d0a57a81ef1bc1c9759ef78934684820a368b912e3ca880ac79a50a8db8e3cb9

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 13:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe
Size

383KB
MD5

cfabfe42c6e3848783d21ae723e7420f
SHA1

3e24471ca6890d7cbf4f4ef5bea48b7cdcf6f5c5
SHA256

d0a57a81ef1bc1c9759ef78934684820a368b912e3ca880ac79a50a8db8e3cb9
SHA512

e9c69df6a6148336fe4ada448587aa17c917692eb28ab60c414727a9804790a58a34dd9ca1f9bb7f0e925a13ad3b0778c8a088e8f0dc8e49eac573fd9cdabd77
SSDEEP

6144:oZuuObR8sVImcyYgWxJU/I7UwdB3G94XBFez6StX3Sm39QJ0Dsp2nA8c6mPmwh3:PV+mzIVbFez6SlGiTeWE3

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 5048	3076	cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe	86
PID 3076 wrote to memory of 5048	3076	cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe	86
PID 3076 wrote to memory of 5048	3076	cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe	86
PID 5048 wrote to memory of 320	5048	mshta.exe	88
PID 5048 wrote to memory of 320	5048	mshta.exe	88
PID 5048 wrote to memory of 320	5048	mshta.exe	88
PID 3076 wrote to memory of 4680	3076	cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe	90
PID 3076 wrote to memory of 4680	3076	cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe	90
PID 3076 wrote to memory of 4680	3076	cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe	90
PID 4680 wrote to memory of 376	4680	mshta.exe	91
PID 4680 wrote to memory of 376	4680	mshta.exe	91
PID 4680 wrote to memory of 376	4680	mshta.exe	91

C:\Users\Admin\AppData\Local\Temp\cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfabfe42c6e3848783d21ae723e7420f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" "javascript:new ActiveXObject('WScript.Shell').Run('Devourer_3.0_2202223931485.bat -Open',0);window.close()"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Devourer_3.0_2202223931485.bat" -Open"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:320
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" "javascript:new ActiveXObject('WScript.Shell').Run('Devourer_3.0_2202223931485.bat',0);window.close()"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Devourer_3.0_2202223931485.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Devourer_3.0_2202223931485.bat

Filesize
286KB

MD5
0c8cf67991456280feb797f2d47295f6

SHA1
fc5819fa8f39ae5904c22a254ee269798fbf465e

SHA256
bb430e977ade78e1d0fdddd6ead35c12666f8e2d8495dc45ab1b4a17681b4ded

SHA512
d57243a98c5de36723f0dd19162d1afae4c430f0470beb9ee80231d79190f2cf79e02477733f7b4f3179072e0c26da4b02f0098102eb2592d757c0baf209e0c4

Download Submit
memory/3076-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download