10627f77dfa2929255b7b58c7a33fc9bdfc573fc965a4d437f97a6c12cd8efed

Analysis

max time kernel
146s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 06:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe
Size

197KB
MD5

eac71bd8a9882bd0ae43ec6027c2d868
SHA1

dd0aa28fbdde656b0122e083f1c595ebcb6ac44c
SHA256

10627f77dfa2929255b7b58c7a33fc9bdfc573fc965a4d437f97a6c12cd8efed
SHA512

e774b66f6df5c64ac5b63f9e50ebd40407311e5c60acea06cd99926ca23cbc73b261ed934c65e157dc71fabedde04a2d65782d582aea2da6fa7423329407d568
SSDEEP

3072:AoZhrQNR9OtTBfAex78fZjk1Qi6T+mPw76dZWouCI4BAl3Q2qdd5VJSz:HrQT9OtTBoy7ujmQdnk6s/4el3Q2qzMz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2404	Adobe Reader.exe
1116	update.exe
3492	update.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	104.155.138.21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
872	3492	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe Reader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
640	eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe
640	eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe
2404	Adobe Reader.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2404	640	eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe	89
PID 640 wrote to memory of 2404	640	eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe	89
PID 640 wrote to memory of 2404	640	eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe	89
PID 640 wrote to memory of 1116	640	eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe	90
PID 640 wrote to memory of 1116	640	eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe	90
PID 640 wrote to memory of 1116	640	eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe	90
PID 1116 wrote to memory of 3492	1116	update.exe	91
PID 1116 wrote to memory of 3492	1116	update.exe	91
PID 1116 wrote to memory of 3492	1116	update.exe	91

C:\Users\Admin\AppData\Local\Temp\eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac71bd8a9882bd0ae43ec6027c2d868_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\Temp\Adobe Reader.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\Adobe Reader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\Temp\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\update.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\Temp\update.exe
    StubPath
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 468
      4⤵
      Program crash
      PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3492 -ip 3492
1⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:8
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\Adobe Reader.exe

Filesize
228KB

MD5
258f73a5bf1433cecfdfd0a54a5a382b

SHA1
768a087f9b9a64fb3c1fefe008dd0bcd8464cff1

SHA256
3a0e98e00775520623025fa164dcb018c8582168478514e741f9e7bff68ef579

SHA512
e561c4dc21412aa2f2cc6bcb0d49edb64872a353b6e9128e3a83e85d951270157f998585d340180bbe2f44c4a9f5cd47e822cea665a5e2649b7690c9798f25b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\update.exe

Filesize
41KB

MD5
1ef59e50de8750177888128fefad689c

SHA1
7cd7726a45946fcfdc3dfdbf9dd5b080fc495b5c

SHA256
8e9205366e93de07008b80e61e0a7aa9526791b8ddfc7be75d1e38264bc9729f

SHA512
4dd038b69c9814ac7d5588e05b8eb4a1e3c5b68d29c469e6795f2e9f36dadd617e07232536db46f5583bf403be85c11cf3c350c18ba8cc5cd7c02d04f4c39a03

Download Submit
memory/1116-16-0x0000000000740000-0x0000000000743000-memory.dmp

Filesize
12KB

Download