8e2fab1fc3669129dc94c1696c9173f332a5dbc7f59de58ded9debdf03f503f7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 02:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe
Size

81KB
MD5

3b9fb125d9b90ce674f7602475dc426b
SHA1

f20e86fbe54e19606063b6e2c968322f6d0d771b
SHA256

8e2fab1fc3669129dc94c1696c9173f332a5dbc7f59de58ded9debdf03f503f7
SHA512

efb11a74796ba45753b4f8345d7fb37047cee1a9ddc039a052801a72a1924755e2475c675550f70fd9f90ecf454febdc8c1125163425cf0a68086af1408251f6
SSDEEP

1536:v2/zo96LxuFVvOeoTGawJJsvCpemN9fs20mRuYWBg:v2/E96FuFVWeopZqp3RluYWC

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
988	msiconf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec.exe = "msiconf.exe"	3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msiconf.exe	3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msiconf.exe	msiconf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	msiconf.exe
File opened for modification	C:\Windows\SysWOW64	3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 988	372	3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe	84
PID 372 wrote to memory of 988	372	3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe	84
PID 372 wrote to memory of 988	372	3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe	84
PID 372 wrote to memory of 3368	372	3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe	86
PID 372 wrote to memory of 3368	372	3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe	86
PID 372 wrote to memory of 3368	372	3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b9fb125d9b90ce674f7602475dc426b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\msiconf.exe
  C:\Windows\system32\msiconf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3B9FB1~1.EXE >> nul
  2⤵
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Thumbs.db

Filesize
14B

MD5
9b4d9c0c5152f54c439c2faf26effa6a

SHA1
5e4c3f20497aa15b0d0b7e33e8f304d00fd4e558

SHA256
b66dcf2be2312960155b4c1b5ca8573859d8bf0bc1ad4547ef47341bc43d141a

SHA512
544dba8204682cdeeebf861248153c12ca86ee353ec635a8d0d9f1d4941bb8e50dabd4adefb15de96fc1640c4ccd4aff08f72ba7209c7aee551bf7667e4c5717

Download Submit
C:\Windows\SysWOW64\msiconf.exe

Filesize
81KB

MD5
3b9fb125d9b90ce674f7602475dc426b

SHA1
f20e86fbe54e19606063b6e2c968322f6d0d771b

SHA256
8e2fab1fc3669129dc94c1696c9173f332a5dbc7f59de58ded9debdf03f503f7

SHA512
efb11a74796ba45753b4f8345d7fb37047cee1a9ddc039a052801a72a1924755e2475c675550f70fd9f90ecf454febdc8c1125163425cf0a68086af1408251f6

Download Submit
memory/372-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/988-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads