017f02862975a1e2f88a43ebc9a107b716e7d194cee020c917c31517f7f6db4c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91f537020640def88963039ee9c9c1b5_JaffaCakes118.exe
Size

306KB
MD5

91f537020640def88963039ee9c9c1b5
SHA1

829eb0589d04ebdb9747d3f2d42a3a6bfd2ebba9
SHA256

017f02862975a1e2f88a43ebc9a107b716e7d194cee020c917c31517f7f6db4c
SHA512

0185987c626097873ea844879ef1ec09ad0c5d490f03bfab77adafd148967de2dcbce2cdc3060f8f872c868b6baae1d0ce19c5b114a91beb881d1adeed7f7d1a
SSDEEP

3072:5oPvnYVRFnCXBWjmMJ6nlNoOjLe2Zr4B+0yPzub9/gfMPWXxyitRUJG0AS/cWXxR:ynnYXFCXBWjH6DoShZWyrW/gTnZqnZt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	91f537020640def88963039ee9c9c1b5_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1416	jj.exe
2108	jj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	jj.exe
2108	jj.exe
1416	jj.exe
1416	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe
2108	jj.exe
1416	jj.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1416	jj.exe
2108	jj.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	jj.exe
Token: SeDebugPrivilege	1416	jj.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1416	jj.exe
2108	jj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 1416	3832	91f537020640def88963039ee9c9c1b5_JaffaCakes118.exe	87
PID 3832 wrote to memory of 1416	3832	91f537020640def88963039ee9c9c1b5_JaffaCakes118.exe	87
PID 3832 wrote to memory of 2108	3832	91f537020640def88963039ee9c9c1b5_JaffaCakes118.exe	88
PID 3832 wrote to memory of 2108	3832	91f537020640def88963039ee9c9c1b5_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\91f537020640def88963039ee9c9c1b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91f537020640def88963039ee9c9c1b5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\jj.exe
  "C:\Users\Admin\AppData\Local\Temp\jj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1416
- C:\Users\Admin\AppData\Local\Temp\jj.exe
  "C:\Users\Admin\AppData\Local\Temp\jj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jj.exe

Filesize
65KB

MD5
76acd3a8c616628fcf95424d7ac7605b

SHA1
ffa098d020eb8fbe46f959e4a76a854a686c56d9

SHA256
b959ea63e028d8b5e4be635b0904765446cca2ae186b4488fe2deab5fd432fcd

SHA512
12aed311eb27e54617cea361f073797d4c4afa3145cfd6ebecf6accba44fe681ecc0b094540a91b483c69f63043d1c185202d8a50fc7ce865ce1247c461f0df2

Download Submit
memory/1416-26-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/1416-25-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/1416-22-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/1416-20-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/1416-18-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/2108-27-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/2108-23-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/3832-4-0x000000001CAA0000-0x000000001CB3C000-memory.dmp

Filesize
624KB

Download
memory/3832-10-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/3832-7-0x000000001CC00000-0x000000001CC4C000-memory.dmp

Filesize
304KB

Download
memory/3832-6-0x0000000001A40000-0x0000000001A48000-memory.dmp

Filesize
32KB

Download
memory/3832-5-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/3832-0-0x00007FF948015000-0x00007FF948016000-memory.dmp

Filesize
4KB

Download
memory/3832-24-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/3832-3-0x000000001C5D0000-0x000000001CA9E000-memory.dmp

Filesize
4.8MB

Download
memory/3832-2-0x00007FF947D60000-0x00007FF948701000-memory.dmp

Filesize
9.6MB

Download
memory/3832-1-0x000000001C050000-0x000000001C0F6000-memory.dmp

Filesize
664KB

Download