30960433f2998c30b8c6469f98c02f2893ff0df494cb9f904d48324653177bdd

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe
Size

105KB
MD5

d3ad1ecc7fe80f49e5c32f11d148697d
SHA1

0c7f50917b96e4d6cd791ae61cb95a7b5f7b479a
SHA256

30960433f2998c30b8c6469f98c02f2893ff0df494cb9f904d48324653177bdd
SHA512

7ad498f6b8b31252d92a50d7068f59d34aeb2ef954cc2e4b611a8a75c07e3ccd5380ce1e38e9f0aa6cfaa4ba9160a451600affb53ec39ce567934f00610c414e
SSDEEP

3072:3ZlsN/vCtko2SYgnZoRHdrHx5GXBwLWNIz:JlsNJo2ShZoldrPGXB5Iz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4908	GB1DC-tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GB1DC-tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 4908	2512	d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe	84
PID 2512 wrote to memory of 4908	2512	d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe	84
PID 2512 wrote to memory of 4908	2512	d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe	84
PID 2512 wrote to memory of 4796	2512	d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe	87
PID 2512 wrote to memory of 4796	2512	d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe	87
PID 2512 wrote to memory of 4796	2512	d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3ad1ecc7fe80f49e5c32f11d148697d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\GB1DC-tmp.exe
  C:\Users\Admin\AppData\Local\Temp\GB1DC-tmp.exe http://creatonsoft.com/drv32.data "C:\Users\Admin\AppData\Local\Temp\GB1DD-tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\68XY2BI1\DJPMVR9D.htm

Filesize
1.6MB

MD5
27efc0770d042bc148ed00f1f95ff1e7

SHA1
7418df7ecbc4c23b805b17b238b89c54f2548c97

SHA256
ab92df33f95ee28a506cddd007dc0e6308a3ff441eb07c720e83478148ef2f9c

SHA512
be832a75a5b564bbbb88494f9e46510225f11d5afb812d296ebabe17923ab958849aeb06635e0d54f7a52d735f6f81b2430351b9cf63e4302e59231232ad3e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB1DC-tmp

Filesize
149KB

MD5
b433088a544ac4f2307108af859da646

SHA1
9ef08188ba1a20d2f0cb5a76435de75a11a57c14

SHA256
315ae503e54fc45b70f2c0c2567a9f40144f2ac0555f43be3e5106d2ca4da277

SHA512
db44bc16d5a97f9df662881070e32dcedf92d40658d42c6fd8b3efe26217100e4ca2b743c5243fd5ac81e98873cf7acad039d6b7de12ed9d13ee2df399166e3e

Download Submit
C:\tmp.bat

Filesize
50B

MD5
6185e113c0e4b4cf2b8914db0612a5fd

SHA1
8294f49c5a5e2512430fff51bd5cc34b801d8f98

SHA256
3906df457fedeadd7c608bef288ce5b37703c740ed0982571b76dfc8cc1f1958

SHA512
123383bec7f8e6bf6b60d794e72e92c4ecc60e88ca064a8b5ba425021b6fac3ec9c383100cd50d52771fdf589f9dd9fb8a262f16092b185ed1e4bc822d55b9c6

Download Submit
memory/2512-0-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2512-32-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/4908-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download