP

49152:eE/iMAZs7s3cRS0w26cHMaMrg1fT0KyKcnvzWDR6FIsEqUvY:rRrs3ISL26cH6rq7TcnqDUFI7qUY

Score

7^/10

defense_evasion privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	39efd232bcf49a38db557af3118163b1_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4912	1913520113.bin

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4660	39efd232bcf49a38db557af3118163b1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4660	5020	39efd232bcf49a38db557af3118163b1_JaffaCakes118.exe	85
PID 5020 wrote to memory of 4660	5020	39efd232bcf49a38db557af3118163b1_JaffaCakes118.exe	85
PID 5020 wrote to memory of 4660	5020	39efd232bcf49a38db557af3118163b1_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\39efd232bcf49a38db557af3118163b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39efd232bcf49a38db557af3118163b1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\39efd232bcf49a38db557af3118163b1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\39efd232bcf49a38db557af3118163b1_JaffaCakes118.exe" "runas"
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:4660
- - C:\Users\Admin\AppData\Local\Temp\1913520113.bin
    "C:\Users\Admin\AppData\Local\Temp\1913520113.bin"
    3⤵
    - Executes dropped EXE
    PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1913520113.bin

Filesize
2.2MB

MD5
f015ded62dbbbcda0b55d89a4a660fa8

SHA1
746985af9e0e5142f0bb362a500310388e08a151

SHA256
8e31f76747eb338b094a1bb19eeff8037f551bd72bc646df028a3f0076ea435d

SHA512
b41f964840a940480c4162c93e4f5727dd750b1c73069d9942f187d130d8a63ec99950dd1df190005993bf7a0efd9b7b262d31bea824df7f480d79963d05e629

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads