7fdaabb625a6180627b307a4f8d533c2eeceef480157c7067849cf20b09fddea

Analysis

max time kernel
134s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Size

2.0MB
MD5

becbe4f5100b858411dcb51e5719529d
SHA1

553c284d440a34fda1cc3772c98639267002c7a4
SHA256

7fdaabb625a6180627b307a4f8d533c2eeceef480157c7067849cf20b09fddea
SHA512

93c6d25789b7c9d26e5a191569d88cefe5c02f868a6088c2d1ec6d8ddd0643372ab25affaecfa6dc5406addf228d858d92fccbf5f487d2e03d312284423fe679
SSDEEP

49152:LV9yIArXjY4LjAs/p98gieBhDiY6Vt9TRAia2H1:n2jDLn/p8CwXVSia2V

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AeroAdmin	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
536	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
536	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3956	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
3956	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3956	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
3956	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 3956	536	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe	85
PID 536 wrote to memory of 3956	536	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe	85
PID 536 wrote to memory of 3956	536	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1264

C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe" s -sid 1
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe a
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AeroAdminLog.txt

Filesize
114B

MD5
8ba39c4400e7ae02f04a78ee662fc136

SHA1
c30f90133acdc2e92189b7034c394c0e55986534

SHA256
58f0d40a4822e486fa3f855a2e963fb75ae561acad1a6e0858d074e11367ff8f

SHA512
bd785b985e7776df1bda40d8d2b83b20a396e87bc809e986ce45a7c181a0fa5504e51143aa011dc1a87f487f0769fb1c8e2da35002f5b001ecafb39a3dde4bea

Download Submit
C:\ProgramData\Aeroadmin\config

Filesize
657B

MD5
dc1de55ff9a76ee24f6cdbe2d28d8a37

SHA1
d044cc6a20e71c39d779a8890b2da1a26a769ed1

SHA256
76bf7e29e288d4313c2be083b548b9f6c516dd008c37c46f1a6ce0f4632afc48

SHA512
9eaf117fca45fdbb01345637cf10115fa6516fb04ab3bd2680ebff0e8b8268a2ac8529bba0ca80ca67f280fe4182e602a5693f84a349957bff217ff9edad9808

Download Submit