46234949af62291242805d2f33a6af522efce251cfc053465be677d29a2a19fd

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe
Size

1.8MB
MD5

495ed03e17c27fa4c20deb6bd435dc2c
SHA1

4ff6f239ed7adf13368e0ba8df0d44230837085a
SHA256

46234949af62291242805d2f33a6af522efce251cfc053465be677d29a2a19fd
SHA512

ccfc6a43c9a22f022ea95399cda607c26dccd4b5d031c18891a897fd94c502dd280c8083061a23a6474477a1085c995d8e6f978d25741016db5b06e39bd991cc
SSDEEP

24576:f1kXXvxyJp759Potg4rfYF1NLpw5aopS/IVyCRE/a8Gg9bnRvOmpC9L58jXWeSvH:f1I56947yLGgZR7M2GeSuc78LA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
216	ffffff.Exe
3516	suportfile.Exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 216	2284	495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe	86
PID 2284 wrote to memory of 216	2284	495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe	86
PID 2284 wrote to memory of 3516	2284	495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe	87
PID 2284 wrote to memory of 3516	2284	495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe	87
PID 3516 wrote to memory of 408	3516	suportfile.Exe	88
PID 3516 wrote to memory of 408	3516	suportfile.Exe	88
PID 216 wrote to memory of 592	216	ffffff.Exe	89
PID 216 wrote to memory of 592	216	ffffff.Exe	89

C:\Users\Admin\AppData\Local\Temp\495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\ffffff.Exe
  "C:\Users\Admin\AppData\Local\Temp\ffffff.Exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\ffffff.Exe
    C:\Users\Admin\AppData\Local\Temp\ffffff.Exe
    3⤵
    PID:592
- C:\Users\Admin\AppData\Local\Temp\suportfile.Exe
  "C:\Users\Admin\AppData\Local\Temp\suportfile.Exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\suportfile.Exe
    C:\Users\Admin\AppData\Local\Temp\suportfile.Exe
    3⤵
    PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffffff.Exe

Filesize
455KB

MD5
bf3c1f671f121628fc964cabf472a19b

SHA1
da4b2223eea9723cfe1b570eba33b650bc80d315

SHA256
b37cf7ec35578d632d7b7d733469f05efc8522422323da059ddf2d3c75e8145e

SHA512
cd16c6101deb99eac27ec78a2d350474029cd44fc5032704b1c71548a3104f48f840b75bf333ca4dc996872a5ded7e87ba031cc9838454459c755b37dabc5d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\suportfile.Exe

Filesize
455KB

MD5
b0b3e82bf01f657a40d05de4951bb51f

SHA1
b5dbb22a9bfc75cd3881a60d84f5d698fed01fcf

SHA256
127b73e86090068ecb213498da64f62860c13c8c28aefc5928778a88f1db0638

SHA512
9061f9f78250f076ccba54d9999165219709ab92d4e1c70ca302779f127fb7bebd3ff1c468c0f04be12092b84caf567f3eedf134bea24d9a7cd6596d2d1e3731

Download Submit
memory/216-35-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/216-32-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/216-43-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/216-34-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/2284-33-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/2284-5-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/2284-8-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/2284-2-0x000000001BE90000-0x000000001C35E000-memory.dmp

Filesize
4.8MB

Download
memory/2284-1-0x000000001B870000-0x000000001B916000-memory.dmp

Filesize
664KB

Download
memory/2284-3-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/2284-6-0x0000000001150000-0x0000000001158000-memory.dmp

Filesize
32KB

Download
memory/2284-7-0x000000001C620000-0x000000001C66C000-memory.dmp

Filesize
304KB

Download
memory/2284-4-0x000000001C400000-0x000000001C49C000-memory.dmp

Filesize
624KB

Download
memory/2284-0-0x00007FFACC9C5000-0x00007FFACC9C6000-memory.dmp

Filesize
4KB

Download
memory/3516-37-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/3516-38-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/3516-39-0x000000001CA70000-0x000000001CAD0000-memory.dmp

Filesize
384KB

Download
memory/3516-42-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/3516-36-0x00007FFACC710000-0x00007FFACD0B1000-memory.dmp

Filesize
9.6MB

Download