b152f7bd3eb844c0df044a72c44b83f6a01ec7cab3a4ede1e3e8053554498031

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

824199573c216eb291634340682e673e_JaffaCakes118.exe
Size

93KB
MD5

824199573c216eb291634340682e673e
SHA1

4bebc107a323cd17cc1b70b3b4ae804c7fb09ba5
SHA256

b152f7bd3eb844c0df044a72c44b83f6a01ec7cab3a4ede1e3e8053554498031
SHA512

ee2f7a2f67c730eb111e1d27d0ee879558473197b0a44b57cc6c62f6b278445e58e1487e13ce62bf87260b5b709daefe5ab031fcea452ce7bd3bdb619adfe43d
SSDEEP

1536:JcHB9bZy2vYmcPBEbnm3o7Wxwh+2qIZv4eVLSwl:JcHB9bZyGcPBEbn/7JhDweJ5l

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\Control Panel\International\Geo\Nation	824199573c216eb291634340682e673e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2516	fffffffffffffffffff.exe
3656	fffffffffffffffffff.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 3656	2516	fffffffffffffffffff.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	3656	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	824199573c216eb291634340682e673e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fffffffffffffffffff.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2516	1072	824199573c216eb291634340682e673e_JaffaCakes118.exe	86
PID 1072 wrote to memory of 2516	1072	824199573c216eb291634340682e673e_JaffaCakes118.exe	86
PID 1072 wrote to memory of 2516	1072	824199573c216eb291634340682e673e_JaffaCakes118.exe	86
PID 2516 wrote to memory of 3656	2516	fffffffffffffffffff.exe	87
PID 2516 wrote to memory of 3656	2516	fffffffffffffffffff.exe	87
PID 2516 wrote to memory of 3656	2516	fffffffffffffffffff.exe	87
PID 2516 wrote to memory of 3656	2516	fffffffffffffffffff.exe	87
PID 2516 wrote to memory of 3656	2516	fffffffffffffffffff.exe	87

C:\Users\Admin\AppData\Local\Temp\824199573c216eb291634340682e673e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\824199573c216eb291634340682e673e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\fffffffffffffffffff.exe
  "C:\Users\Admin\AppData\Local\Temp\fffffffffffffffffff.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\fffffffffffffffffff.exe
    "C:\Users\Admin\AppData\Local\Temp\fffffffffffffffffff.exe"
    3⤵
    - Executes dropped EXE
    PID:3656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 220
      4⤵
      Program crash
      PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3656 -ip 3656
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fffffffffffffffffff.exe

Filesize
62KB

MD5
efdbde7f0750d45fa352113cca7ba086

SHA1
130cbf530c510e7a2fe5acb50df9d35494f4c558

SHA256
2b212556f61791c99e5b6bd446ba9aefc7aa7e85d63154fd9ba83d6f96c0c25f

SHA512
0ec5657d260e655cdeeeca267cbb666440b0c6f9b19196681f50e06ef042858cb7a592117ca7707a1ebefaf5ee58e9e63cd8afd3d70e66cf6bb022ade5d93127

Download Submit
memory/3656-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3656-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3656-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download