bb7269b0d1079ec4667d1ed3393ee55a73f01d15046ce7901242153475055585

Analysis

max time kernel
142s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
Size

902KB
MD5

b46db41307407ed8ad54921a7f6884b3
SHA1

12fdc0ade33bdf82be86521553f45149b8873004
SHA256

bb7269b0d1079ec4667d1ed3393ee55a73f01d15046ce7901242153475055585
SHA512

033ec24963e25117317e5c2940a283f0e55307b3718b9a31213b025bd3303df2fa51c4c864e3256a6d772ff7b1dfd161aa8df66fc59517f40b3acc35afcc4965
SSDEEP

24576:Thsrzr6dIwlgVsO5WZaonb5daKrYxZ3wD:ThswxfkAraK0n6

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	tf0.exe

Executes dropped EXE 2 IoCs

pid	Process
3528	tf0.exe
3348	setup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023615-4.dat	upx
behavioral2/memory/3528-7-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3528-44-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tf0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3528	4556	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe	92
PID 4556 wrote to memory of 3528	4556	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe	92
PID 4556 wrote to memory of 3528	4556	b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe	92
PID 3528 wrote to memory of 3348	3528	tf0.exe	95
PID 3528 wrote to memory of 3348	3528	tf0.exe	95
PID 3528 wrote to memory of 3348	3528	tf0.exe	95

C:\Users\Admin\AppData\Local\Temp\b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b46db41307407ed8ad54921a7f6884b3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\tf0.exe
  "C:\Users\Admin\AppData\Local\Temp\tf0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4512,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.log

Filesize
476B

MD5
84e937472bce01463414b0734adfd4c4

SHA1
9e2970548ec898fd4a8af19949fd4372b3f9d0cc

SHA256
78f89af74e0bed2b9e500060025edc9313a8fc456e0ca3b2f432abb459f1b39b

SHA512
2126696feb4d8d54bad88fdef26f3b9c27d0595550b715e848566afa22b938eab3734475e3a4a9f5b285f0913bc2a8bf15f4cc7b000590c084f3bdf5a110b1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
87KB

MD5
e1bdde9c571f9a77306be76cf524fea8

SHA1
6db952be9436329cf1b02cf23ed3217d6385db51

SHA256
885d435cea7a324a9f2394c6eafd6b81f9ee5ea4312993147e11f1681ed170e9

SHA512
3894733be93c3b4874b28eee8fa701a4b9fa112c772c17b0abaae9947d68c17621734db221ea11aa04762e841115c92da052e02cb6bd77dd0f38013b73c41cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tf0.exe

Filesize
837KB

MD5
1d983ced0f8fa9592269637a063cecdd

SHA1
16a8752024874d6d406f08d44e189577692b0536

SHA256
d02068961f5c0a6fd1e7c34b74a3cd8ffe4ce670f8e8109ad293e99201afb852

SHA512
08301cd8e015c526460c24b07447b12f45100a0a466b78c17ecbb2fc36ffc92df473c3cdd3b209393b15ac797ee619eba3449a07f3d7c9f76774ca931c67aaa9

Download Submit
memory/3348-45-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3528-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3528-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4556-43-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download