49caadac601106fea44e5865d240e71989b737a27968cf07a585cb6aa7b506d5

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
Size

184KB
MD5

dd8b1b0b9002f34b6de1ce5795af7044
SHA1

21a258520bc8a5752bd301fdc30246e2d7b09cf1
SHA256

49caadac601106fea44e5865d240e71989b737a27968cf07a585cb6aa7b506d5
SHA512

291cdbd385222f9c5569b00446f2288db97a069c56de0f90bbc6e045d8630132a246dc1ce283350ee101a1e9b01a8e6edf4356b637768a0735d433d3b8bf4d28
SSDEEP

3072:6Xj0wZchwJVqMuS4OX0ggDDIotbJKbkrQa:azZ4wzZuS4OXRmDnbJka

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 1328	2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	85
PID 2040 set thread context of 3124	2040	svchost.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	svchost.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
1328	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
1328	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
2040	svchost.exe
3124	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1328	2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	85
PID 2000 wrote to memory of 1328	2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	85
PID 2000 wrote to memory of 1328	2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	85
PID 2000 wrote to memory of 1328	2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	85
PID 2000 wrote to memory of 1328	2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	85
PID 2000 wrote to memory of 1328	2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	85
PID 2000 wrote to memory of 1328	2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	85
PID 2000 wrote to memory of 1328	2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	85
PID 2000 wrote to memory of 1328	2000	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	85
PID 1328 wrote to memory of 2276	1328	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	86
PID 1328 wrote to memory of 2276	1328	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	86
PID 1328 wrote to memory of 2276	1328	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	86
PID 2276 wrote to memory of 2040	2276	cmd.exe	88
PID 2276 wrote to memory of 2040	2276	cmd.exe	88
PID 2276 wrote to memory of 2040	2276	cmd.exe	88
PID 2040 wrote to memory of 3124	2040	svchost.exe	89
PID 2040 wrote to memory of 3124	2040	svchost.exe	89
PID 2040 wrote to memory of 3124	2040	svchost.exe	89
PID 2040 wrote to memory of 3124	2040	svchost.exe	89
PID 2040 wrote to memory of 3124	2040	svchost.exe	89
PID 2040 wrote to memory of 3124	2040	svchost.exe	89
PID 2040 wrote to memory of 3124	2040	svchost.exe	89
PID 2040 wrote to memory of 3124	2040	svchost.exe	89
PID 2040 wrote to memory of 3124	2040	svchost.exe	89
PID 3124 wrote to memory of 1088	3124	svchost.exe	92
PID 3124 wrote to memory of 1088	3124	svchost.exe	92
PID 3124 wrote to memory of 1088	3124	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c run.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      svchost.exe
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\reg.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\reg.vbs

Filesize
292B

MD5
344f0e480669a6cfd147877470601f46

SHA1
64a32bcf575b29267f4d2f1f834ce9cb12640dec

SHA256
258def3e3c6d2f23d29a96209218ba58f40dbe644938452dcfc48fd113a7bea6

SHA512
cd06b8630ac28b936a041566a85dde8f1c799f3dae952540f8bd07845d81ec3dae2f58b12866c9e5c6fdc5357d2cf181e87e61da641f6b2bea46f6ffaa7ef700

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
11B

MD5
d1c56374fff0243832b8696d133b7861

SHA1
f4d236fdec2fd03914189c3b26e5cb0dfea9d761

SHA256
8e8eab0b4bfdc35c5f238935b81298e43970ee6818e9629d725297ebf03838a6

SHA512
e74cbfc425b9779b79dfb6b53dbf3d1451f9f35a766cc5167932b95c9bdb5288b65f9886fbdf3c3b180bf3a8360bfa1ef577b63e3443cae04b49e7ece433c452

Download Submit
memory/1328-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1328-4-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1328-5-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1328-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3124-16-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3124-17-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3124-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3124-22-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download