01db040f498ed0b4b3df6337f1dd5ff472876bd70a72f96543966302ee97bfb8

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe
Size

174KB
MD5

420973540d2d7fbde1d20890815eb81b
SHA1

b39b10aa5800dd4ecb3f33855e48a38c8c5f0b93
SHA256

01db040f498ed0b4b3df6337f1dd5ff472876bd70a72f96543966302ee97bfb8
SHA512

7c6a5ba161ef4b3df885baed7cfd89fe39c9cd7be64f09241864603970b68983f314b25ebc06db78e6d0e6d62fd2ff85f43deabda952334c19d19a9a6bf80af0
SSDEEP

3072:scDV6Az1lWgFvYGnJd6KpZV3uTN9WU/G9B32w590Kqm/32nzNvI+x/tW:NQAKgFvYGJd6KpZV3uTN9WU/G9BGw59d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3428	CryptedFile.exe
2156	CryptedFile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2328	2156	WerFault.exe	87

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 3428	4708	420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe	86
PID 4708 wrote to memory of 3428	4708	420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe	86
PID 4708 wrote to memory of 3428	4708	420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe	86
PID 3428 wrote to memory of 2156	3428	CryptedFile.exe	87
PID 3428 wrote to memory of 2156	3428	CryptedFile.exe	87
PID 3428 wrote to memory of 2156	3428	CryptedFile.exe	87

C:\Users\Admin\AppData\Local\Temp\420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
    StubPath
    3⤵
    - Executes dropped EXE
    PID:2156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 456
      4⤵
      Program crash
      PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2156 -ip 2156
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe

Filesize
10KB

MD5
c74e581603935190248b357711862d72

SHA1
68e52d3c68c2903b6391646e230948d14d012471

SHA256
d75800dad7f80def296ea8416c8a8902c38ab61472c5a9ccdfd9eed85448c4dc

SHA512
fc882c1392341cab3146e94eba92438799a6b604590fe0f2f9db84e7662ecec0e5bc4c6375d8ae6cbceff5257c3f9f74244f131f8dfa31d71871c7202798d519

Download Submit
memory/2156-22-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2156-21-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3428-20-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3428-15-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4708-3-0x000000001B730000-0x000000001BBFE000-memory.dmp

Filesize
4.8MB

Download
memory/4708-6-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/4708-7-0x000000001BE00000-0x000000001BE4C000-memory.dmp

Filesize
304KB

Download
memory/4708-5-0x00007FFB4A0E0000-0x00007FFB4AA81000-memory.dmp

Filesize
9.6MB

Download
memory/4708-4-0x000000001BCA0000-0x000000001BD3C000-memory.dmp

Filesize
624KB

Download
memory/4708-19-0x00007FFB4A0E0000-0x00007FFB4AA81000-memory.dmp

Filesize
9.6MB

Download
memory/4708-0-0x00007FFB4A395000-0x00007FFB4A396000-memory.dmp

Filesize
4KB

Download
memory/4708-2-0x00007FFB4A0E0000-0x00007FFB4AA81000-memory.dmp

Filesize
9.6MB

Download
memory/4708-1-0x000000001B1B0000-0x000000001B256000-memory.dmp

Filesize
664KB

Download