c0bf55587a6d4e6cf807d5c4a2c4388969b05cd2f178b6ff8f22771b21537314

Analysis

max time kernel
140s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe
Size

77KB
MD5

5a3b362f9186d9be228f0f18a86f782c
SHA1

8e1dffd4d2f3b99ec23eafab0787649c0148ffe6
SHA256

c0bf55587a6d4e6cf807d5c4a2c4388969b05cd2f178b6ff8f22771b21537314
SHA512

b27418d4089fdf23091b202e3fa8de183b8bb1aedd6757643aa0bef6b1f4c1072a7b8e68a98c3a38af6844485cc213155eb2441809e8daa391093286f9d1f399
SSDEEP

1536:HKql9mQgoiKzs8faOGN8A71qDQzZt7fGHuWiHCj/PZk7wqWypWyy2:AloxGhSAWWZxOHv1Zk7wgWyy2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qqmmck.vxd	5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B2E816-2CEF-4345-8758-7699C7C9935F}	5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B2E816-2CEF-4345-8758-7699C7C9935F}\	5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B2E816-2CEF-4345-8758-7699C7C9935F}\InProcServer32	5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B2E816-2CEF-4345-8758-7699C7C9935F}\InProcServer32\ = "C:\\Windows\\SysWow64\\qqmmck.vxd"	5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B2E816-2CEF-4345-8758-7699C7C9935F}\InProcServer32\ThreadingModel = "Apartment"	5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1444	3920	5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe	94
PID 3920 wrote to memory of 1444	3920	5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe	94
PID 3920 wrote to memory of 1444	3920	5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a3b362f9186d9be228f0f18a86f782c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saonv.bat" "
  2⤵
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\saonv.bat

Filesize
48B

MD5
c0ed6840d533fddb1ebca40d4dee935c

SHA1
3d44c6eb19fd8743f67790fcd0fee6e4f45fa1cb

SHA256
f53b6bfd4cb0a98886fbb104892061efe06ea1b6b706dcb2a8728e60bfae4183

SHA512
ffedff65c26981bb25fc7aa15b218b9286fc1553da67f88075e9e48069d93d6e9528ce6944d442bbefdd462b9038eb09c58bc9b1f9564a3dc6251a36ee6a7f1e

Download Submit
memory/3920-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3920-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download