5c2455a73fe66c33bd63b44d6aa8df897a864961e903656d478152ab5f0c1e29

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240729-en
resource tags

arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe
Size

22KB
MD5

789916948f7f5cf6a5fac15ba5d24cee
SHA1

89e2634a8130b84fadc26901c3171e3673714d21
SHA256

5c2455a73fe66c33bd63b44d6aa8df897a864961e903656d478152ab5f0c1e29
SHA512

457656a08afedc45526bcf2672f86ebc2bad385b7e59f0c6272e468c6cb043d0f69a501e39aa1a163341dde805c727384dd2a3300748c7dde3d982ce48f75028
SSDEEP

384:yVbPoWFjWqg+QfHd9Xe4YuyOhhxFEOkrpEXwM81QInoKPFW5oQUVdfQbz:kbpFjz/aneo1xKO8EXleoKNWyhkz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation	789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3628	2412	789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe	86
PID 2412 wrote to memory of 3628	2412	789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe	86
PID 2412 wrote to memory of 3628	2412	789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe	86
PID 3628 wrote to memory of 940	3628	cmd.exe	89
PID 3628 wrote to memory of 940	3628	cmd.exe	89
PID 3628 wrote to memory of 940	3628	cmd.exe	89
PID 2412 wrote to memory of 4076	2412	789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe	90
PID 2412 wrote to memory of 4076	2412	789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe	90
PID 2412 wrote to memory of 4076	2412	789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\789916948f7f5cf6a5fac15ba5d24cee_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile1.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start DATA\Mini_vMac.exe DATA\hfs24M.DSK
    3⤵
    - System Location Discovery: System Language Discovery
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile1.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfile1.bat

Filesize
51B

MD5
674c62787d4997f5f74a43b731ad1bee

SHA1
7b36c6c91300a226a1916278c2c2f17ff1e8434f

SHA256
3cbe0d4c7781308bba00f4f86a2393e9f8ef99ca22cbc0cb099ce9aceea1b87e

SHA512
0a1aa2b4afb81c94d6dca225f973228908d11c2501202c7fc9e0bc22c49625a32ea5353e6c3dba0faf805bc3300ea4213342ee829bdaf11dbc82b97dd966ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile1.bat

Filesize
108B

MD5
97cf84fb6a711ab45f8dfcdbd17fd4d1

SHA1
8ffa3a6617cc027bf3c53dcda4037bcaa264755c

SHA256
6e484f53953f60b8815ce3a93ec6a6df03919802170553f644c96b0cd2db5418

SHA512
e9ced65e865995399c081722e9912d26d6d7b80133aaaa8d24a1339f20dd1e19ac48f5b595c8b0885566e8024aa992a5d52e85f76c0944c17382542bcc294a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile1.tmp

Filesize
206B

MD5
84c36935ddfd0dc5028683bbeb759a3c

SHA1
2f8cb46f5697e380b062837ce3cc9adf23638c38

SHA256
163d7fa34c218672a769015695d7fdec73dc8221dcc1ebbfd697ff9fe52d9e01

SHA512
053f56739320714ceb09c04ac728a896530be0e1f0a6eeb58ae970326f8fc91d074e51c8a10a8cdf8595876bcee7d7267e96996070c5ab0d387b795bf15c9177

Download Submit