f3442220948be10ac6b5a0fc6b7d54e12ea5d93ed6ef8963ae927d9359df60d3

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe
Size

167KB
MD5

672743cfe4e8b7ab9d0d79e32165ff70
SHA1

783ec1a765c0d0e73fb0a382d57285bf1a7f9ce2
SHA256

f3442220948be10ac6b5a0fc6b7d54e12ea5d93ed6ef8963ae927d9359df60d3
SHA512

3af74958bc765a8bfa93437168df21ba44d8ac8a1b006ec15084dfe672f9dd57555f552446f729aa593b42f1bd987f700ac4e2c9418a59d1f24669b46ea55059
SSDEEP

3072:tVX+U5ON1N662FEsc9xLFepY5/zuiGpDXozm9x7Zy4yb4+Hosfbn:Y6/cvLEq5LuVpDlz7wzo4j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3288	msn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	3288	WerFault.exe	86

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 3288	3964	672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe	86
PID 3964 wrote to memory of 3288	3964	672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe	86
PID 3964 wrote to memory of 3288	3964	672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\msn.exe
  "C:\Users\Admin\AppData\Local\Temp\msn.exe"
  2⤵
  - Executes dropped EXE
  PID:3288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 468
    3⤵
    - Program crash
    PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3288 -ip 3288
1⤵
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msn.exe

Filesize
147KB

MD5
c02bdd7f5ddeeb62f1d63d90c0000134

SHA1
a46ac18bb69f7a6b864653a1f28ac4c3b6c0603c

SHA256
afac3fdc2f4ddb65a65b8fdf1b90c76ee5b482a0d854a38b87e9a29e89757dc6

SHA512
01841365baa1a171d5f577a0463f001f71a5a999ecd5f984bb6fa6a1016fccbac9e404d2ea93249f80a38cf074155a9850c99edd3a647b4dfefa221c0fa7cdcd

Download Submit
memory/3288-8-0x0000000000010000-0x000000000002E000-memory.dmp

Filesize
120KB

Download