f5155de2d00e8682131508e06b26f576585e26f96709b1f890a2047aea98d7d1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.exe
Size

1.6MB
MD5

490aa4b1563226fa40a70a81ec39a68c
SHA1

9754545588133e08d6500687a2b24529089a565b
SHA256

f5155de2d00e8682131508e06b26f576585e26f96709b1f890a2047aea98d7d1
SHA512

33d5c088863a4df13233095998a979a7207c05cc26c5a34ca5727b5d8d02fdc0a628c0b14d5fee50d5ac4ea476eb33c415797d42c8d3e7ecc275c1acd3a8f1fe
SSDEEP

24576:5naIPbJy0/93dd14DVG5b2osNNA+IumOmM6pauGeV3XPtDmkS3rJQBtUkBgJ:5a+c0RdrkVwbbSzxmMdeVPF2inXBgJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp

Executes dropped EXE 2 IoCs

pid	Process
4104	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp
116	rkverify.exe

Loads dropped DLL 4 IoCs

pid	Process
4104	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp
116	rkverify.exe
4104	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp
4104	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe
116	rkverify.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 4104	1256	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.exe	84
PID 1256 wrote to memory of 4104	1256	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.exe	84
PID 1256 wrote to memory of 4104	1256	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.exe	84
PID 4104 wrote to memory of 116	4104	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp	87
PID 4104 wrote to memory of 116	4104	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp	87
PID 4104 wrote to memory of 116	4104	490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp	87

C:\Users\Admin\AppData\Local\Temp\490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\is-RQ2GJ.tmp\490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RQ2GJ.tmp\490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp" /SL5="$701BE,1142007,54272,C:\Users\Admin\AppData\Local\Temp\490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\is-7L2RJ.tmp\rkverify.exe
    "C:\Users\Admin\AppData\Local\Temp\is-7L2RJ.tmp\rkverify.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CSMB769.tmp

Filesize
160KB

MD5
5ac09190daf249c3e93c3ac961067024

SHA1
bad9c0d552d54310f669d66b549dcada90583812

SHA256
f4934185f75518a13ef5425959f47516cc8467f513e838a82e749ffb782d7e23

SHA512
2a87686c038e8a34f8e04a844726de564a08baeedc87632219b86f455d5222efe2ed7557fad9658627e304d916a75cfcb3c9dede4e72057a070f64370aa52f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7L2RJ.tmp\Games.inf

Filesize
1KB

MD5
40f2947ab8f9576070d5f476de4c949f

SHA1
6b3387cda1916293deeed0addd632831b758429a

SHA256
483c7ab220edacafb69e7e9fc5f651741ca1a356dee0a005b2917584e31d5055

SHA512
13ae652b569d36a2b6233f3e086ab4e229d5468e300600349da7bbd96d023fc757fcb2e8d3157d488a4e179d37876d7b8c5bdf3a3f1fdb93a73cd6aeba2ba33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7L2RJ.tmp\isxdl.dll

Filesize
49KB

MD5
02ecc74f7f91e9ffd84de708683236a6

SHA1
3532de0b77df8b0fc89e9c7eddec3fa71f98f5a2

SHA256
30ad8a0e1cee091ca48c771adb2e76baf1a7d54b9f60dc47f54dfdc2d6f6691e

SHA512
a3fdaa651f82428395bc412a2a04fce673768d3ef088b3748addf337d95464eb141ae7c286bff5c705eae05dd7b38207629588ae7e89ada15269463cd7acf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7L2RJ.tmp\rkverify.exe

Filesize
268KB

MD5
020ce95075f8c93e6cc957953d7f4589

SHA1
e192a200e36974b8e0637230a8cb5905090f7555

SHA256
df9d068202c060a898cd441d5c170686cd9c2774a37cfda3ea10abc428e20ad3

SHA512
fb74170ed9b5ee078a176540c198513ed3a8c2e587fbcbf6d2384f840f0b6a2637fd20b6a01b2caf6e92e5f592d517b4733d34fdb349fd770eb04e1eac769170

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RQ2GJ.tmp\490aa4b1563226fa40a70a81ec39a68c_JaffaCakes118.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
memory/1256-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1256-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1256-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4104-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4104-64-0x00000000046E0000-0x0000000004708000-memory.dmp

Filesize
160KB

Download
memory/4104-68-0x0000000075A80000-0x0000000075C20000-memory.dmp

Filesize
1.6MB

Download
memory/4104-69-0x0000000076410000-0x0000000076434000-memory.dmp

Filesize
144KB

Download
memory/4104-70-0x0000000075C80000-0x0000000075D5C000-memory.dmp

Filesize
880KB

Download
memory/4104-67-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download