916d053a380731b979197e1b0663f85c1c097d722377721b1ee6de114aab573d

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6a92e7fb686718b428bc3e7a8e38e4a_JaffaCakes118.exe
Size

270KB
MD5

f6a92e7fb686718b428bc3e7a8e38e4a
SHA1

07b6e64f4408244eb3c0dcfdb6ac029f8eebd481
SHA256

916d053a380731b979197e1b0663f85c1c097d722377721b1ee6de114aab573d
SHA512

92356720778bc4eafd3d2015981d0a941bed3e69169603ce0a7f8c68c60135a2a0159622fb0f209b9aab9d9f10217612fd27b48f62045d8aae726ea9073177f9
SSDEEP

6144:s24RNw9jjJmlRXPdC7B6lEHenVJhNk9ewtf2/rQQjrM:s24kgd0BCnVJVwt60QjrM

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	f6a92e7fb686718b428bc3e7a8e38e4a_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3832	34430.exe

Loads dropped DLL 5 IoCs

pid	Process
3832	34430.exe
3832	34430.exe
3832	34430.exe
3832	34430.exe
3832	34430.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.ocx	34430.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34430.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3832	34430.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 3832	2052	f6a92e7fb686718b428bc3e7a8e38e4a_JaffaCakes118.exe	82
PID 2052 wrote to memory of 3832	2052	f6a92e7fb686718b428bc3e7a8e38e4a_JaffaCakes118.exe	82
PID 2052 wrote to memory of 3832	2052	f6a92e7fb686718b428bc3e7a8e38e4a_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\f6a92e7fb686718b428bc3e7a8e38e4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6a92e7fb686718b428bc3e7a8e38e4a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\34430.exe
  "C:\Users\Admin\AppData\Local\Temp\34430.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\34430.exe

Filesize
240KB

MD5
5417a3ae9a8a6e8dda3a70be77d69f87

SHA1
f44d3b5fac078ba539090d60f9662987e4e129d4

SHA256
0c959a2e8e094eee6ff9973f375d5a4c13144ed565cc95d5dacb30494b209eb1

SHA512
dfb04b1a06b88b60560e9bb18ecc5accf1d5079810b7578db804ae846d5a984fca0ff5b3f70d6240603171766154c1e20e6addd46e71caece4af296ce3ce1912

Download Submit
C:\Windows\SysWOW64\MSWINSCK.ocx

Filesize
124KB

MD5
45631bce4e64a6d5ebd41d6a35df9a38

SHA1
f415216b0f78c4ffaad264a7efed544ee549b0bf

SHA256
402f3eda89d2157d1d2dbe8ed689a0c450e66cd75fd1b595baa4bfc8972966a3

SHA512
f1472d9957159788a4fb2f97678ed26d611c72f7c4e9445db2be22a412dab0dfb915c7a72efd3b14506ce4983f9ec4ff17f74e8073adc4359a3fa37bf33dc4b6

Download Submit
memory/2052-0-0x00007FFEADBF5000-0x00007FFEADBF6000-memory.dmp

Filesize
4KB

Download
memory/2052-1-0x000000001B730000-0x000000001B7D6000-memory.dmp

Filesize
664KB

Download
memory/2052-2-0x00007FFEAD940000-0x00007FFEAE2E1000-memory.dmp

Filesize
9.6MB

Download
memory/2052-3-0x000000001BD00000-0x000000001C1CE000-memory.dmp

Filesize
4.8MB

Download
memory/2052-4-0x000000001C330000-0x000000001C3CC000-memory.dmp

Filesize
624KB

Download
memory/2052-5-0x00007FFEAD940000-0x00007FFEAE2E1000-memory.dmp

Filesize
9.6MB

Download
memory/2052-6-0x000000001B820000-0x000000001B828000-memory.dmp

Filesize
32KB

Download
memory/2052-7-0x000000001C490000-0x000000001C4DC000-memory.dmp

Filesize
304KB

Download
memory/2052-8-0x00007FFEAD940000-0x00007FFEAE2E1000-memory.dmp

Filesize
9.6MB

Download
memory/2052-48-0x00007FFEAD940000-0x00007FFEAE2E1000-memory.dmp

Filesize
9.6MB

Download