65d9d0fd82104c4e2a7b543e6af43ae52f59c1ef3c792934e313a2ee373e2050

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
Size

355KB
MD5

4c2c7c74fc6b83081a6869f6ad2369b1
SHA1

86210af55b1a7c9f6eae43efb1ef6cbd8a0cb7fd
SHA256

65d9d0fd82104c4e2a7b543e6af43ae52f59c1ef3c792934e313a2ee373e2050
SHA512

9371e06a903f463e499d128dec6aec344dcb7841e3cc277f7ff96b737e7f0770d1bf88d67f89636718745b5ff1c778019d0ea0020923327580b8b8791d6b7133
SSDEEP

6144:VlbKGP2ooonp+EY8lNlq3OPe0SlmAGYmhwr:nKronkelNOmhw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	.exe

Executes dropped EXE 4 IoCs

pid	Process
4232	.exe
2948	.exe
4992	.exe
2052	.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MsHx.dll	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MsHx.dll	.exe
File created	C:\Windows\SysWOW64\.exe	.exe
File opened for modification	C:\Windows\SysWOW64\MsHx.dll	.exe
File opened for modification	C:\Windows\SysWOW64\MsHx.dll	.exe
File opened for modification	C:\Windows\SysWOW64\.exe	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\.exe	.exe
File created	C:\Windows\SysWOW64\.exe	.exe
File created	C:\Windows\SysWOW64\.exe	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1524	2052	WerFault.exe	99

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
4232	.exe
4232	.exe
4232	.exe
4232	.exe
4232	.exe
4232	.exe
2948	.exe
2948	.exe
2948	.exe
2948	.exe
2948	.exe
2948	.exe
4992	.exe
4992	.exe
4992	.exe
4992	.exe
4992	.exe
4992	.exe
2052	.exe
2052	.exe
2052	.exe
2052	.exe
2052	.exe
2052	.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 1996	3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe	85
PID 3120 wrote to memory of 1996	3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe	85
PID 3120 wrote to memory of 1996	3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe	85
PID 3120 wrote to memory of 4232	3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe	87
PID 3120 wrote to memory of 4232	3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe	87
PID 3120 wrote to memory of 4232	3120	4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe	87
PID 1996 wrote to memory of 3728	1996	net.exe	88
PID 1996 wrote to memory of 3728	1996	net.exe	88
PID 1996 wrote to memory of 3728	1996	net.exe	88
PID 4232 wrote to memory of 2128	4232	.exe	89
PID 4232 wrote to memory of 2128	4232	.exe	89
PID 4232 wrote to memory of 2128	4232	.exe	89
PID 4232 wrote to memory of 2948	4232	.exe	91
PID 4232 wrote to memory of 2948	4232	.exe	91
PID 4232 wrote to memory of 2948	4232	.exe	91
PID 2128 wrote to memory of 2156	2128	net.exe	92
PID 2128 wrote to memory of 2156	2128	net.exe	92
PID 2128 wrote to memory of 2156	2128	net.exe	92
PID 2948 wrote to memory of 3648	2948	.exe	93
PID 2948 wrote to memory of 3648	2948	.exe	93
PID 2948 wrote to memory of 3648	2948	.exe	93
PID 2948 wrote to memory of 4992	2948	.exe	94
PID 2948 wrote to memory of 4992	2948	.exe	94
PID 2948 wrote to memory of 4992	2948	.exe	94
PID 3648 wrote to memory of 4652	3648	net.exe	96
PID 3648 wrote to memory of 4652	3648	net.exe	96
PID 3648 wrote to memory of 4652	3648	net.exe	96
PID 4992 wrote to memory of 4556	4992	.exe	97
PID 4992 wrote to memory of 4556	4992	.exe	97
PID 4992 wrote to memory of 4556	4992	.exe	97
PID 4992 wrote to memory of 2052	4992	.exe	99
PID 4992 wrote to memory of 2052	4992	.exe	99
PID 4992 wrote to memory of 2052	4992	.exe	99
PID 4556 wrote to memory of 3700	4556	net.exe	102
PID 4556 wrote to memory of 3700	4556	net.exe	102
PID 4556 wrote to memory of 3700	4556	net.exe	102

C:\Users\Admin\AppData\Local\Temp\4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c2c7c74fc6b83081a6869f6ad2369b1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:3728
- C:\Windows\SysWOW64\.exe
  C:\Windows\system32\.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:2156
- - C:\Windows\SysWOW64\.exe
    C:\Windows\system32\.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:4652
  - - C:\Windows\SysWOW64\.exe
      C:\Windows\system32\.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        6⤵
        
        PID:3700
    - - C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 436
        6⤵
        Program crash
        
        PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2052 -ip 2052
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\.exe

Filesize
355KB

MD5
4c2c7c74fc6b83081a6869f6ad2369b1

SHA1
86210af55b1a7c9f6eae43efb1ef6cbd8a0cb7fd

SHA256
65d9d0fd82104c4e2a7b543e6af43ae52f59c1ef3c792934e313a2ee373e2050

SHA512
9371e06a903f463e499d128dec6aec344dcb7841e3cc277f7ff96b737e7f0770d1bf88d67f89636718745b5ff1c778019d0ea0020923327580b8b8791d6b7133

Download Submit
memory/2052-23-0x0000000000400000-0x000000000045CE00-memory.dmp

Filesize
371KB

Download
memory/2948-12-0x0000000000400000-0x000000000045CE00-memory.dmp

Filesize
371KB

Download
memory/2948-19-0x0000000000400000-0x000000000045CE00-memory.dmp

Filesize
371KB

Download
memory/3120-0-0x0000000000400000-0x000000000045CE00-memory.dmp

Filesize
371KB

Download
memory/3120-8-0x0000000000400000-0x000000000045CE00-memory.dmp

Filesize
371KB

Download
memory/4232-6-0x0000000000400000-0x000000000045CE00-memory.dmp

Filesize
371KB

Download
memory/4232-14-0x0000000000400000-0x000000000045CE00-memory.dmp

Filesize
371KB

Download
memory/4992-26-0x0000000000400000-0x000000000045CE00-memory.dmp

Filesize
371KB

Download