79eb63111e2c6eb6e67e2d19fea56ec5aedc760ffaa6ef0214b4e12b970f2b60

Analysis

max time kernel
140s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

644d0fed9674a7b1fdf88b137ff5a35e_JaffaCakes118.exe
Size

310KB
MD5

644d0fed9674a7b1fdf88b137ff5a35e
SHA1

ba33e6152f6c3ded466bfda9cb646a617f37679b
SHA256

79eb63111e2c6eb6e67e2d19fea56ec5aedc760ffaa6ef0214b4e12b970f2b60
SHA512

8c7ef9fd2317827f782a25262c519dc543c759b94925e44762bdb985ab40bd3076ce34754b7e4567bbd560a8782352508890107934f85bf306ca9e09de616c81
SSDEEP

6144:El9U+ckTNyvT3Ezzq7WmQWFmaQQg/7Re9FLd:EZpTNQT3SzQWmQomue7RQ9d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	644d0fed9674a7b1fdf88b137ff5a35e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	2152	WerFault.exe	85

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	644d0fed9674a7b1fdf88b137ff5a35e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 384	2152	644d0fed9674a7b1fdf88b137ff5a35e_JaffaCakes118.exe	87
PID 2152 wrote to memory of 384	2152	644d0fed9674a7b1fdf88b137ff5a35e_JaffaCakes118.exe	87
PID 2152 wrote to memory of 384	2152	644d0fed9674a7b1fdf88b137ff5a35e_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\644d0fed9674a7b1fdf88b137ff5a35e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\644d0fed9674a7b1fdf88b137ff5a35e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shell.vbs"
  2⤵
  PID:384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 2008
  2⤵
  - Program crash
  PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2152 -ip 2152
1⤵
PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Shell.vbs

Filesize
678B

MD5
f1d5e2d741e4308b3e18d0049f5c3e5b

SHA1
3b72478c73a278644db5972648c46f4e3ebfc3e5

SHA256
3d74d1aeafe5ffe6453e7e45ed7fba7a2f8b84d75b94028d5f3cfa016b9cd551

SHA512
f720d5d35fefee766ff6ec7f30bc2625515774918a9839196b178d9413fcd4eb6033bb90515b8b9880ec09f34820f8f49d1b530db779f7c70d962aac7327920a

Download Submit
C:\Users\Admin\AppData\Local\Temp\runshell.ini

Filesize
75B

MD5
c5bd446b009cafc868d818c73ae94330

SHA1
ba34e06c864fb9401b87beee91dd00985dead2d7

SHA256
fe1efa83f812b2886bfdaec252d75a09e98bb96c544a761727233909b3510846

SHA512
05494646acfae74736e7fd6dc7263e3379b685cd91eb012361df1521c4773b01824368dfcf384b2a661234c2d6944d17e468d83fdee9327d3ee844cc3af70606

Download Submit
memory/2152-7-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2152-8-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download