1a87da4a149ce9ab69b67000e6855182f4f1eede9864bad925eab6a85d13ff1e

Analysis

max time kernel
138s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe
Size

160KB
MD5

8ebe91c35cef43c0c54e02fe2029972a
SHA1

4327bcd62bcc7eed8db3565cd17fb21b2e6548df
SHA256

1a87da4a149ce9ab69b67000e6855182f4f1eede9864bad925eab6a85d13ff1e
SHA512

840f05a1d6ea611f538bc4dec7450b694793d0809ebe19f1affe1f78ca354f09bf97bd2e01a54aa1f0b0343f90a76c67fdf85e6a2d26c9709e9cab713851b5fe
SSDEEP

1536:aygV/7HPS70fbFkFRPxF6wDLJKIKgyg9bWGsXI4EshcEq:aygtjPO0BYnfLJKIKgyg9YFHxq

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3332	regperf.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regperf.exe	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regperf.exe	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ld100.tmp	regperf.exe
File opened for modification	C:\Windows\SysWOW64\ld100.tmp	regperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regperf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3332	regperf.exe
3332	regperf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2332	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe
Token: SeDebugPrivilege	3332	regperf.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3332	2332	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe	87
PID 2332 wrote to memory of 3332	2332	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe	87
PID 2332 wrote to memory of 3332	2332	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe	87
PID 3332 wrote to memory of 612	3332	regperf.exe	5
PID 2332 wrote to memory of 3480	2332	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe	88
PID 2332 wrote to memory of 3480	2332	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe	88
PID 2332 wrote to memory of 3480	2332	8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe	88

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ebe91c35cef43c0c54e02fe2029972a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\regperf.exe
  C:\Windows\system32\regperf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\8EBE91~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\regperf.exe

Filesize
68KB

MD5
710abb30c0459811648ec7399914a169

SHA1
53eeddb90c5333c19e819e27c8c9f8ff09acb6dc

SHA256
3698a5f489b56844ccbaa50a632eda896ac5563b6c0a7156e3561acdfe5cf274

SHA512
69499f4e38b5c56d6eff6a16af24a34bd7ab5bcdbd7278f2a84fc76a98316e7081d037f9e189a0c9f3127919f45b5d3f21b320703c034e689e991051fdf44b1a

Download Submit