7c3881f125cc849f8dc14f0245782273e7d6953e729c43058065cffddac9a387

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe
Size

196KB
MD5

eebeaee66abe3c5cca60f77526907728
SHA1

c772914d3ce1babb4b8da007fe8800a87ff7b5eb
SHA256

7c3881f125cc849f8dc14f0245782273e7d6953e729c43058065cffddac9a387
SHA512

0857e83c9f1316be5e902585a7ece22a151e1592dedbabd8e8374bd09a1e588ba13deecd49b69d951d03ae2bf2131d5f68df4b89d75e5fb66e170918a9689aef
SSDEEP

1536:iXs9wrnUh4d7ygVpn0uv77P11gqu87NhofgDdBq:iXYw4+dGgLn0sP11gqTofgZE

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.alizametal.com.tr
Port:
21
Username:
alizametal.com.tr
Password:
hd611

Extracted

Credentials

Protocol: ftp
Host:
ftp.yesimcopy.com
Port:
21
Username:
yesimcopy1
Password:
825cyf

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4984	jusched.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\4d0277fb\jusched.exe	eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe
File created	C:\Program Files (x86)\4d0277fb\4d0277fb	eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe
File created	C:\Program Files (x86)\4d0277fb\info_a	eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4984	4244	eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe	87
PID 4244 wrote to memory of 4984	4244	eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe	87
PID 4244 wrote to memory of 4984	4244	eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eebeaee66abe3c5cca60f77526907728_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Program Files (x86)\4d0277fb\jusched.exe
  "C:\Program Files (x86)\4d0277fb\jusched.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\4d0277fb\4d0277fb

Filesize
17B

MD5
6ff89798e0e63d75115c777af43a2cd9

SHA1
e8b994ccbbe64951afe91fc3dd377f88fe6c9ba8

SHA256
3b3947957c6e0abb19d91b256521bdb3826d88d9b7b53995e177a58cebf0d479

SHA512
46557f9bf6f5c5b3316891a9b623a7d11d8d8ff1973ca84cfbcf8d898746f2dbded7fee837c9a70c2e36f9b46a357fe2ba53585bf5307950d2fef6ee1dcb28a3

Download Submit
C:\Program Files (x86)\4d0277fb\info_a

Filesize
12B

MD5
02d54089aebc1aaa6518ea9b639e7283

SHA1
4d55864fbe480e43658dc0c4071595d11d3e264c

SHA256
c12d358fa7bfe78102f34c75966a06cf42f9d3d73483a444cff792115d7d6e12

SHA512
d44c27cd38ecb81440669996c2fafff17e91c8320fea4f0f78a106ca588d277aa562b2fa4c268bd805664fa3bd6a53d9e10b1bfa4f477cc5cac00d4bc586ba12

Download Submit
C:\Program Files (x86)\4d0277fb\jusched.exe

Filesize
196KB

MD5
919a367e8fe096f6dd5e480adbab89b4

SHA1
9a6cef832a7f5f4f46e568416a9e8e9a965674ef

SHA256
121b612a4a1e212bb67387ff39eb390f8e6e490a1c2f8ced099f3f32f0d62a49

SHA512
15090f093653fffa55baffba972f21b6b6a496da928394ad6a069368c23d0c8b9a87be54695bc2a8b82bf39b79a2db4d36592aca29e1a95ae4f3def7983e7a6a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads