6bec258e312d8ba0fc41232beb984d1cdf4f12cf75b621bc5802ea8b1827573a

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 06:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe
Size

30KB
MD5

3c4bcaa926c744b2dc4092f169dc4fff
SHA1

10a9085984bb1bbc0afb3344409b7e8f33adbbf0
SHA256

6bec258e312d8ba0fc41232beb984d1cdf4f12cf75b621bc5802ea8b1827573a
SHA512

a3178ff5f78aa9f4e30923e5679e9a82c0fbbc52571775cb2a0f5c953c8e64d4716b9493beba938ba2f01c44cbdc2b25e57247ea5a0c540b437b204a91879734
SSDEEP

384:7GOFevQdOAOgIYKn6VQ1s7I7LhBPa8tbQf5umaIDZju6IIJ7firU+7TG:7GOiTNnaE7Vg8MkIQ63ur8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	pun_01.exe
4732	pun_01.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pun_01.exe	3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4332	4732	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4804	3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe
4804	3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4804	3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4804	3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2964	4804	3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe	85
PID 4804 wrote to memory of 2964	4804	3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe	85
PID 4804 wrote to memory of 2964	4804	3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe	85
PID 2964 wrote to memory of 4732	2964	pun_01.exe	86
PID 2964 wrote to memory of 4732	2964	pun_01.exe	86
PID 2964 wrote to memory of 4732	2964	pun_01.exe	86

C:\Users\Admin\AppData\Local\Temp\3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c4bcaa926c744b2dc4092f169dc4fff_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\pun_01.exe
  "C:\Windows\system32\pun_01.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\pun_01.exe
    StubPath
    3⤵
    - Executes dropped EXE
    PID:4732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 492
      4⤵
      Program crash
      PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4732 -ip 4732
1⤵
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\pun_01.exe

Filesize
7KB

MD5
4b148a1d8e8073d0cde708d9d4c78d7b

SHA1
7b9f876ee0dd9c351050eccc195e5ea0d6ad08ef

SHA256
4ef8c45c150adc4c75217bbcfc3d5ce04fa319181c3d265afcca311c050636bb

SHA512
e51cb5b56e5b1b1af5647df7714023ee2f5859163a8aa56402fffc424d1cd32268666c9b5956c06f94c63efd85ea177e0eb36e84167ff916e7454bc987d10f28

Download Submit
memory/2964-10-0x0000000000400000-0x0000000000401E00-memory.dmp

Filesize
7KB

Download
memory/4804-8-0x0000000000400000-0x000000000040D7AC-memory.dmp

Filesize
53KB

Download