2ebcc002e85c9594c1b06c496e824866089161477fe1c73f38ec3cbe88359906

Analysis

max time kernel
121s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f5ca5d824eed35080cf4c7769f847ff_JaffaCakes118.exe
Size

258KB
MD5

6f5ca5d824eed35080cf4c7769f847ff
SHA1

3bec3ed77a41453067b84a3ca7b4d71f5936a9de
SHA256

2ebcc002e85c9594c1b06c496e824866089161477fe1c73f38ec3cbe88359906
SHA512

ceb4a27482d2eaac4f6c3be474a89b993e409e2966ac51220976a7a97b085ad5770b59e000cc51235382e5a48e585417770475ddf5372da61896fa062f0e39ae
SSDEEP

6144:FucJpYeWHw9kzUTYnlSMfosaJb70nF+R3oPuTgjKuQ3:Fuc339ifuJ0nFPzQ3

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	6f5ca5d824eed35080cf4c7769f847ff_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	exe.exe
1572	rsclient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\exe.exe"	exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rsclient.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	exe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1572	rsclient.exe
2656	exe.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2656	1816	6f5ca5d824eed35080cf4c7769f847ff_JaffaCakes118.exe	84
PID 1816 wrote to memory of 2656	1816	6f5ca5d824eed35080cf4c7769f847ff_JaffaCakes118.exe	84
PID 1816 wrote to memory of 1572	1816	6f5ca5d824eed35080cf4c7769f847ff_JaffaCakes118.exe	85
PID 1816 wrote to memory of 1572	1816	6f5ca5d824eed35080cf4c7769f847ff_JaffaCakes118.exe	85
PID 1816 wrote to memory of 1572	1816	6f5ca5d824eed35080cf4c7769f847ff_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\6f5ca5d824eed35080cf4c7769f847ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f5ca5d824eed35080cf4c7769f847ff_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Roaming\exe.exe
  "C:\Users\Admin\AppData\Roaming\exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2656
- C:\Users\Admin\AppData\Roaming\rsclient.exe
  "C:\Users\Admin\AppData\Roaming\rsclient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\exe.exe

Filesize
34KB

MD5
b03a1d088010792fe3ab06a2a61196ea

SHA1
3367c9f077526c71ab10dce88998303078f5749b

SHA256
9b4768bbfe6076c8a88b5d26ca97372a459b8dbdd679468f63de9cd3833e3e13

SHA512
4213e1552a8eaab36c6daa1ca6f0f6984a2f3150468518b738fcb3621048839d2a2624589c5f4df23eede3828aa5a0ab61bdddd505dad314ef03c878d056f373

Download Submit
C:\Users\Admin\AppData\Roaming\rsclient.exe

Filesize
60KB

MD5
2a7cf13acb76bd371fc77250462deb7d

SHA1
1cec85761b0d62cf5da744adc2fb7c35a2934779

SHA256
787c9933b171b34f77439c729bea9cf121c4d1336c5f037f55bb42115efd286d

SHA512
161e315922983a9f729a972a1cb320f1762aff9d0708c68abaf559270ae409454af4496fd076c95ea219a3d9ca2794a0a934c6d4b539899617ff33f6638d8238

Download Submit
memory/1816-0-0x00007FFD160F5000-0x00007FFD160F6000-memory.dmp

Filesize
4KB

Download
memory/1816-1-0x000000001BEA0000-0x000000001BF46000-memory.dmp

Filesize
664KB

Download
memory/1816-2-0x00007FFD15E40000-0x00007FFD167E1000-memory.dmp

Filesize
9.6MB

Download
memory/1816-3-0x00007FFD15E40000-0x00007FFD167E1000-memory.dmp

Filesize
9.6MB

Download
memory/1816-4-0x000000001C4C0000-0x000000001C98E000-memory.dmp

Filesize
4.8MB

Download
memory/1816-29-0x00007FFD15E40000-0x00007FFD167E1000-memory.dmp

Filesize
9.6MB

Download
memory/2656-28-0x00007FFD15E40000-0x00007FFD167E1000-memory.dmp

Filesize
9.6MB

Download
memory/2656-30-0x00007FFD15E40000-0x00007FFD167E1000-memory.dmp

Filesize
9.6MB

Download
memory/2656-33-0x00007FFD15E40000-0x00007FFD167E1000-memory.dmp

Filesize
9.6MB

Download
memory/2656-34-0x00007FFD15E40000-0x00007FFD167E1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads