Analysis

  • max time kernel
    84s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/08/2024, 09:35

General

  • Target

    c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe

  • Size

    967KB

  • MD5

    c07392e48322e4efde24d759d27262f5

  • SHA1

    b1c17d7a9ee01164f79aefbab2d9d792648136b1

  • SHA256

    517dc10df7fda0b7334a76c8e34d638562f32f724e45f8f8e91f7729c6c41f2a

  • SHA512

    9ae4e28ea9554801dbfb3ecc15e54c77bf085bc266338993939dcff797702747ab6b7c3a035bdcd145209d2cbf190f513ea07f175160c2d7127e9ddd9d306e16

  • SSDEEP

    24576:5tXCT35bEN60Yc/rMegvH6RK1aeGokgwH8:5KBtV6MjvH6RIrDC8

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nscBE22.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nscBE22.tmp/fallbackfiles/'
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\789.bat" "C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 1 -w 1000
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\789.bat

    Filesize

    214B

    MD5

    739fcc7ba42b209fe44bea47e7a8c48f

    SHA1

    bc7a448a7c018133edcf012bc94301623eb42c5b

    SHA256

    69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

    SHA512

    2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

  • C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\A8A835AC0247414D92C96EC2E92CE1E0_LogFile.txt

    Filesize

    9KB

    MD5

    833860e26b3f534723d959ea629b6bc8

    SHA1

    694111dc04e95081722cfe2e997db698051793e5

    SHA256

    4a5b2f001c920a5e04e242860391df15f6e78fd4d0b3d2a5f419a4d1636805c4

    SHA512

    6aa92e450d4517ceb3b03a2c321cd300d713109a8e9587348e5059363691058cb05c793b8dc2be7187329dee4c1d3a50ca61f0a8a61746896d70540092bcf50f

  • C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\A8A835~1.TXT

    Filesize

    124KB

    MD5

    0bad3d097a9fad0fc4281cf3ae1e1f3d

    SHA1

    1c0cd92bd5ca94fdd96b9bb8796bc5c663b49686

    SHA256

    0720ac35aad0076731a380aac1ed36552f74727368398dc50a5cc8021354841d

    SHA512

    0da321014b0805335f82e8c351ce4a132066ac641091245f9a5a60b899bff538bd0aab0a0f7820c51838c3b97a21346f256a0560c0d56c4df2396853a3ddb4e7

  • C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe

    Filesize

    1.8MB

    MD5

    77bfacca17ee1d89833b57f3a746d9a0

    SHA1

    aa9490c913489c5eafd02f67f875efcb56d23036

    SHA256

    38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52

    SHA512

    21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f

  • C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_icon.ico

    Filesize

    11KB

    MD5

    592abe695d3fb84c8a7589b0d2553a97

    SHA1

    d70d6de6fa25ca1924bd02b84075ee94f3870133

    SHA256

    ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0

    SHA512

    a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

  • C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_splash.png

    Filesize

    136KB

    MD5

    0a8589de904eec91522c276d896216c4

    SHA1

    58ba5e9158c3afa3c3112fe1e24567996794c07e

    SHA256

    496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55

    SHA512

    bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

  • memory/4496-268-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB