9b3c1ea6879dae39dd688b0d21bb1649b46fa813c7b06729c5b3f318f5592dd5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 15:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d241e75b0cf4206723b436e31ce2008f_JaffaCakes118.exe
Size

98KB
MD5

d241e75b0cf4206723b436e31ce2008f
SHA1

67dcebf6f8db41f940bbbe8dde289a1515b6977c
SHA256

9b3c1ea6879dae39dd688b0d21bb1649b46fa813c7b06729c5b3f318f5592dd5
SHA512

172d0bcf2118af0a42ef0b5fffd7632440e3543c6f4d7fbe13d03fd5e1bf6fe1c2eaf603d8905e360cf05d5dfc6f46e384f36c9e38c1e382faefd24a34cf6d2b
SSDEEP

1536:K8Xxqb8dZo2dykXZLC5/EMEdIbYLo7cIJXw09TVMmy5TsRJ3kAPiihxuC6yq4mM:AAdZoeysRYcdPLG9Bw4MmATqkjIDx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	d241e75b0cf4206723b436e31ce2008f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d241e75b0cf4206723b436e31ce2008f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2636	1068	d241e75b0cf4206723b436e31ce2008f_JaffaCakes118.exe	86
PID 1068 wrote to memory of 2636	1068	d241e75b0cf4206723b436e31ce2008f_JaffaCakes118.exe	86
PID 1068 wrote to memory of 2636	1068	d241e75b0cf4206723b436e31ce2008f_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\d241e75b0cf4206723b436e31ce2008f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d241e75b0cf4206723b436e31ce2008f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Mjp..bat" > nul 2> nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mjp..bat

Filesize
238B

MD5
e9a908afec2277860cb1aae4a11cf98d

SHA1
781348467978b3d049f793ec510cf6c1877dbcfb

SHA256
822e9cd41148033b46629fab5bf143f94b717170ef64efa992b8e439df706896

SHA512
fdaeba1652c1a0ed05eea0f23c27c560a1d7df9b2d62fe3f82187112276902b1f00ff38a6f41ea5e42460a7d862b6f95cd81c2f1e4951cdd542e19c39d010f4a

Download Submit
memory/1068-0-0x00000000021B0000-0x00000000021DD000-memory.dmp

Filesize
180KB

Download
memory/1068-1-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1068-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1068-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download