16a9459a71e9f5b694fb4323e43affc3c6dba050ea7d389684c36d0faf5878cd

Analysis

max time kernel
143s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 23:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

61d9e988eade69c6acde5a053d291044_JaffaCakes118.exe
Size

797KB
MD5

61d9e988eade69c6acde5a053d291044
SHA1

ad49a1a376d557c53b75a34b87264deddcdddd8e
SHA256

16a9459a71e9f5b694fb4323e43affc3c6dba050ea7d389684c36d0faf5878cd
SHA512

034338f98bc89b4d159498712c5698a2b8f0fcb9c494cd39c50efced6ffa8a085655a79f44ef78ed8bbc51b97615ff6b6ce2bec833829c9124a102fcf06ecc07
SSDEEP

6144:5ALU8xEuTboDiSPuEmFXqROGW2KCGbEY5BwnK9msAy95Gkd58W4kbbbiccchgmgi:GL5/0DEEmcROGWMGbrwnKH78W

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	61d9e988eade69c6acde5a053d291044_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1988	tmpA430.tmp.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1168	1988	WerFault.exe	87

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1988	2944	61d9e988eade69c6acde5a053d291044_JaffaCakes118.exe	87
PID 2944 wrote to memory of 1988	2944	61d9e988eade69c6acde5a053d291044_JaffaCakes118.exe	87
PID 2944 wrote to memory of 1988	2944	61d9e988eade69c6acde5a053d291044_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\61d9e988eade69c6acde5a053d291044_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61d9e988eade69c6acde5a053d291044_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\tmpA430.tmp.EXE
  "C:\Users\Admin\AppData\Local\Temp\tmpA430.tmp.EXE"
  2⤵
  - Executes dropped EXE
  PID:1988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 776
    3⤵
    - Program crash
    PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1988 -ip 1988
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA131.tmp.EXE

Filesize
210KB

MD5
82cc09013ccbb9ef865551a4f3d2e573

SHA1
a6284e25c666f625c4b5ed3a146cd35549085f7f

SHA256
e1e8ab2c13f5dfd522f1c932d6fa21919ab63f159fe55473a172212aee328f5b

SHA512
48ed020a44f30b132536ea7a0cb677f0788483e106f556dc07b61a71efca73f8c04b90c12c64a061666c62db4dba102fd028ac2004808309c5ee3c79b40eff3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA430.tmp.EXE

Filesize
580KB

MD5
36138cf598785bc29e02f332043e66af

SHA1
0a030c252c705bcd51b9f28aad2ccb2ad3fa7d12

SHA256
73e21ee7c6a397571ca29eeb563bf12caa7bd5166a6aeb6c9d1b0b6ad81c4235

SHA512
c281bcb7fd215ea69693c02779aa500a7a627e814cb25246d8c08aaf8e6b172d8285df702254a05b637ede34ab4a5ab8601df5487c90d73b56fa5f775f8958f8

Download Submit
memory/2944-20-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download