4dbabfd2f7b0b29e9c53a9af04ac4e58d6545f1e504b1ccf3cc9251b1faff7c8

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 00:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e5677f445e632845166c551434bdfbb_JaffaCakes118.exe
Size

195KB
MD5

5e5677f445e632845166c551434bdfbb
SHA1

72913924c72f7c4e5fecd63a045f268d3ea31aae
SHA256

4dbabfd2f7b0b29e9c53a9af04ac4e58d6545f1e504b1ccf3cc9251b1faff7c8
SHA512

9090d0b767533d09f38eb9e0465d797dff5db88689b56017d849db49638ac9b3f5058791ebccfcac07e3340327d36a671238c440c1c3d4d07ded5f15b4bcba0a
SSDEEP

6144:2zG8nriOnW/rGgGCY9DOwyYqY5P02iMK5:O1DYrDY9eYr02lK5

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	5e5677f445e632845166c551434bdfbb_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe	5e5677f445e632845166c551434bdfbb_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1628	server.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	5e5677f445e632845166c551434bdfbb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	5e5677f445e632845166c551434bdfbb_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1628	server.exe
1628	server.exe
1628	server.exe
1628	server.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 1628	3656	5e5677f445e632845166c551434bdfbb_JaffaCakes118.exe	86
PID 3656 wrote to memory of 1628	3656	5e5677f445e632845166c551434bdfbb_JaffaCakes118.exe	86
PID 3656 wrote to memory of 1628	3656	5e5677f445e632845166c551434bdfbb_JaffaCakes118.exe	86
PID 1628 wrote to memory of 3408	1628	server.exe	56
PID 1628 wrote to memory of 3408	1628	server.exe	56
PID 1628 wrote to memory of 3408	1628	server.exe	56
PID 1628 wrote to memory of 3408	1628	server.exe	56
PID 1628 wrote to memory of 3408	1628	server.exe	56
PID 1628 wrote to memory of 3408	1628	server.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\5e5677f445e632845166c551434bdfbb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5e5677f445e632845166c551434bdfbb_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe

Filesize
50KB

MD5
3f5b738dfeb30e63c7e33e7bf30c89fc

SHA1
cc0627b4287e9ed01a0be29d525554759a55e154

SHA256
e809fb386ed9ef7e16f324df2050d1c78df7223524999ce67e75269bf4409637

SHA512
a667b01b0c4f04d4eee2556e620428ff318d6e15849d7d8117a9ef1fc50b8e31594efee7c484903071e5164b32e3f1ee8f2a4212245fecdd7caddb19c0cddb7a

Download Submit
memory/1628-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1628-26-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1628-34-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1628-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3408-27-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/3408-29-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/3656-23-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download