Analysis

  • max time kernel
    96s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-09-2024 23:53

General

  • Target

    d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    d551d69690bafce20d6785ca09a212de

  • SHA1

    3bc295ab9dc3b2489110bd257b6a670fc0658bc8

  • SHA256

    187cbb78da4f5243104761c4915f9383ef0ace87c8afb0199e9cb8c99f46ffd1

  • SHA512

    a4084248936bc316ad6f5f49926bf1ef274c65c703677fa049bb8ad497deb84cadb5b93c98b16c3fdc1c91cd148a40c72353d109b13217c2ccf8ad375b743c4e

  • SSDEEP

    24576:bNA3R5drXad7+o0xab9qHt/2kybJdUc1jZFQYcHO6l1l:G5C7/0xK9U/2kybJX1jZ63Tl

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Users\Admin\e8948g1482\nqodgtlmm.exe
      "C:\Users\Admin\e8948g1482\nqodgtlmm.exe" nxujkrdul.xhc
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:372
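
The process tree above is what a detection engineer would key on: the submitted sample runs from %TEMP%, writes a second executable into a random-looking directory directly under the user profile, and launches it with an argument that names a file with a non-standard extension. The following is an added example, not part of the sandbox report or its tooling, showing how to correlate those observations over Sysmon-style process-create and file-create events. The events are constructed to mirror the report's tree; only the paths, PIDs and MD5s come from the report, while the timestamps, the first process's parent PID, the benign comparison events, the event field layout, the profile-subdirectory regex and the extension allowlist are assumptions of this example.

```python
"""
Correlating a dropped-and-executed binary over Sysmon-like events.

Added example; the events below are constructed to mirror this report's
process tree and are not sandbox output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# MD5s listed in the report for the two artefacts. Sysmon's ProcessCreate
# event can carry an MD5 in its Hashes field, so this is the cheapest exact
# IoC match to apply first.
KNOWN_BAD_MD5 = {
    "d551d69690bafce20d6785ca09a212de": "submitted sample",
    "a3e8113ff31e86152d4a384dab4ea102": "dropped nqodgtlmm.exe",
}

# Extensions a file-like argument may have without firing the rule
# (assumption of this example; tune to the environment).
COMMON_EXTS = {"exe", "dll", "txt", "log", "ini", "xml", "json", "bat", "cmd",
               "ps1", "vbs", "js", "pdf", "doc", "docx", "xls", "xlsx", "zip"}


@dataclass
class Event:
    """Minimal Sysmon-like event; the field set is an assumption of this example."""
    ts: int            # seconds since start of trace (constructed)
    kind: str          # "FileCreate" (Sysmon 11) or "ProcessCreate" (Sysmon 1)
    image: str         # path written (FileCreate) or executed (ProcessCreate)
    pid: int           # writing process (FileCreate) or new process (ProcessCreate)
    parent_pid: int = 0
    cmdline: str = ""
    md5: str = ""


# An .exe one level below the profile root, outside the well-known profile
# folders (heuristic; the report's drop directory e8948g1482 has this shape).
PROFILE_SUBDIR_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(?!AppData\\|Desktop\\|Documents\\|Downloads\\)"
    r"[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
FILE_ARG = re.compile(r"^[\w-]+\.([A-Za-z0-9]{2,4})$")


def args_of(cmdline: str) -> List[str]:
    """Drop the (possibly quoted) image path and return the remaining tokens."""
    rest = re.sub(r'^(?:"[^"]*"|\S+)\s*', "", cmdline)
    return rest.split()


def detect(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Run the rules in timestamp order and return (rule, pid, detail) findings."""
    findings: List[Tuple[str, int, str]] = []
    dropped: Dict[str, Tuple[int, int]] = {}   # lower-cased path -> (writer pid, ts)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "FileCreate":
            if ev.image.lower().endswith(".exe"):
                dropped[ev.image.lower()] = (ev.pid, ev.ts)
            continue
        if ev.kind != "ProcessCreate":
            continue
        if ev.md5.lower() in KNOWN_BAD_MD5:
            findings.append(("known_bad_hash", ev.pid, KNOWN_BAD_MD5[ev.md5.lower()]))
        # "Executes dropped EXE": the parent wrote this image earlier in the trace.
        drop = dropped.get(ev.image.lower())
        if drop is not None and drop[0] == ev.parent_pid:
            findings.append(("executes_dropped_exe", ev.pid,
                             f"written by pid {drop[0]} {ev.ts - drop[1]}s earlier"))
        if PROFILE_SUBDIR_EXE.match(ev.image):
            findings.append(("exe_in_profile_subdir", ev.pid, ev.image))
        for tok in args_of(ev.cmdline):
            m = FILE_ARG.match(tok)
            if m and m.group(1).lower() not in COMMON_EXTS:
                findings.append(("unusual_file_argument", ev.pid, tok))
    return findings


# Constructed events reproducing the report's tree (PIDs 4040 -> 372).
EVENTS = [
    Event(0, "ProcessCreate",
          r"C:\Users\Admin\AppData\Local\Temp\d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe",
          pid=4040, parent_pid=2000,   # parent PID is an assumption
          cmdline=r'"C:\Users\Admin\AppData\Local\Temp\d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe"',
          md5="d551d69690bafce20d6785ca09a212de"),
    Event(2, "FileCreate", r"C:\Users\Admin\e8948g1482\nqodgtlmm.exe", pid=4040),
    Event(2, "FileCreate", r"C:\Users\Admin\e8948g1482\nxujkrdul.xhc", pid=4040),
    Event(3, "ProcessCreate", r"C:\Users\Admin\e8948g1482\nqodgtlmm.exe",
          pid=372, parent_pid=4040,
          cmdline=r'"C:\Users\Admin\e8948g1482\nqodgtlmm.exe" nxujkrdul.xhc',
          md5="a3e8113ff31e86152d4a384dab4ea102"),
]

# Constructed benign comparison: a normal editor launch should stay silent.
BENIGN_EVENTS = [
    Event(0, "ProcessCreate", r"C:\Windows\System32\notepad.exe", pid=5000,
          parent_pid=2000, cmdline=r'"C:\Windows\System32\notepad.exe" notes.txt',
          md5="0" * 32),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:<24} pid={pid:<5} {detail}")
```

The drop-then-execute correlation is the signal worth keeping even without the hashes: a process that writes an executable and then spawns it is exactly the behaviour the report labels "Executes dropped EXE", and it survives a rebuilt sample with new hashes, whereas the hash rule does not.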

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\e8948g1482\nqodgtlmm.exe

    Filesize

    646KB

    MD5

    a3e8113ff31e86152d4a384dab4ea102

    SHA1

    28cabe6b57d14f6dd47a880c51bc9726d017989f

    SHA256

    d06ea150b0a83b9cf2ef63fdafc9e79a23bfa004c9f42d526499329e0ab1c977

    SHA512

    f34d79e3984e819c2e86e9b75c27985f7f4d8696bd3bf18447b697e127db3f76c707369336925ae941f95053d4e83d1684356d479be2295114d654bb24efb290