2f59b5053d4faae2414c7af5917df492145016484000485bfbb6a83ed7935f61

Analysis

max time kernel
141s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe
Size

8KB
MD5

837703e662944ec5b5e869d6ad4f0063
SHA1

5a99d4bcf76e6e11dff2ae7e86f71a026509f28c
SHA256

2f59b5053d4faae2414c7af5917df492145016484000485bfbb6a83ed7935f61
SHA512

7997ed048e82357fbbba7134d7bffceeb3703dedbc98cbd1969ec8f33d28c5ac31b7c50be8be21b5c8f5ab5b6e6fae82d79e26eb0e6fb45fd2b369c8489fa270
SSDEEP

96:3jrxEyFlnpkGd3aabLXKWxM/paKEiYzusDuAkPLiUmeFKOeO9XWLOb2D0gcC:3R5Fhp8cdwpHR3AkPLiM79mLU2PcC

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 2592	4444	837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe	92
PID 4444 wrote to memory of 2592	4444	837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe	92
PID 4444 wrote to memory of 2592	4444	837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe	92
PID 4444 wrote to memory of 3472	4444	837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe	96
PID 4444 wrote to memory of 3472	4444	837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe	96
PID 4444 wrote to memory of 3472	4444	837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\837703e662944ec5b5e869d6ad4f0063_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\batfile.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
1⤵
PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4AB0.tmp\batfile.bat

Filesize
97B

MD5
6499570179cede0a97e0ed0a58eb7160

SHA1
58ce4300d6eef5cebfbc1d54883255c66a201f60

SHA256
9e4048a53a7128105380165ff6cd7acad543adfb635f1433403e0465c959e3f9

SHA512
d37903b6de6f5bcaae236ce9307f78eff0855eac7a773e602a67f6ac984682ad9f0c70582b0be9b72eff062271130831ac5f611601cffdf4adb23cf873ea590a

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
183B

MD5
b22964312888cb08de23d922244c464d

SHA1
6908dfbc8f026e2b047ac674bcddbccf50b8f430

SHA256
bd762e243e79c5c6d13eb51eed745f44eb4248e61960cf3790087a779350af2a

SHA512
33b215463acba172abcb2600d096651eb1562cc11eb59910cefb043f42732af304deb1b08f8a84166a75c75f0659d9b82d7fff33d41b9fdd3780bc958e4b58cb

Download Submit
memory/4444-0-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4444-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download