6f40091831015b3e1ab0a04022704a172f750f09c5234d4ac2ed7f3c876911c5

Analysis

max time kernel
137s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe
Size

154KB
MD5

fb9af2d0e4e66e5969b5ae6cdfd7590f
SHA1

708c2b799946a3296804c2175a27d8949720f030
SHA256

6f40091831015b3e1ab0a04022704a172f750f09c5234d4ac2ed7f3c876911c5
SHA512

4b87998a08c2a79d50d19eb22618880d8d2edae8ab186d55941cf2d9414f730dc9507b0ffc2c86a6f85f694082d387bc39d1a502406c20df2f10a3ce4142c388
SSDEEP

3072:gzNWMKKRZYchObK91C8sV6Xmoo4LEpYftNgDc1COGYZxHwQ7x:gZuuObR8sVImcyYftoc1COGYZ+Ex

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	Nashy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nashy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1916	Nashy.exe
1916	Nashy.exe
1916	Nashy.exe
1916	Nashy.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 512	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	84
PID 1548 wrote to memory of 512	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	84
PID 1548 wrote to memory of 512	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	84
PID 1548 wrote to memory of 3660	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	88
PID 1548 wrote to memory of 3660	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	88
PID 1548 wrote to memory of 3660	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	88
PID 1548 wrote to memory of 1564	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	92
PID 1548 wrote to memory of 1564	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	92
PID 1548 wrote to memory of 1564	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	92
PID 1548 wrote to memory of 2960	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	94
PID 1548 wrote to memory of 2960	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	94
PID 1548 wrote to memory of 2960	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	94
PID 1548 wrote to memory of 1916	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	96
PID 1548 wrote to memory of 1916	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	96
PID 1548 wrote to memory of 1916	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	96
PID 1548 wrote to memory of 4612	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	97
PID 1548 wrote to memory of 4612	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	97
PID 1548 wrote to memory of 4612	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	97
PID 1548 wrote to memory of 4512	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	98
PID 1548 wrote to memory of 4512	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	98
PID 1548 wrote to memory of 4512	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	98
PID 1548 wrote to memory of 2904	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	100
PID 1548 wrote to memory of 2904	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	100
PID 1548 wrote to memory of 2904	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	100
PID 1548 wrote to memory of 4236	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	101
PID 1548 wrote to memory of 4236	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	101
PID 1548 wrote to memory of 4236	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	101
PID 1548 wrote to memory of 1188	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	102
PID 1548 wrote to memory of 1188	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	102
PID 1548 wrote to memory of 1188	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	102
PID 1916 wrote to memory of 3460	1916	Nashy.exe	56
PID 1916 wrote to memory of 3460	1916	Nashy.exe	56
PID 1916 wrote to memory of 3460	1916	Nashy.exe	56
PID 1916 wrote to memory of 3460	1916	Nashy.exe	56
PID 1548 wrote to memory of 1300	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	105
PID 1548 wrote to memory of 1300	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	105
PID 1548 wrote to memory of 1300	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	105
PID 1548 wrote to memory of 2912	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	106
PID 1548 wrote to memory of 2912	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	106
PID 1548 wrote to memory of 2912	1548	fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe	106

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fb9af2d0e4e66e5969b5ae6cdfd7590f_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:512
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe-up.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3660
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe-up.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Documents and Settings\Administrator\My Documents\My Music\Nashy.exe
    "C:\Documents and Settings\Administrator\My Documents\My Music\Nashy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1916
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe-up.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4512
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe-up.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4236
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe-up.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1300
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe-up.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe-up.txt

Filesize
40KB

MD5
da587e8d76968c0060a98e688d1faf9a

SHA1
2c18f1a568f1ab93355aade6949f84dbee6116ad

SHA256
12f231be178db83b3cffb71f5d0a8cf42a10820c7c1b8a4cf67015bd2df4b824

SHA512
67845553e3eb729ca40723e37569cd6d763348eba0ac75b8bf681a226308e59dfa04e7c37fb6fbe40a2db5397fb4684b8a81f9245d7a2fa2b5b002137db3962a

Download Submit
C:\Documents and Settings\Administrator\My Documents\My Music\Nash1.exe.txt

Filesize
899B

MD5
948820f63ca0edd7664dff6d91396407

SHA1
ffb954b22563c368972c2f5bb2b7b09def1b1ed0

SHA256
2be781cc3a9661752172fb23e2136c6c6c2519234f0c34e0dc92d1a487b765bb

SHA512
8ba7fd2cba00f313b2b38f8b31da1e22e6d61d6a2ff49c372313778dfc7f320af10cf09e7b45006bfdfd4b626dc10d7a0af82cc3b31fe2ebcbf411762f1ad052

Download Submit
C:\Users\Administrator\My Documents\My Music\Nashy.exe

Filesize
55KB

MD5
9c859d1f632406af06a90e2b305f4e57

SHA1
30eab1902100b6bc187494f6088d6c08cd9503b7

SHA256
c04115b07ce52804d2690e8dd9c70dde46f066e4b6e9c9f97bdb32dc10b7cd69

SHA512
1ae781d24bb9133cd98cb2b3f88126fa40535700cb6832cd1fd8547ee0d145eba3148821f81201e46faf8d635645968d29015d6c47aa1d1655da5d48cb404d41

Download Submit
memory/1548-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1548-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1916-17-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3460-19-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3460-20-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download