670c6a1acf459f744e8fad284c89ed36f0da2797a7f4a53956200a38cd37c343

Analysis

max time kernel
140s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe
Size

171KB
MD5

fa3fb045e0e65395f4b710b2e7dd5ec0
SHA1

110141089687f1f751d1f721ae4839f8298ccb59
SHA256

670c6a1acf459f744e8fad284c89ed36f0da2797a7f4a53956200a38cd37c343
SHA512

7f5eb5b40a5aaf2b9d84351af73a06d7d7146421bbae099838d09da28db807a00870112a0841b94a26f4c2bc1614051b4db2416db94235faa36973cdc2e6d16c
SSDEEP

3072:SwjmK0lZmJEs4aBXMvkK7eyKIMZu7DMnx1pqCSozKn1WJWmowqV3k7FS:SbN5s4ameyrMZufAjJSozK1WvowqL

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4840	keygen.exe
2860	tish.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tish.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4840	3528	fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe	81
PID 3528 wrote to memory of 4840	3528	fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe	81
PID 3528 wrote to memory of 4840	3528	fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe	81
PID 3528 wrote to memory of 2860	3528	fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe	83
PID 3528 wrote to memory of 2860	3528	fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe	83
PID 3528 wrote to memory of 2860	3528	fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\keygen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4840
- C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\tish.exe
  "C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\tish.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\keygen.exe

Filesize
136KB

MD5
279829ae83560628c0c9f58ac87541b6

SHA1
2eb1ad73b7480c92f3fefde5fb229cd0b86409c1

SHA256
83c21cf3199544f9e88a2180af134e7315dec7d6aa8227c0c08ea1c727807411

SHA512
9293d4e3691ead3fa3b1bccf0d816ae8a437c306c1e8ee6eaf9d41da7ad6bb2968340490ab2d7b9517dfc4ec7543ee1b14bdcf7ee6f843e13f0e3686a9608ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
memory/2860-23-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4840-8-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4840-10-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/4840-11-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4840-24-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4840-26-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download