5f8067e2275a30dea6e5412b871eb08b6982b61ce5f52b6913664ab9f1bb2fa2

Analysis

max time kernel
131s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 21:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe
Size

965KB
MD5

87b4ff7171f46f3cd034df5477503527
SHA1

db807fa90dd23590757935b07cde276269ebc77c
SHA256

5f8067e2275a30dea6e5412b871eb08b6982b61ce5f52b6913664ab9f1bb2fa2
SHA512

c54e0f91cddb38ef19ba7fa9dc65e8f8f78e92a4b8c03e24d3b7f34f5b5c1beed81e43f7c8f1ca3bf36b3567e75e7286559fcd6e1f832bd600676db78f10a524
SSDEEP

24576:BwuFhCwUuqDluBMfEhJX3z5mKhwbLeIygA:jhxqDosEL3F/w+IA

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
924	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe
924	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
924	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe
924	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 3496	924	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe	87
PID 924 wrote to memory of 3496	924	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe	87
PID 924 wrote to memory of 3496	924	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe	87
PID 924 wrote to memory of 3468	924	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe	89
PID 924 wrote to memory of 3468	924	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe	89
PID 924 wrote to memory of 3468	924	87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87b4ff7171f46f3cd034df5477503527_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\smes\u.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\smes\u.bat

Filesize
44B

MD5
704efba1aee1454561da552dda430498

SHA1
d20fb96683f769eb9cef1b0a068bcba70aeab9c2

SHA256
80b08d35bd27636e0774ce35ab57306f76edc6a0f7058cb1f93733cdf88bf94c

SHA512
7e0c9ede686238703af4893af8842c05c48ab1681ae273b32d8085cf1a17aae946c0c823a0a418787522a551d684367259ff8203ebca6e4ec69b6ded95231bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr7204.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr7204.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat

Filesize
135B

MD5
1b7f36e8a3b33102cc555de3a7f4ce95

SHA1
452cfcc1ee7a48a82771590a6ee704eccc0d5b52

SHA256
41b98544dbce714a056e677beb162dae1de90f9848d8becf4ca80868fd9086ab

SHA512
2be176b7f7edda85e356aec4d4efe07244a2f6ca6b7b5d8e011426b6ebe997ec02f6b2b12f294b2103207bacf83e6489be29f946a603ea0d45f9e1e77322654f

Download Submit
memory/924-5-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download