029bab9aa5f01fe00cb221a516f1764e7f1b8e72d98208fcaa8750dd92bb2abd

Analysis

max time kernel
136s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae14db66cd71b6ba57b07a509f9258da_JaffaCakes118.exe
Size

50KB
MD5

ae14db66cd71b6ba57b07a509f9258da
SHA1

5fcedd3993f8e5004aa68067fe52b7e9b614ca0e
SHA256

029bab9aa5f01fe00cb221a516f1764e7f1b8e72d98208fcaa8750dd92bb2abd
SHA512

baf20614ffb33665ecf04514d47fb3eb009718bf41f4e2d9dc4261b7c4c53dea2a40b3a9f512b634cc77deea9663056228ea2fb9b10abce75ac932205a1e4261
SSDEEP

768:LepHpvCRuviPuvvaVeRMFhMN/L+9n53W+oof/Xox/FEA:qpHpvs5wvaVeR0aVL+qLuoP

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ae14db66cd71b6ba57b07a509f9258da_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4008	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae14db66cd71b6ba57b07a509f9258da_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4008	4844	ae14db66cd71b6ba57b07a509f9258da_JaffaCakes118.exe	84
PID 4844 wrote to memory of 4008	4844	ae14db66cd71b6ba57b07a509f9258da_JaffaCakes118.exe	84
PID 4844 wrote to memory of 4008	4844	ae14db66cd71b6ba57b07a509f9258da_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\ae14db66cd71b6ba57b07a509f9258da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae14db66cd71b6ba57b07a509f9258da_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
50KB

MD5
77776b356b275759a4517fa8a9e468d8

SHA1
a1b584755a0f77a023e5c716f44cadaca60ce19d

SHA256
861903a77529c0f9ff109eb40bd1c9972e14f30ad23ea4386bcca5cdb60e7c99

SHA512
296bb17b4b8952cdbea8f452fcdae5d9d0b9276ccaf518703f0b42874ccd4aaeae6184ad7222b02a80651ed5c52336a9a90a75cef3c21d0a65b80d2f182893f5

Download Submit
memory/4008-12-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/4008-13-0x00000000026A0000-0x0000000002AA0000-memory.dmp

Filesize
4.0MB

Download
memory/4008-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4844-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4844-1-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4844-3-0x0000000002600000-0x0000000002A00000-memory.dmp

Filesize
4.0MB

Download
memory/4844-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download