18216d83a83de5405a136f32d79d9906b85925271753984a5a824db6cb8283d6

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd600ef23834b3ceb20c1200b9ba94ba_JaffaCakes118.exe
Size

180KB
MD5

fd600ef23834b3ceb20c1200b9ba94ba
SHA1

60b68644c61210b7b53ce841478868ed8abda6d8
SHA256

18216d83a83de5405a136f32d79d9906b85925271753984a5a824db6cb8283d6
SHA512

796b920710e7c95d310bc453419665ad95ffa54c3e1675c2c191ace8368f3c8af934268661eb341f0d028849a56d717a83b5d428f095383bbb620e7349de7d2c
SSDEEP

3072://vGHqJLx6B/CRLdhHt5GWp1icKAArDZz4N9GhbkrNEk47K0qZy:nWqA/eRBp0yN90QE

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	stub.EXE

Executes dropped EXE 2 IoCs

pid	Process
1932	fia.exe
3896	stub.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd600ef23834b3ceb20c1200b9ba94ba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 1932	4944	fd600ef23834b3ceb20c1200b9ba94ba_JaffaCakes118.exe	82
PID 4944 wrote to memory of 1932	4944	fd600ef23834b3ceb20c1200b9ba94ba_JaffaCakes118.exe	82
PID 4944 wrote to memory of 3896	4944	fd600ef23834b3ceb20c1200b9ba94ba_JaffaCakes118.exe	83
PID 4944 wrote to memory of 3896	4944	fd600ef23834b3ceb20c1200b9ba94ba_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\fd600ef23834b3ceb20c1200b9ba94ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd600ef23834b3ceb20c1200b9ba94ba_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fia.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fia.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stub.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stub.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fia.exe

Filesize
18KB

MD5
8ac20ab22be723af1b2b69dc5f5c9f16

SHA1
e6724138692f50042e40a14c735d070e98fac0ea

SHA256
f948ed02a1dcac31f95ed2ce68fd424569965c330f04e865b8cc4c0d24b14350

SHA512
ca09297db98b81b85ae9f1813ffbb67e75848748c8d32873a316ab8c086131acdcafe1dda265edcf780e07fc9173c68c5b0c6a61855f0e5e410e3a68d351b8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stub.EXE

Filesize
17KB

MD5
ab40d0cbeccd167f369c3e5278ee5519

SHA1
f9bb18cf69f3c504192eed63cf234587d15436cd

SHA256
faee731c74715b6a3e948d8e5b553e7da5d8a9de161179030f30583ae1862f01

SHA512
9632454962fde1bf5b74d54a3c868ecba3975ef97a7ba14f3f1f447c5a1d8b8dc1a2c46e4406a075e3ad8a66cd550433c12c81a3d61bac6b6b7f0c2300943ea7

Download Submit
memory/1932-12-0x000000001BCE0000-0x000000001BD7C000-memory.dmp

Filesize
624KB

Download
memory/1932-9-0x00007FF8F25D0000-0x00007FF8F2F71000-memory.dmp

Filesize
9.6MB

Download
memory/1932-10-0x000000001B6F0000-0x000000001BBBE000-memory.dmp

Filesize
4.8MB

Download
memory/1932-11-0x00007FF8F25D0000-0x00007FF8F2F71000-memory.dmp

Filesize
9.6MB

Download
memory/1932-8-0x000000001B160000-0x000000001B206000-memory.dmp

Filesize
664KB

Download
memory/1932-13-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/1932-14-0x000000001BE40000-0x000000001BE8C000-memory.dmp

Filesize
304KB

Download
memory/1932-16-0x00007FF8F25D0000-0x00007FF8F2F71000-memory.dmp

Filesize
9.6MB

Download
memory/1932-17-0x00007FF8F25D0000-0x00007FF8F2F71000-memory.dmp

Filesize
9.6MB

Download
memory/1932-7-0x00007FF8F2885000-0x00007FF8F2886000-memory.dmp

Filesize
4KB

Download
memory/3896-21-0x00007FF8F2520000-0x00007FF8F2EC1000-memory.dmp

Filesize
9.6MB

Download
memory/3896-22-0x00007FF8F2520000-0x00007FF8F2EC1000-memory.dmp

Filesize
9.6MB

Download
memory/3896-24-0x00007FF8F2520000-0x00007FF8F2EC1000-memory.dmp

Filesize
9.6MB

Download