bbd6ab9b45768fc524009df808635974bead3e79d887de6fd73fc84ac9c7dac6

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe
Size

494KB
MD5

d144276564e42a5f6e5659c239c44084
SHA1

d9c984a7e14fb1a0286f60f9a48edd27c1b637b8
SHA256

bbd6ab9b45768fc524009df808635974bead3e79d887de6fd73fc84ac9c7dac6
SHA512

05a6e17c56d95cba81e44e8c93448e1f2c60db82213092f443a157a34bbc5528b0b75618544278b28886727cd81d4aadfacf2a9d88d273822f39ae7b3762f0d3
SSDEEP

6144:wWt1qBqBc0Agdj4Xz3c1OsOIZmwtweGUfT3w8M7pvi0hTaKohdS7b6l+RGY12Ak7:nt1qBKd24XdZmowMNCvi0TeXS71ZUAk7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	BiffBot2a.exe

Executes dropped EXE 3 IoCs

pid	Process
2000	BiffBot2a.exe
1792	TibiaBoT.exe
4872	BiffBot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BiffBot2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TibiaBoT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BiffBot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3864	d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 2000	3864	d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe	83
PID 3864 wrote to memory of 2000	3864	d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe	83
PID 3864 wrote to memory of 2000	3864	d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe	83
PID 2000 wrote to memory of 1792	2000	BiffBot2a.exe	85
PID 2000 wrote to memory of 1792	2000	BiffBot2a.exe	85
PID 2000 wrote to memory of 1792	2000	BiffBot2a.exe	85
PID 2000 wrote to memory of 4872	2000	BiffBot2a.exe	86
PID 2000 wrote to memory of 4872	2000	BiffBot2a.exe	86
PID 2000 wrote to memory of 4872	2000	BiffBot2a.exe	86

C:\Users\Admin\AppData\Local\Temp\d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Users\Admin\AppData\Local\Temp\BiffBot2a.exe
  "C:\Users\Admin\AppData\Local\Temp\\BiffBot2a.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\temp\TibiaBoT.exe
    "C:\Windows\temp\TibiaBoT.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Windows\temp\BiffBot.exe
    "C:\Windows\temp\BiffBot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BiffBot2a.exe

Filesize
321KB

MD5
8c7600127b2584dba97050fddc3cd1f1

SHA1
9fec0af2af8290c486395e065e3be8e385ebd3f4

SHA256
5d034b4e3eacd41bd7155498ff6a8cb0ac355b9bf2c7fc85870182da00dbac76

SHA512
80b56aace544503267f7cafc3da41b0b52c23f80e4555be92c66de0f743d1b6900df055c7f3d3abbe059c3094d9bae0c85db4391c8ac813a016127b727754495

Download Submit
C:\Windows\Temp\BiffBot.exe

Filesize
485KB

MD5
10dff69269aa2fdda505d37e93f2e190

SHA1
a8bba23298384539cdba3851178473dde14599cf

SHA256
dfbef6e1f4d8d04731bc3b5ac10fd75ee21240dd1328a7aa4c88f4188f62d109

SHA512
ce3e0eddf03be16816951569a9beb0bfefc6762ea66c9f57db6002042016d3b24e258f62a037ce4461808a7dbeafe6aade3fb7291c3ca74a037d4b64703dfe19

Download Submit
C:\Windows\Temp\TibiaBoT.exe

Filesize
208KB

MD5
548820d1a0f4aa38c43893cd41f15eea

SHA1
12c7bac058f67096ca12beb277603e13315b2ae5

SHA256
8e08c5b42d51af4e62a4b8cee5cb40766403e9daed8d92c42aa83a891268c813

SHA512
a996fec0cb5f44f57876beff582b35bb796b16f2a8d9b776b7ef9645f41c64e8a077646a8cf9142b9f165399e1af479a0d1605c6cf111c68d80fe77e222e2bfe

Download Submit
memory/2000-34-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download