353e4eff3a157ce281bc3452acfbe75c2f4b84fae99dbf1258276eb9b8db23c7

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe
Size

779KB
MD5

f56b31f240d9d8aa4c1d8adfef5e5c34
SHA1

a03dc638162ac72d716fd6463f9f4f0ad69e11be
SHA256

353e4eff3a157ce281bc3452acfbe75c2f4b84fae99dbf1258276eb9b8db23c7
SHA512

8acb3b7e41d7f58183429229a7216c0c8fe0b1d58f3c200caaecc4e740855e54ec8cd947afe38dd71b20e528b7d11d6e46c03d519c6e886009c51cfd475ca8e4
SSDEEP

24576:vteurdvnsolYQpuMX14GZdvfAe8xDDgHB5LcmrKBz:vVVsJQd1V4N9DY5LO

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3612	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3612	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe
3612	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3612	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe
3612	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe
3612	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3612	2080	f56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe	89
PID 2080 wrote to memory of 3612	2080	f56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe	89
PID 2080 wrote to memory of 3612	2080	f56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe	89
PID 3612 wrote to memory of 4860	3612	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe	92
PID 3612 wrote to memory of 4860	3612	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe	92
PID 3612 wrote to memory of 4860	3612	internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\f56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\nso4EE8.tmp\internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nso4EE8.tmp\internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nso4EE8.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/f56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nso4EE8.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4704.bat" "C:\Users\Admin\AppData\Local\Temp\56D9AD4AF2E3466EA947D3675AA494A7\""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3852,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\$IKLKHK4

Filesize
96B

MD5
21e14009c2ad4399375979b77b70c05d

SHA1
faec2d9625426356f6586eb4f493626f93c3ab81

SHA256
72d91535d91270e30dd65b9452e52031c50bc4e78c68143afdacfcfaa03dd40b

SHA512
4576772e9e79bea45680bc350eec9d996bc64834587ec8b162c121938c6af4d6b51832830fe584a145632192b9fd6718ca31dd9604f7b66cbce76464cc3d1ed0

Download Submit
C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\$IZHTQ8M

Filesize
96B

MD5
27d6d9d4b784b4285310013c8636a644

SHA1
bc0c489b7bc09766a1f377ba9c0c7dbd7e199121

SHA256
2dca93d0f602ab043c855e0f4ed84cd2c99acd43ebd3aef2a64f023286df3ac7

SHA512
fd3fd2096f1d4d1712f94417384c70fa7acde26f1389e6437cd703eb51b1a391455c65f2ef64715033e193217693036f5deff0877b662a5b552a1d5fe1a53a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\4704.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\56D9AD4AF2E3466EA947D3675AA494A7\56D9AD4AF2E3466EA947D3675AA494A7_LogFile.txt

Filesize
2KB

MD5
704459047f170b74a9990101b868cb55

SHA1
94e85292a1f76ee0409a6fb7e5fa56cbdf53c6d9

SHA256
ffe104a970e4741901c203dd9bb3e14c6086945905d60745689645a653839d5c

SHA512
0a543283d56beba0fd5422ec8b4d54ddfd4d96b55d112ed31f8b5e0e80c31ee4b95d5a84d2c2c2851e3810101ecd8da936e5b0a5ce79c2ebe940a1b8373b71fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\56D9AD4AF2E3466EA947D3675AA494A7\56D9AD4AF2E3466EA947D3675AA494A7_LogFile.txt

Filesize
3KB

MD5
22be0a5af3be3847a46a44e79e77088e

SHA1
69311823201f1941e7b162fe9feeb16efab3cc37

SHA256
f089c8d05a371c48d35720fb2a624f597e542cfd20c0e1e712e7d38135125dd2

SHA512
88e3378a6a9bdd61d5a2944eb06ec701285f3dcd45f206b4363ac358f1d8cfd2f74c26fedab89469aa12f462d0aaf91f5ba5f64e277c209623b554dfae720b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\56D9AD4AF2E3466EA947D3675AA494A7\56D9AD4AF2E3466EA947D3675AA494A7_LogFile.txt

Filesize
4KB

MD5
1f7316a95bb73465df85f5fb4be9ee6d

SHA1
b799df5f4baee051f44c9daa3c1d61b1ef3a099d

SHA256
7f8240c80f999dfe7a7e8bbba85233ed0200aef363a07df5e69f5a6a327f9dc7

SHA512
2ae98625e0679082d6918493d3cbe53401aac43a7abedaac9812832fd5347375e49fcb159a47067b4000898586e3fbd50df5db5c1e23001c4e801353db388be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\56D9AD4AF2E3466EA947D3675AA494A7\56D9AD4AF2E3466EA947D3675AA494A7_LogFile.txt

Filesize
1KB

MD5
0623567435e4d87209efe2ef7c327458

SHA1
6ea76d98be86af85e4a95e02bf6bbc396e0e12b5

SHA256
4b0d1e0e64ed4c5a58f055d8c99b189d2a1b2d930838db2d892a6b372c0e3ed6

SHA512
f42420955ecca81fd5b6c62bc2d53babcb49bde9078d090ab7a80f5ecf066925368e63c7cc0964714436206a832a64368d430af83cec12c6db286d816ea062fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\56D9AD4AF2E3466EA947D3675AA494A7\56D9AD~1.TXT

Filesize
31KB

MD5
9b9e0039bbc99ddbabbbb3a40f14f85a

SHA1
d9ee60f8850c3cff5567d2723a68345ee1372217

SHA256
2aff0fa4f4db5bbe17fbbc03da396bbaac2c87f3188660450b897dcafa886d9b

SHA512
c7a30dfa9fcde0d049598946cb6be1ac90601ae7d8910ade7c19ab613e2fd7818ed27e62e8ab0b10c693cd0e39133ee21084a943aba546e6743ad936c9890fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4EE8.tmp\internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118.exe

Filesize
1.7MB

MD5
c4ca24ec91ced69fc98fac6fba21dc88

SHA1
b84f3a1ceef89673e31e0be210eb33d865d60659

SHA256
c690bea2115b2a16e23c845785772d14fdb978d32cb22bbbce83f53673eda821

SHA512
5783d1b8599d472039e9afca35590f76fe8930c73af4fa35fb796e819ca6d7219bd7ba1a0a6bcf3e8d76e9d873a078d74857a2318f8bbc3eca34c051a9ca4d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4EE8.tmp\internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118_icon.ico

Filesize
17KB

MD5
f0b938585d688a56c81a92e16cfcd2fa

SHA1
881e13bfe686092d4ab913698c54a0eca97e8f95

SHA256
f4150b295a647b311d6a63fe7aa39aba115c157050808b0eae149137c4dee316

SHA512
af7b2efde139798c118a34d0ec53475d79048ed966473cb18a64d552c9871411deda6de1e5abdadeec6b71f35099f013265fe3d51490adc55f51166bab8a2973

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4EE8.tmp\internalf56b31f240d9d8aa4c1d8adfef5e5c34_JaffaCakes118_splash.png

Filesize
101KB

MD5
3cb90093892c6fb84a6b16345eec874f

SHA1
ed0f3e9caa22b01d65fa281f539b9a37f82fec3e

SHA256
cbf9cfa4d65f5988c336144ce0d8cba1187cddcecb5b623358c5b95f5d11f674

SHA512
2c0a95c768ab35edd6edc78f01247474bccee0b234a92d793c3b04f160abc3ecd833b0c99065b7619f8e2dcc2dfea540d222c4da66d6030c9d547a91799ae605

Download Submit
memory/2080-290-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3612-71-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download