6c92b4b25313a1c11acb09a1426a5fbe448c5486cffd46407206a9fe5fcca663

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe
Size

10KB
MD5

43b503f5d17c96eb74619d92f352a7a1
SHA1

0733faab433ee1e49ad0b9fc84c96a9682f21bdf
SHA256

6c92b4b25313a1c11acb09a1426a5fbe448c5486cffd46407206a9fe5fcca663
SHA512

cc88fa74c2d2a4d8ab97dbc6ec5bbe912bb0f762d7039ecb35b829a624cacb954f4dc16bccf0653a0c3477ac857c8d2358cacd54fc33f117978e72d849f29cf0
SSDEEP

192:QpQCaIpJfFFUNsosgrHCE4HyD5tJTWCw34TVxpZ+e8kwvRap:Qpva4fRGhD5tJ6Cw34TVxp18xRY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	fxmngr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	fxmngr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fxmngr.exe	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ts.ico	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ot.ico	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2680	fxmngr.exe
Token: SeIncBasePriorityPrivilege	4024	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 2680	4024	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe	85
PID 4024 wrote to memory of 2680	4024	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe	85
PID 4024 wrote to memory of 2680	4024	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe	85
PID 4024 wrote to memory of 4980	4024	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe	86
PID 4024 wrote to memory of 4980	4024	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe	86
PID 4024 wrote to memory of 4980	4024	43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe	86
PID 2680 wrote to memory of 1672	2680	fxmngr.exe	87
PID 2680 wrote to memory of 1672	2680	fxmngr.exe	87
PID 2680 wrote to memory of 1672	2680	fxmngr.exe	87

C:\Users\Admin\AppData\Local\Temp\43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43b503f5d17c96eb74619d92f352a7a1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\SysWOW64\fxmngr.exe
  C:\Windows\system32\fxmngr.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\fxmngr.exe > nul
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\43B503~1.EXE > nul
  2⤵
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Security Troubleshooting.url

Filesize
86B

MD5
780f8992827930cc8bb27c10e8d71ca8

SHA1
f0caae2a05eabeea489f8980fea3f16709c926ad

SHA256
6f3c2e9d034af7bb0a14e7647858aa24c2028be99f9461a82a086c48e6b605af

SHA512
a6ef6b54b3d119b85e829d6aaa55bf991426b8aacda98414845d84129928440df1ecd7d730b3513f982907b0891d66d28120e9fe57de6a123834c57a5c3ef247

Download Submit
C:\Users\Public\Desktop\Online Security Guide.url

Filesize
84B

MD5
6a8138a43f6d11ba3ec0187f9ded3d36

SHA1
9402cf375fea2ca1475ca3af60b5dbc8742264eb

SHA256
71df832ebef72ced2b5ad42cd02d13aa5467fc1ea774b425b84dcf74c61442b5

SHA512
7dac5051873dd90b96c6483470cf8e9b208e19c76a9bfcfae03340f8d1e7441893b928a331aa45a86bd2a88b0f2b931d1d88d8d6b123b77bb9b949953d4502c4

Download Submit
C:\Windows\SysWOW64\fxmngr.exe

Filesize
2KB

MD5
df6a4d76e2c08d44d3f612163bfc74ff

SHA1
c57e1c3efe59a9d039b468a90d901e582459c9a5

SHA256
429a19408e7238239b162596c03235610be92287ebd65665851a5658ec5e6eb5

SHA512
4ab643642c0df8bf670109950d1de553f5d805cfcd74d7242631b834d500359482ea786e7698d79f0ace5f56f51c9b2ebd294ba17668ee958be187fc21590e65

Download Submit