aedcf3fbf86a541786a511b44fc21facd3882f457876d1bc52ee82e2411d1643

Analysis

max time kernel
142s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd9edcc0579c302dc9fb9989d32bdbbc_JaffaCakes118.exe
Size

13.6MB
MD5

bd9edcc0579c302dc9fb9989d32bdbbc
SHA1

c260ff5a05cac4e8f9da5610665ac7157304b860
SHA256

aedcf3fbf86a541786a511b44fc21facd3882f457876d1bc52ee82e2411d1643
SHA512

ec49ce02455636339c8669d193047bb79e533a8c7337299aeec1a47d0c9049d587a764d315a963285d72c621fb11ab7c7eaae7ada673eed04b3f94a9826fba62
SSDEEP

1536:ouFtmwvPkXVFGkAAPSLoeb+uP4OTry+DsMZaHZKGsX:o8t/3klF1Ab+aa+D7Qw

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	bd9edcc0579c302dc9fb9989d32bdbbc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	BXWxf.exe.exe

Executes dropped EXE 1 IoCs

pid	Process
4768	BXWxf.exe.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BXWxf.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4768	4512	bd9edcc0579c302dc9fb9989d32bdbbc_JaffaCakes118.exe	93
PID 4512 wrote to memory of 4768	4512	bd9edcc0579c302dc9fb9989d32bdbbc_JaffaCakes118.exe	93
PID 4512 wrote to memory of 4768	4512	bd9edcc0579c302dc9fb9989d32bdbbc_JaffaCakes118.exe	93
PID 4768 wrote to memory of 1668	4768	BXWxf.exe.exe	98
PID 4768 wrote to memory of 1668	4768	BXWxf.exe.exe	98
PID 4768 wrote to memory of 1668	4768	BXWxf.exe.exe	98

C:\Users\Admin\AppData\Local\Temp\bd9edcc0579c302dc9fb9989d32bdbbc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd9edcc0579c302dc9fb9989d32bdbbc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\BXWxf.exe.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\BXWxf.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\BXWxf.exe.exe" >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:8
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\BXWxf.exe.exe

Filesize
5.1MB

MD5
f5b7992b00bba055b091cfbf77448903

SHA1
96a0a0d23ddc60a1f9bac1a374184fe20271264d

SHA256
745bd9608670bd86263fd5839a15f0822e881dfc4c0b3a8fb61cfe9cce6bde28

SHA512
18d43c5f96f285333db98fdabf3b376000b5e8167954f48429dc21fb231e2aaa1f0ffa0785bcc0bc964a5d5aed27008a4a3a7e5b79cacb46e8890d1f6620ca22

Download Submit
memory/4512-0-0x00007FF9CE355000-0x00007FF9CE356000-memory.dmp

Filesize
4KB

Download
memory/4512-1-0x00007FF9CE0A0000-0x00007FF9CEA41000-memory.dmp

Filesize
9.6MB

Download
memory/4512-2-0x00007FF9CE0A0000-0x00007FF9CEA41000-memory.dmp

Filesize
9.6MB

Download
memory/4512-3-0x000000001C4F0000-0x000000001C596000-memory.dmp

Filesize
664KB

Download
memory/4512-13-0x00007FF9CE0A0000-0x00007FF9CEA41000-memory.dmp

Filesize
9.6MB

Download
memory/4768-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4768-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download