5bc9b551e31e5025cfaa9e2cb65f51387c6f8951355a70ea8ca0f712584b36a4

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 22:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe
Size

1.4MB
MD5

4385234b60bbc158535f0b5146cdf123
SHA1

da3bec4ea0206c21c71caa65beb537f44c87b057
SHA256

5bc9b551e31e5025cfaa9e2cb65f51387c6f8951355a70ea8ca0f712584b36a4
SHA512

5f141b8b9ab45ab02c3ede05d89b9e398bec8fdf6f800d333fe436662277be1fc3b7d619ddf9a340e05b258f869d6c4743443e4fe29a98cc1e0c4f81be5d419c
SSDEEP

24576:m/tTd/zSDIFj43F1DxX8yR0OS6kY+SpxtUPEsfAuMxnwzMUC80+L6AFuCT4T:YTdesFj4V1ia0DuDPU7jGJv+2uuCET

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	rundll321.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	rundll321.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2884	2880	WerFault.exe	90

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 3524	2760	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	86
PID 2760 wrote to memory of 3524	2760	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	86
PID 2760 wrote to memory of 3524	2760	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	86
PID 2760 wrote to memory of 1916	2760	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	88
PID 2760 wrote to memory of 1916	2760	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	88
PID 2760 wrote to memory of 1916	2760	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	88
PID 1916 wrote to memory of 2880	1916	cmd.exe	90
PID 1916 wrote to memory of 2880	1916	cmd.exe	90
PID 1916 wrote to memory of 2880	1916	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp\Š‰ÑÓÂÊ¿.exe.bat" "
  2⤵
  PID:3524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp\rundll321.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\Temp\rundll321.exe
    C:\Users\Admin\AppData\Local\Temp\Temp\rundll321.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 276
      4⤵
      Program crash
      PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2880 -ip 2880
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\rundll321.exe

Filesize
119KB

MD5
e39cbcadd6899d7c628fffeac7b0ef4d

SHA1
0e2cb27b8d9fbc47589b98311692df9dfb930751

SHA256
45f0d620fa2e8e9bdb20299b2061c36b25cfbfb2f50e5f29df8d0d7053ec5a4d

SHA512
1cd55479fd41bde26c072c45d0ee347ea4617253f202c251dc0b57071d3cf9a23de222b6294125953d673041c901a319c6052cec3b89e4f872086b7e66f6096b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\rundll321.exe.bat

Filesize
120B

MD5
903365f6eee63b9886be90998ed4c991

SHA1
d8b090ae821b62560b9011c85479873ac7e3d4f2

SHA256
20842c46014ba77dab4b0730dd8e55a2b01786330bcfd657c7c7069502fe5c95

SHA512
9d410588ce05e25c50d82385b8f7a17072d2cfad63b4a49fd96d0fe3455e46c7f4d2ce4b8eb29771a9c03de9bcaeef1cb5602f6371c70082aa1c18c7b5376c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\Š‰ÑÓÂÊ¿.exe.bat

Filesize
160B

MD5
07f6f3a823bcc3cb4dea86411c0c39c1

SHA1
0995ef60a0a8eb0dd2006cacee08de63b08b7dd2

SHA256
7fdf340d7ce1643782e41a154b2dde523f194450356017ec217c6cb5fc7b9de6

SHA512
53c05564479cef546a012ad844755eec3d7ebab2b233fc6d0aeb6503e0e2f027d2633829fd85ef47a4fb6259d1a87b6b5784331a3890946bc849427c6798e4cc

Download Submit
memory/2880-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download