55b5295c2ed6606ce5fee474e8bd1cfff37bb370ac1f0104bd6fcececcec3e79

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce727c3a654fa61e158612da6641be31_JaffaCakes118.exe
Size

14KB
MD5

ce727c3a654fa61e158612da6641be31
SHA1

fb440353e308a5d1af52f4db3c8f7887291338c7
SHA256

55b5295c2ed6606ce5fee474e8bd1cfff37bb370ac1f0104bd6fcececcec3e79
SHA512

6cbdc7d3fcac46b577a80ab4aaf00bd3a35309394e5a21a22a4d77b82bea01fb4f8f0affdf68bef53c9bb8991b39018eeff38ed14122dd97b5cdd0c475851ec7
SSDEEP

384:aI0xK3JYm8q+G80La8uYFZzy4QWxQz+wZ:4xEum8U80iaRBzi

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	ce727c3a654fa61e158612da6641be31_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
4824	ce727c3a654fa61e158612da6641be31_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001e553-1.dat	upx
behavioral2/memory/4824-3-0x0000000071000000-0x0000000071010000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2500	4824	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce727c3a654fa61e158612da6641be31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 3624	4824	ce727c3a654fa61e158612da6641be31_JaffaCakes118.exe	95
PID 4824 wrote to memory of 3624	4824	ce727c3a654fa61e158612da6641be31_JaffaCakes118.exe	95
PID 4824 wrote to memory of 3624	4824	ce727c3a654fa61e158612da6641be31_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\ce727c3a654fa61e158612da6641be31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce727c3a654fa61e158612da6641be31_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 260
  2⤵
  - Program crash
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240631265.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4824 -ip 4824
1⤵
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240631265.bat

Filesize
269B

MD5
f227d8c064843efff0c7b74dc2f7786f

SHA1
47eed0ebfd8c368d8d6fe14273ca204ee77727b4

SHA256
b1c2467987069ea0357a7b97fd90143980bc59acc352f26211de88da854899d4

SHA512
b4f0f0eabc731f11ea9f17e8d1a6802f36c893b425bb92243a811979be7ec68682f0cbe876588b2e13c35af0b10a37d2532db508ae7375b75ad17a5d355b3de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll875.dll

Filesize
21KB

MD5
8244b3ddf32e68f50b0be9b779dc7a12

SHA1
99b96b820c77db05eb6348e3ef273fb4ad9b2526

SHA256
1d7b2e7cf658191342abb4e58b60c9c6c9e405166b84f322c736f8c41bc461d8

SHA512
1aef14217460e9a041952c3ff7f80fe3f1263e46b3c1725db49d7f5e468979e3fbeb9c20eebbe7d1868b75d9eb911d2f441413309dec43e1e9e0410732400118

Download Submit
memory/4824-3-0x0000000071000000-0x0000000071010000-memory.dmp

Filesize
64KB

Download