a4e742c0849d9ae7add5475a8b6a22e232db8b3e35e3001d767a766f81da6e9a

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe
Size

278KB
MD5

ee50c66daed5b9a1fbec8028d88b886b
SHA1

7e6bac474116d7adbaac60fda6848e156bb5a945
SHA256

a4e742c0849d9ae7add5475a8b6a22e232db8b3e35e3001d767a766f81da6e9a
SHA512

284cbde3362d224d42395c51c05d7ad87870eea7c3436cc681bab79aa81a54bc01a49011aea0bc2cfa94aa3bf80b33b8135e46092fd40345d2365a54c18142be
SSDEEP

1536:OXs9wrnUh4d7ygVpn0uv77P11gqu87Nyofs/eB:OXYw4+dGgLn0sP11gqEofIeB

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.yesimcopy.com
Port:
21
Username:
yesimcopy1
Password:
825cyf

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4168	jusched.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ab11216d\jusched.exe	ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe
File created	C:\Program Files (x86)\ab11216d\ab11216d	ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe
File created	C:\Program Files (x86)\ab11216d\info_a	ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\2tdU3eap.job	ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 4168	3772	ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe	86
PID 3772 wrote to memory of 4168	3772	ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe	86
PID 3772 wrote to memory of 4168	3772	ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee50c66daed5b9a1fbec8028d88b886b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Program Files (x86)\ab11216d\jusched.exe
  "C:\Program Files (x86)\ab11216d\jusched.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ab11216d\ab11216d

Filesize
17B

MD5
6ff89798e0e63d75115c777af43a2cd9

SHA1
e8b994ccbbe64951afe91fc3dd377f88fe6c9ba8

SHA256
3b3947957c6e0abb19d91b256521bdb3826d88d9b7b53995e177a58cebf0d479

SHA512
46557f9bf6f5c5b3316891a9b623a7d11d8d8ff1973ca84cfbcf8d898746f2dbded7fee837c9a70c2e36f9b46a357fe2ba53585bf5307950d2fef6ee1dcb28a3

Download Submit
C:\Program Files (x86)\ab11216d\info_a

Filesize
12B

MD5
c7c5fc9bd2d577eadaf046ae7ba9a9bb

SHA1
e44b707efab99043e5400928ca750269e425ab60

SHA256
c68fe94e69b456bba66568fff2a9904ceb832548d9896231f305efcaa253ec5c

SHA512
f8cb24a7343f085362d30485f880cd4fcad678ce41f78f913215ee01a4eee979627fa9255a0ba1481720d46b33af17ab97f27d6897a3ebeb27417d70fc0b20c0

Download Submit
C:\Program Files (x86)\ab11216d\jusched.exe

Filesize
278KB

MD5
b33731df52396059150830f230dd3526

SHA1
056fd68bd78045b23d9ae1f37d6747fb6abcfd59

SHA256
25fc7a9802c8f1e48e20a9f591c3d2a7f460a060ae96ce81dbc9da7a04019304

SHA512
45c78ec1c0a491386d0b3f829e4d4056f670b023f8c6b9c962c2539ab32ca5c4cf2231f3a76a424c6f341588df927c0d9f1a24df11f421dc70b6f5e578593d01

Download Submit
memory/3772-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3772-16-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4168-15-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4168-19-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download