ee88aeb6b0b48a5b4f0e72f47b45d47cf25a6e2765175f74639e6ea96cf62dbe

Analysis

max time kernel
126s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 02:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a0d653f4a2fa726a636b803d1ffeb07a_JaffaCakes118.exe
Size

96KB
MD5

a0d653f4a2fa726a636b803d1ffeb07a
SHA1

ce84d5af0ecf276b5ddc1963550cc58bf6a5bdf6
SHA256

ee88aeb6b0b48a5b4f0e72f47b45d47cf25a6e2765175f74639e6ea96cf62dbe
SHA512

08fe275aeea1e2d5141604c4bb9700e5f52e79b2b5d1c36b32b3b143888c1a4f1acdde1674de587136dbda39a2ae5bee6c60f0514bd6ee8bac016a032538b70f
SSDEEP

1536:dLTYC4IoMyToQVCkfhKBPlNd2c0VkCL9MDxiPt3aznPvf3CJM3gYZjm1:1T5eTogfUPlNd21VkCLSliwr9I

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	a0d653f4a2fa726a636b803d1ffeb07a_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
960	test.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	test.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
960	test.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 960	2212	a0d653f4a2fa726a636b803d1ffeb07a_JaffaCakes118.exe	84
PID 2212 wrote to memory of 960	2212	a0d653f4a2fa726a636b803d1ffeb07a_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\a0d653f4a2fa726a636b803d1ffeb07a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0d653f4a2fa726a636b803d1ffeb07a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Roaming\test.exe
  "C:\Users\Admin\AppData\Roaming\test.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\test.exe

Filesize
33KB

MD5
3c0a543b23355cd1c87dc19503421956

SHA1
e933e22f9dbf8cad3b619801bb4d847686bfac91

SHA256
068b71719f0f681d4aef65e73e7996e2c58f52b773493c59a5561321e9e6636d

SHA512
85fa92f8e091d3c5ff2c3a615863842dfc1fa9502aa23dfa80536b9110b872a930ba385c96a151aee4efac2b8d5b221b8ef80fbb7c6e3e520c8e261c00e3ed80

Download Submit
memory/960-18-0x00007FFBC6E20000-0x00007FFBC77C1000-memory.dmp

Filesize
9.6MB

Download
memory/960-19-0x00007FFBC6E20000-0x00007FFBC77C1000-memory.dmp

Filesize
9.6MB

Download
memory/960-20-0x00007FFBC6E20000-0x00007FFBC77C1000-memory.dmp

Filesize
9.6MB

Download
memory/2212-0-0x00007FFBC70D5000-0x00007FFBC70D6000-memory.dmp

Filesize
4KB

Download
memory/2212-1-0x000000001BAE0000-0x000000001BB86000-memory.dmp

Filesize
664KB

Download
memory/2212-2-0x00007FFBC6E20000-0x00007FFBC77C1000-memory.dmp

Filesize
9.6MB

Download
memory/2212-3-0x00007FFBC6E20000-0x00007FFBC77C1000-memory.dmp

Filesize
9.6MB

Download
memory/2212-4-0x000000001C060000-0x000000001C52E000-memory.dmp

Filesize
4.8MB

Download
memory/2212-17-0x00007FFBC6E20000-0x00007FFBC77C1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads