ffccc382e7d1a080e8f88ac14465ca35ea9c6d4eda84d5c0d87553efd4a527ec

Analysis

max time kernel
148s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
Size

706KB
MD5

df830eb5080f62a3db751c9d52ba8988
SHA1

35d9240031ad0d1a854ad66990779bd6fc7fb956
SHA256

ffccc382e7d1a080e8f88ac14465ca35ea9c6d4eda84d5c0d87553efd4a527ec
SHA512

8c634f34184ab0c27e9f0d94d529e8e116916714b4213c499af482169198f855d49d3827ae9a29a5c64b8b36bfd2f9a7337ad55dd258a6365ac8b57e04927589
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspjf1UZImVU2YFox9we2a:gpQ/6trYlvYPK+lqD73TeGspaZDW2WGL

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1772	ScrBlaze.scr
932	ScrBlaze.scr

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\s18273659	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
File opened for modification	C:\Windows\s18273659	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
File created	C:\Windows\ScrBlaze.scr	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScrBlaze.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScrBlaze.scr

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5080	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
5080	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
1772	ScrBlaze.scr
1772	ScrBlaze.scr
932	ScrBlaze.scr
932	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 1772	5080	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe	92
PID 5080 wrote to memory of 1772	5080	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe	92
PID 5080 wrote to memory of 1772	5080	df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df830eb5080f62a3db751c9d52ba8988_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1772

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d5e7550f47e036389490aeeb91a2132b

SHA1
5559c30fe9bd507c52ee8a00cbba5e8db1506cb5

SHA256
84c968fc04baf4262fdb9bdd2ae818d73beafe0d38e69fc907b36e9202e0e336

SHA512
0775787e2d2512954617945a5a6a242539802014b3abde175cc38bf6e42cbf716dd58ecdb9200a4e247cacd625d9b4fe9cc1cc5128988f4ada4bd869152e8653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174

Filesize
471B

MD5
889dd76ae1cf8142dd6fa0951da93b92

SHA1
2cd978d0dac080b2dafcb1a4844f89df2d62d4af

SHA256
5f93b38339fd55325d70308316707c849f7200784871dfc03628327bdaee1812

SHA512
4b8dc9e4b7d141708f4203deec7f2f3cc2caeb4508433a79d90a77f80f021a4087eb041ee1672333ea8f36209d48914962848deed7d6091b3402bc6abb281d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F

Filesize
471B

MD5
848b5613282a5db0192b8598bc70578b

SHA1
dcc3a332827e1f0c902770051e36bcd1afc67ae3

SHA256
211d5b4509af876058debf19795fdc7588cf349a9fc81f28ab9ec4bb833b0e60

SHA512
049fd7f830345212ac8fda2b1b30721bcf0496a397fb6ab6b1a185694fa04e0cf0957b814b956334ab1491bd1c5884656bba1c4e78fb97297fbd18905fbb65d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635

Filesize
472B

MD5
7f711cb0ff9d05fd8e1aa8f8081fd717

SHA1
ea19a419db486cb779861f7a6dbc889c907b3bf8

SHA256
83ca3fbcaf1de9ab56ccbb4792992c617ae07656703c0569252acd99cce4103b

SHA512
11291257ab3eb4fe93b62c53a53a1d0f439f726d56b5ec1f48ddc61a4d0fb2ec24beee5d776824ef01914ff71b852aaa1d394682b753337992f3c57677321ea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
76dba3f73b711c74a9be6cd8f1a4bcf6

SHA1
ddcb1c061dfa3cefc8cb13f86bf54c1f715c2ec3

SHA256
6d7405242480ee0cdd1803d1cbd605e993221f29e8b9056b377c00d3b4c1bbf8

SHA512
3e30a4a6a77895fada469c9e67f3546138dabe0b43c6b46d801a5d5739d24fc2765ed644c3eb76d2ddf49dc8f112fad657f1f6341df8980e307d0ad68ca28f03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d8e24240e6b9ead2aec4c57818517fc0

SHA1
64de854dc083fd1ac6ddd8daeefcb47e5ee69d2d

SHA256
7f0ce4b2fc67714fe0fbff14cdaa3f3216de7c0026fc74c1c6410140f54f686a

SHA512
5bd0d382c26b4dc1ad9b6edde8dc76f71daf3f4be7511f21a9c91d08d591735c882a34dbd003749218f584558b10bcbd5e1be40bb31c883b80a72adbf712efdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174

Filesize
406B

MD5
28e80f21de682fb6bbfb721b935b1979

SHA1
c51c972e0d109c6a33e6fcb3fde425c6ee205640

SHA256
44636ec28f1db4290cb64f400036097cc82164b6e02cf657e3adf3b99bea7667

SHA512
0434fff333e96051d9caf9bc24886ae18525f57fcf6c3752bac52a26fa4ca7b3d7c13f8ef5a4cb954ef18d71daffd41a60aaca510b5c9704f697a3fbf27eb5af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F

Filesize
410B

MD5
4920867bd78d940e3d4cf7268d9653c1

SHA1
4880889218c40e2fff82f1e6b31966c04b79dcd3

SHA256
f7e656ed5821e2846fec9c64b13f682973277ed9d10b6007571fdf6d73f436ea

SHA512
edeab8c051d7e556421baf21323db7bbafc4ea506eba07159b7629ff7abb43638a4b37172dae88c91d941d9bbe3a53f035b163562bf2325c4f403a04a721e562

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635

Filesize
398B

MD5
b81ebda6b478f6c1a994e7ca976a6bc5

SHA1
779c427b9a2390ee56e3dc11bb81de944e93ac5c

SHA256
97acc3fff84b8892cdbfd358eb5e4f285f05e76a3b7538fd1c1e5bdbfd2a3295

SHA512
70a4d9dfaeb37ba81c86d0033aee46176e463a883db77db8de2a60eb52e8edc10680155feb0cf940181cc451ae67e93172485158b067ccfcb68894d6afa9d804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0U69O7L5\chrome[1].png

Filesize
6KB

MD5
ac10b50494982bc75d03bd2d94e382f6

SHA1
6c10df97f511816243ba82265c1e345fe40b95e6

SHA256
846a9b551e74f824fd7ace3439a319b0c0803449e8caec9f16e2666e38a80efd

SHA512
b6666b540aef6c9c221fe6da29f3e0d897929f7b6612c27630be4a33ae2f5d593bc7c1ee44166ce9f08c72e8608f57d66dd5763b17fec7c1fb92fc4d5c6dd278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0U69O7L5\font[1].eot

Filesize
20KB

MD5
0777a08c974b6e1714a233493bfd26d2

SHA1
ac3584466b9fa8643038f94cb75e73779d28448f

SHA256
eb39019a7b3f5e99681081ca3b5730d747a65690cd0a1b761c52df9c4746172f

SHA512
aa06adc8b1cb75e9342b426c4596fac55f43e1db01f7b1fe472888102ac95c1a242277817010af8d8240e86321267dbb1a2ac26edacefd6c7e3cc6812910f325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0U69O7L5\font[2].eot

Filesize
16KB

MD5
70c0f0ef951a2e8856866e30f22ad27f

SHA1
ed6d4e89e7f003a9fa3320a73141328d8d88bee4

SHA256
770967fee9e6941d5c58bf5c4a5a1f8cf9f675730ca20236dc816cb030a3184a

SHA512
aa012e7048bb8575a3e6ecb510cdb6bddea693fd665566f8f46c945ad5ee05ca62aac8de1bf8d75da61a72a516c5d009cda4add60cfbdea03c31899c60dd55a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\firefox[1].png

Filesize
9KB

MD5
7f980569ce347d0d4b8c669944946846

SHA1
80a8187549645547b407f81e468d4db0b6635266

SHA256
39f9942adc112194b8ae13ba1088794b6cb6e83bd05a4ed8ce87b53155d0e2f7

SHA512
17993496f11678c9680978c969accfa33b6ae650ba2b2c3327c45435d187b74e736e1489f625adf7255441baa61b65af2b5640417b38eefd541abff598b793c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\yt_logo_rgb_light[1].png

Filesize
8KB

MD5
d654f892f287a28026cd4d4df56c29c8

SHA1
98779a55fe32a66ebec8338c838395d265e45013

SHA256
fc6f5d8f32f13d5855840234dc1bff5c91c35318ee2192d99b13eb3572f0bca8

SHA512
3668902aeaf792ad73ba51e0a4caaa520ebc38177791dfac9a9b28026c3bde99e721bf54d626f266a19cfd045a6d2dc8c8e70e53a2c5ee524c6f2736bb0ce409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\THHXO5RX\css[1].css

Filesize
312B

MD5
2494130e2dd81fb40051261cac87fa92

SHA1
08bf1ea9863ee62a66bf9a75161176caa5a11cec

SHA256
ad6e8562d7a6a701d734b60795921409d5449b1806b88ffb1173e832c6da695b

SHA512
5defafa591cbe2fce7b02dbde7b9ff834fb0e5a3da41807978560c292aad11546045f8689d7de4d583c1635012bbcda48b8f49bf0588abe8ef50480fbb2f7134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\THHXO5RX\css[2].css

Filesize
181B

MD5
f407e7b6e7d9fc9da41d84c225ba6dbf

SHA1
2c26b50f87ee2e0d8c2f345106047e2055a147a7

SHA256
df378280434faf25fbbdaf52d145580a12fffdaa2fe3f45f7e24d4cf8f7a13af

SHA512
cc6ff71ed48e437215cd54ab4b527f01935070aeed4e6650c27c0d304eb80b3e7207c859425bd0f770c091c968e45e704c25bec0009dcb5b513823956f7e8528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\THHXO5RX\edgium[1].png

Filesize
6KB

MD5
01010c21bdf1fc1d7f859071c4227529

SHA1
cd297bf459f24e417a7bf07800d6cf0e41dd36bc

SHA256
6fb31acdaf443a97183562571d52ce47dd44c1a8dcb4087338d77ea2617b286e

SHA512
8418d5ac3987ee8b6a7491167b0f90d0742e09f12fceb1e305923e60c78628d494fcd0fee64f8a6b5f6884796360e1e3ec1459dc754bbfb874504f9db5b56135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYI0S376\dinosaur[1].png

Filesize
57KB

MD5
bdda3ffd41c3527ad053e4afb8cd9e1e

SHA1
0ad1bb7ce8d8a4dc8ac2a28e1c5155980edfab9b

SHA256
1a9251dc3b3c064cfc5e2b90b6c7dc3c225f7017066db2b77e49dae90a94a399

SHA512
4dc21ef447b54d0e17ccd88db5597171047112ce1f3f228527e6df079ce2a43a463a3a1e4255828b12f802d70a68dbe40b791852134be71c74de97718b2f1d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYI0S376\opera[1].png

Filesize
2KB

MD5
5cb98952519cb0dd822d622dbecaef70

SHA1
2849670ba8c4e2130d906a94875b3f99c57d78e1

SHA256
02f95fbdb68f232bffd4f2c0fdd033d6c83b829c610cddccc0b1d43e2274e6a7

SHA512
5f29b7459fbd01e16dbd196e4bcddf109af017cccf31337abe1cec6cc5a84711fc2cd34ad7a35d9432a9d7e42ca23d7f6c9d4315396429d7b8e48b9491696afc

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
df830eb5080f62a3db751c9d52ba8988

SHA1
35d9240031ad0d1a854ad66990779bd6fc7fb956

SHA256
ffccc382e7d1a080e8f88ac14465ca35ea9c6d4eda84d5c0d87553efd4a527ec

SHA512
8c634f34184ab0c27e9f0d94d529e8e116916714b4213c499af482169198f855d49d3827ae9a29a5c64b8b36bfd2f9a7337ad55dd258a6365ac8b57e04927589

Download Submit
C:\Windows\s18273659

Filesize
876B

MD5
50876e5311f0897a14a60314b129b2f5

SHA1
bd320331bec8e841300d85ed4e1b96021c3873bf

SHA256
6724ce9fea2067b6a8a7110c50d32b051f963c5d12a15f15b0d2a78b6b39e166

SHA512
97753de688f90d78643f1ee507ad5018d9f6ec4135522a262f1bf32015f016edec10311464bcf0424eeb8d6c2c49d476abf5b43431514df49d5339939217ee6b

Download Submit
memory/932-114-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1772-37-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1772-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1772-76-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/5080-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/5080-73-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/5080-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download