a7b2d37b5da9225c351f67330424ba596c30dbd7dc74cd89492ff6eba8747a9e

Analysis

max time kernel
133s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5d12e4eab8122fe69060b5292a2a932_JaffaCakes118.exe
Size

741KB
MD5

a5d12e4eab8122fe69060b5292a2a932
SHA1

30d9ac77e8c41ce3370c684f73d5b5ec93431fd0
SHA256

a7b2d37b5da9225c351f67330424ba596c30dbd7dc74cd89492ff6eba8747a9e
SHA512

32a04bbd5c81c460188f737a9592ce05ee276f41981e08a704aafd90f5fca26f33194de19a7eedadd1a044b6937846ac3f0fd47ac35ae59748c899391c83ce43
SSDEEP

12288:/430KrWkT5knhbOuL7ryfYqZx8QSuQ3euwiMEt82ROb2HYZuoU08crO2tkDjch23:/4khkSnhbh3bqZx8sQ3KiM+tRzHzoUtd

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	a5d12e4eab8122fe69060b5292a2a932_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1604	Downloader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5d12e4eab8122fe69060b5292a2a932_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Downloader.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\IESettingSync	Downloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Downloader.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Downloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Downloader.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1768	a5d12e4eab8122fe69060b5292a2a932_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1604	Downloader.exe
1604	Downloader.exe
1604	Downloader.exe
1604	Downloader.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1604	1768	a5d12e4eab8122fe69060b5292a2a932_JaffaCakes118.exe	85
PID 1768 wrote to memory of 1604	1768	a5d12e4eab8122fe69060b5292a2a932_JaffaCakes118.exe	85
PID 1768 wrote to memory of 1604	1768	a5d12e4eab8122fe69060b5292a2a932_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\a5d12e4eab8122fe69060b5292a2a932_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5d12e4eab8122fe69060b5292a2a932_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Downloader.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Downloader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Downloader.exe

Filesize
1.1MB

MD5
bce11944af81a6656c4d889e766ed0fa

SHA1
cdb2ab789e1c1faf3441c378a305fbe6a4ebdc55

SHA256
bd1338bd5f2256042b0aa4c8627e4ca199f70b68984fa02fc00588a722569500

SHA512
ec4acf04152d91945d75c7ee3485ae3ae2425325d6cc299087ac526570804cf1afd3c83c25312e7c32f12329f286a63a7d650577b650f6c11dd7dea2a4190d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\License.mht

Filesize
57KB

MD5
557a8fc97dcc4b234c22d525439b1f38

SHA1
26a231b1190cd869d1cef94f99ed6b3aea796301

SHA256
5701735de92ae626254b029aa900a02a114e515ddb85a837d8f4a11e77ea0752

SHA512
225ba1ec655fb90a31b6f22a9ba4a05426a1abd91c093988d6aec70a24372bca31df743c59702884a0d0f0c6f9951ef39e24b27db4da6f2344ec444e1580a5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\down_lang.ini

Filesize
1KB

MD5
ff74668ae138a8006c330e1014293e20

SHA1
d3cbc1dffaf770032d16294e7901a29ccf1f6ac3

SHA256
80862314aa540560f34f6fbabd660c3d711f5a3f3d815ae0f77f337b31d2dba4

SHA512
361eeae7738d213a05368a597e1a41a16863b71765490c6633ba84bba850afdc9adf1f504e99345432f52c503a85f4f65ad8d7777b1bc08314ffc88a9687b99c

Download Submit