8c30b9555c2fd0adf894a2b7bab272cdee27b507dcf0c2909c4b079716095a92

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49c9f67f8d9feb5659126fcfff84b6d9_JaffaCakes118.exe
Size

160KB
MD5

49c9f67f8d9feb5659126fcfff84b6d9
SHA1

8398b9e7557403a604a522a8b9d9d2a0058b29c0
SHA256

8c30b9555c2fd0adf894a2b7bab272cdee27b507dcf0c2909c4b079716095a92
SHA512

95d32090db3238c37c9bab00b0f5425b3cc6730ba123b7d703ffeb55a0f215ae0a227d19265a0123b45a13fc308f25b753e6e384a3b2c67ed69649e75350edfc
SSDEEP

3072:7kKZpCS0uj/jn8R6BgBwJfZqH7mTNbap2VftOphUh:7kaUSXzjGBGfYbQOp4fW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	49c9f67f8d9feb5659126fcfff84b6d9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2412	2920	49c9f67f8d9feb5659126fcfff84b6d9_JaffaCakes118.exe	86
PID 2920 wrote to memory of 2412	2920	49c9f67f8d9feb5659126fcfff84b6d9_JaffaCakes118.exe	86
PID 2920 wrote to memory of 2412	2920	49c9f67f8d9feb5659126fcfff84b6d9_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\49c9f67f8d9feb5659126fcfff84b6d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49c9f67f8d9feb5659126fcfff84b6d9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Dfb..bat" > nul 2> nul
  2⤵
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dfb..bat

Filesize
238B

MD5
f5da462149cf788e97f2c6f5d4cbfdef

SHA1
dcab1228c6d298e6ce4aa41556d6c167f995321a

SHA256
b88e1c2f7c96ed9c9cc241bd1d0ede04c61b927ebed249de580f12e6cd08f245

SHA512
560ef5874d238c89f372d1bb2e948b50928c868ffbd337042da438ae32789a9b345e200c9fd2b4e8bec8ad106701977e103f40e47caab6b9864070b1503747db

Download Submit
memory/2920-0-0x00000000021D0000-0x00000000021FD000-memory.dmp

Filesize
180KB

Download
memory/2920-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2920-3-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2920-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2920-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download