7fa99c0f3a44507db19afb5aa01e4266bf8816a78556aea646d219bcb1c30111

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcb36bfa87b7f3d87e8bfa777ea0e555_JaffaCakes118.exe
Size

801KB
MD5

fcb36bfa87b7f3d87e8bfa777ea0e555
SHA1

60989b044db58cec465e51298e5a6eb67707a425
SHA256

7fa99c0f3a44507db19afb5aa01e4266bf8816a78556aea646d219bcb1c30111
SHA512

79b7d2251df3419fdf72c6de2b5873cc7bf49d2d194f9c249da8eb9cfb96d8ae8c3d90cab8b0e04041b38f8d181312e8eb4784ec474c07d828021590f4031d27
SSDEEP

12288:oN2W+8ov0FbuMqHbZ1v5iJmOhm6g5A69OM9xXOyUXT6EfmBp/xSvZdl:++ZcFbjeZ1hiJmOh5gSxM9xcXTdYp6n

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	fcb36bfa87b7f3d87e8bfa777ea0e555_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	fcb36bfa87b7f3d87e8bfa777ea0e555_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4180	4628	fcb36bfa87b7f3d87e8bfa777ea0e555_JaffaCakes118.exe	100
PID 4628 wrote to memory of 4180	4628	fcb36bfa87b7f3d87e8bfa777ea0e555_JaffaCakes118.exe	100

C:\Users\Admin\AppData\Local\Temp\fcb36bfa87b7f3d87e8bfa777ea0e555_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcb36bfa87b7f3d87e8bfa777ea0e555_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\Temp\fcb36bfa87b7f3d87e8bfa777ea0e555_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fcb36bfa87b7f3d87e8bfa777ea0e555_JaffaCakes118.exe" 1
  2⤵
  PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\fcb36bfa87b7f3d87e8bfa777ea0e555_JaffaCakes118.exe.log

Filesize
492B

MD5
18b1d790d7b4a51c7aedd093410a2813

SHA1
9a7869c58c3d75e9ad3c88c0f2a0818db1d0c092

SHA256
8ffd8bbdb34b3a4e8c6e31d88da68d835150b3f9ee3444e4068c84fa17786a5c

SHA512
b3ca695498dd83d82482ae6ab7a00bc98434980f2049a7a161252cff6a247b9f7b95141c617a8e101786ee19a578d07a260fe6d0861213766c7ef15fcd443cbb

Download Submit
memory/4180-9-0x00007FFFB8D00000-0x00007FFFB96A1000-memory.dmp

Filesize
9.6MB

Download
memory/4180-11-0x00007FFFB8D00000-0x00007FFFB96A1000-memory.dmp

Filesize
9.6MB

Download
memory/4180-12-0x00007FFFB8D00000-0x00007FFFB96A1000-memory.dmp

Filesize
9.6MB

Download
memory/4628-0-0x00007FFFB8FB5000-0x00007FFFB8FB6000-memory.dmp

Filesize
4KB

Download
memory/4628-1-0x00007FFFB8D00000-0x00007FFFB96A1000-memory.dmp

Filesize
9.6MB

Download
memory/4628-2-0x00007FFFB8D00000-0x00007FFFB96A1000-memory.dmp

Filesize
9.6MB

Download
memory/4628-3-0x000000001C0F0000-0x000000001C5BE000-memory.dmp

Filesize
4.8MB

Download
memory/4628-4-0x00007FFFB8FB5000-0x00007FFFB8FB6000-memory.dmp

Filesize
4KB

Download
memory/4628-5-0x00007FFFB8D00000-0x00007FFFB96A1000-memory.dmp

Filesize
9.6MB

Download
memory/4628-6-0x00000000014D0000-0x000000000156C000-memory.dmp

Filesize
624KB

Download
memory/4628-10-0x00007FFFB8D00000-0x00007FFFB96A1000-memory.dmp

Filesize
9.6MB

Download