1e0091cbf9a90e8c811d6f5c570c6e5d13d28423b520c35a6eeb22b5d7e51f10

Analysis

max time kernel
132s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ce17c21270c0d34224ffce8f36d004_JaffaCakes118.exe
Size

52KB
MD5

75ce17c21270c0d34224ffce8f36d004
SHA1

3d648cde0023395163daf2ab209db6390f22785d
SHA256

1e0091cbf9a90e8c811d6f5c570c6e5d13d28423b520c35a6eeb22b5d7e51f10
SHA512

0dbcc7f08e325248b0e0ca33e75a7f0f237507f81d845996d565c8a3c5512a1d759b6fffa46873bafb4fdec700061ecfc12ac199a82d6b8e675699f1823f3733
SSDEEP

768:7CzzXxc/eKP5yHiRr4rdH1j44J6nUYuKt/SG1gUg7:Ozbxhm5RRrmH1j4qnc/31gb7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	75ce17c21270c0d34224ffce8f36d004_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
860	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
860	server.exe
860	server.exe
860	server.exe
860	server.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 860	2404	75ce17c21270c0d34224ffce8f36d004_JaffaCakes118.exe	87
PID 2404 wrote to memory of 860	2404	75ce17c21270c0d34224ffce8f36d004_JaffaCakes118.exe	87
PID 2404 wrote to memory of 860	2404	75ce17c21270c0d34224ffce8f36d004_JaffaCakes118.exe	87
PID 860 wrote to memory of 3460	860	server.exe	56
PID 860 wrote to memory of 3460	860	server.exe	56
PID 860 wrote to memory of 3460	860	server.exe	56
PID 860 wrote to memory of 3460	860	server.exe	56
PID 860 wrote to memory of 3460	860	server.exe	56
PID 860 wrote to memory of 3460	860	server.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\75ce17c21270c0d34224ffce8f36d004_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\75ce17c21270c0d34224ffce8f36d004_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
072bb1bc105201f1f544b81545e61cf1

SHA1
03680467c993baac75159a537c65ab522975e005

SHA256
ff419326409fa69ca50ebd1d99874dfdc110bdf949021ddb7f98957258ebe59a

SHA512
d50d20e03b407b1316333bb8aaabd92deac6c6338cff17f9f90611458a48119462138f8d2f379f3f92ca2fdf18d01edb6d1f7702290610f1eb35dd63baece314

Download Submit
memory/860-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/860-19-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/860-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2404-6-0x000000001CDF0000-0x000000001CE96000-memory.dmp

Filesize
664KB

Download
memory/2404-5-0x00007FFF80E60000-0x00007FFF81801000-memory.dmp

Filesize
9.6MB

Download
memory/2404-0-0x00007FFF81115000-0x00007FFF81116000-memory.dmp

Filesize
4KB

Download
memory/2404-4-0x0000000001A00000-0x0000000001A08000-memory.dmp

Filesize
32KB

Download
memory/2404-3-0x000000001C9A0000-0x000000001CA3C000-memory.dmp

Filesize
624KB

Download
memory/2404-17-0x00007FFF80E60000-0x00007FFF81801000-memory.dmp

Filesize
9.6MB

Download
memory/2404-2-0x000000001C430000-0x000000001C8FE000-memory.dmp

Filesize
4.8MB

Download
memory/2404-1-0x00007FFF80E60000-0x00007FFF81801000-memory.dmp

Filesize
9.6MB

Download
memory/3460-18-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/3460-21-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download