ae81aade7c386630977e933fb01185808c3d99b8f36d41f68a9eec574477149e

Analysis

max time kernel
145s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 09:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe
Size

29KB
MD5

670b7603e0735ffe60b79c980b560b43
SHA1

3a29b388f81180254cefd3fba21b1a15d640cb89
SHA256

ae81aade7c386630977e933fb01185808c3d99b8f36d41f68a9eec574477149e
SHA512

b121049fdba56598f515c4f7bf63bea6bee2f879f624ce720ab88a2c3b65f9b7cce2e75ad608729d516ef909a1ec6def0a01efb940c7065ad219b39684056a3c
SSDEEP

384:KZZZzKeMFrPKOakHXlXrK+y3FmfdC8TywvZlyzjXeh0ru5ESdUrbABWSG86VR:KZZZz5MG3X8TjvZlyzjTrwdoA9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	K4hostElSvc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\K4hostElSvc.exe	670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\K4hostElSvc.exe	670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\temp.vbs	670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 3796	1704	670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe	84
PID 1704 wrote to memory of 3796	1704	670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe	84
PID 1704 wrote to memory of 3796	1704	670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\670b7603e0735ffe60b79c980b560b43_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\system32\temp.vbs"
  2⤵
  PID:3796

C:\Windows\SysWOW64\K4hostElSvc.exe
C:\Windows\SysWOW64\K4hostElSvc.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\K4hostElSvc.exe

Filesize
29KB

MD5
670b7603e0735ffe60b79c980b560b43

SHA1
3a29b388f81180254cefd3fba21b1a15d640cb89

SHA256
ae81aade7c386630977e933fb01185808c3d99b8f36d41f68a9eec574477149e

SHA512
b121049fdba56598f515c4f7bf63bea6bee2f879f624ce720ab88a2c3b65f9b7cce2e75ad608729d516ef909a1ec6def0a01efb940c7065ad219b39684056a3c

Download Submit
C:\Windows\SysWOW64\temp.vbs

Filesize
399B

MD5
d7b283daabf0795298236756398341c4

SHA1
eb7381ddbab5cdcbcd793faaf90acbe16f0467e3

SHA256
7bda7f5c2a024115c33a3be7d2d307b9e8f23ca1ed0c47f25ffe82245f69c43e

SHA512
4d491681d605284b81f8cafbfb4f84d72dc76e12e833a4e4308e9283a9f75078e67453a6a92890a7e0d1b5624382f6fa8eb3c6c8331a99c16058305413c88278

Download Submit
memory/1704-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2284-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download