fa8ffc661b7c40b7ae1a90c692202819f602af728e6845c05e26526ae16294a1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 12:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

63305a0c00e17dcf5020e8f0fad7e4af_JaffaCakes118.exe
Size

120KB
MD5

63305a0c00e17dcf5020e8f0fad7e4af
SHA1

c86bfa43ea85f58543d20696aff2351d5f9a8518
SHA256

fa8ffc661b7c40b7ae1a90c692202819f602af728e6845c05e26526ae16294a1
SHA512

789767bf15b51593d3f981138b1d1aac3bd77f86757c1aa7b8a47fbc1b3d4449fc26be0d61ba2ff894629b69f17c81000900af1de6acb790fbe7741aecd587e9
SSDEEP

1536:5kKjSb0xp2u61AJkPmqOQJCns3o6DR9WWHr+JAlFlGWGbDlN4/bGWIJB/mKEOc:5kPbF2JthWDRp+IbGWG+bXIJB+D5

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	63305a0c00e17dcf5020e8f0fad7e4af_JaffaCakes118.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2084-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2708	2084	63305a0c00e17dcf5020e8f0fad7e4af_JaffaCakes118.exe	87
PID 2084 wrote to memory of 2708	2084	63305a0c00e17dcf5020e8f0fad7e4af_JaffaCakes118.exe	87
PID 2084 wrote to memory of 2708	2084	63305a0c00e17dcf5020e8f0fad7e4af_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\63305a0c00e17dcf5020e8f0fad7e4af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63305a0c00e17dcf5020e8f0fad7e4af_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Jzp..bat" > nul 2> nul
  2⤵
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jzp..bat

Filesize
238B

MD5
ae9469a43491cffee4f1eb35d243c7eb

SHA1
7db70b6914fe486d68cef760a1ba21c86aa000ea

SHA256
c25af8633e7bd774eaaeff667b8ebc63d1c881da77d7f6f27e0e99b7f0238d63

SHA512
0ca4de31c6fd481a00aa11252a988166db6e0f9f837d82305a078af8ffd2b15e3ae683203dd3caf96a44ce96b825ecaaac549994ad7cde61b98a947bd8870d2d

Download Submit
memory/2084-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2084-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2084-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2084-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2084-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2084-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download