b812ceb9eb6693551a7ff8978c6066cc563340531f815ac38f34696a82b997d1

Analysis

max time kernel
140s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 18:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

60e535fb4fa0da9ad6925ea08b36b351_JaffaCakes118.exe
Size

146KB
MD5

60e535fb4fa0da9ad6925ea08b36b351
SHA1

d3c9dcc9a1dde52dabd088cd31f4adf03aebee5e
SHA256

b812ceb9eb6693551a7ff8978c6066cc563340531f815ac38f34696a82b997d1
SHA512

06b4dbd6f38e4942c950f6df6da4092405123a4c96bdebbec4016b1f3efc0a6fe53e980e1d2269cea60a64d72e04cba519a36a6244ab9b27f57c3bb029bd1aea
SSDEEP

3072:T6+O+RsMr4xwT+I0WRCIjTYCobhsX0vlJRcWYc+qFrayvuXIMufolY:T6T+Rdr46+lNCoQ2/Bmqrayv/oO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	60e535fb4fa0da9ad6925ea08b36b351_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4800	2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\2.exe	60e535fb4fa0da9ad6925ea08b36b351_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2220	4800	WerFault.exe	84

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1652	60e535fb4fa0da9ad6925ea08b36b351_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 4800	1652	60e535fb4fa0da9ad6925ea08b36b351_JaffaCakes118.exe	84
PID 1652 wrote to memory of 4800	1652	60e535fb4fa0da9ad6925ea08b36b351_JaffaCakes118.exe	84
PID 1652 wrote to memory of 4800	1652	60e535fb4fa0da9ad6925ea08b36b351_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\60e535fb4fa0da9ad6925ea08b36b351_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60e535fb4fa0da9ad6925ea08b36b351_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\2.exe
  "C:\Windows\2.exe"
  2⤵
  - Executes dropped EXE
  PID:4800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 224
    3⤵
    - Program crash
    PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4800 -ip 4800
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2.exe

Filesize
128KB

MD5
8176379d3a0efa9de7be3be8f60bd3c2

SHA1
a02c5f78e0773c43c874f0520978f8f0090b6928

SHA256
a6a2e99504faa0cb5270964cb3e518eaba3c29d2011d601098e7a87c54118864

SHA512
c447dc9c93e350fc6d9f47cdac7f9ddd00491cd6771477ad88e09fcde56f6b653cbfd8d7043a1b199f17aeb827f9138ba348387d484c5bb24ae25b1a3ba039af

Download Submit
memory/1652-0-0x0000000000400000-0x0000000000426200-memory.dmp

Filesize
152KB

Download
memory/1652-11-0x0000000000400000-0x0000000000426200-memory.dmp

Filesize
152KB

Download
memory/4800-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4800-10-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download