849a4be9e804c29b4a6159e5418b67de540acd89b2bd1b6a0f3c34224be427e2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 21:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
Size

477KB
MD5

5dce85ae9d8f764f717db7d52030a79d
SHA1

b43951fa35b17c1797dc670b7e1fc6df1195de2a
SHA256

849a4be9e804c29b4a6159e5418b67de540acd89b2bd1b6a0f3c34224be427e2
SHA512

6de14842741f3e4bf1dea051ecfeb4ed94f08ed7a05112661dd0b1908da17ae3845bc929d8d864554e3bb2ed8d90417d166d41d30cafc685119fff5c1710e11f
SSDEEP

12288:TNodBiTI+TpPA6EZO7KUQRZ66z24VZbdrpgrXN2LWzmidN:ZoPD+TpP3vKU6Z66z24VZbFpgJ2LWzm+

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SHARE_TEMP\Icon6.ico	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File created	C:\Windows\winhash_up.exez	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File created	C:\Windows\winhash_up.exe	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File created	C:\Windows\bugMAKER.bat	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File opened for modification	C:\Windows\winhash_up.exez	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2116	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 2116	4372	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe	84
PID 4372 wrote to memory of 2116	4372	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe	84
PID 4372 wrote to memory of 2116	4372	5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5dce85ae9d8f764f717db7d52030a79d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
90B

MD5
b971d20ddabdd6369f5badb60a483433

SHA1
de6cc8d39a4ab61d2e709f960e4bbdbe20ae4a21

SHA256
1da6e2d88f4bf5c1378402e8552fa83f5319c744838f59bde2eed9cc8b47342b

SHA512
2d97543a34c76a635f73d4dbe870a113169f4d745314aedc379138ef39e7f332ae4f0da47a0f117f96f2984e1955d565d51b30605997e5238d26dea8768a840a

Download Submit
memory/4372-24-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads