2e6720122888bbca4d7d9a52e2ff6576a1cd0b228e1e28bb2af95445cfaf48f4

Analysis

max time kernel
140s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe
Size

3.3MB
MD5

fd0269ca5f7b66eeb24bf3626e6cd738
SHA1

8d170f2efbd12612f020f2580058f156f673b874
SHA256

2e6720122888bbca4d7d9a52e2ff6576a1cd0b228e1e28bb2af95445cfaf48f4
SHA512

627349700d65a1d7c9d0510b2d23144695cf963016e3f9e791e3ad5160d6976f3f6c903f16f34c6f3b9bc1ef11f3792179d7b7dc65de01b1fbed76f4ff3992c3
SSDEEP

49152:Czsy4VsUGTzLUvmqEFKSmCIo5qOC8Ro4SdK5z9rGOT6ixTgFdT+6+jkgNoYs2imF:nzGTzLUOKw21Cz9rGC6ixk+Ljkp17

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4484	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
4484	svchost.exe
4484	svchost.exe
4484	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4836	4484	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4484	4492	fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe	82
PID 4492 wrote to memory of 4484	4492	fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe	82
PID 4492 wrote to memory of 4484	4492	fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd0269ca5f7b66eeb24bf3626e6cd738_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4492
- C:\svchost.exe
  "C:\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 2216
    3⤵
    - Program crash
    PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4484 -ip 4484
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp53DD.Exe

Filesize
96KB

MD5
16ea8b59f4ba4f5a61fe1b8cd6050c94

SHA1
d1b6f248a30595b05110c5b693d2c9a6a494c9cf

SHA256
531c7fe97c6825b0aa2298fda4d4da836cc4e6028a423b05c55bb6b3669aae5c

SHA512
5fb879e60a91743e6f58ee565dfe909a576bd4ea9061ee816746283086ea5df6f2a6bfb5178a99555b73fc86b50c6104bce79c5beec97eef1e7e23cd96c7ccd6

Download Submit
C:\svchost.exe

Filesize
3.1MB

MD5
029198ad184b5316c5f294817cc41011

SHA1
4aa0d4bf45b91d7773ae6446e6b9eb54348dbe1a

SHA256
354856d93fc3b5b6a8cf2a7f9ae99073797805033588ff7c4ed8495adc317b92

SHA512
bc5634128a0b1c6383ca2fba120a14507553dc184d9fb51cd4de8db02e50199b394bcc1cf6bf2309c1f0d241c52a247c0c86d1f814de0432099d1bd3b4ecd7df

Download Submit
C:\ts.dll

Filesize
3KB

MD5
ab62f36cc469c34fd1b86ebf3eb19aa3

SHA1
2a70b2793949c3aabbde738c60ece2c52b3f9445

SHA256
67d34ac4df536192e5529b1f98547180f225ef83ca810d087c8f0324324edfa7

SHA512
35f84161062f1d7cabbf069e2638819168da2993432566d1b369ed0fca82cafe884ea560fada129b6c4d629ef61bfbff2368d54c8dccd75416e65671e30733ee

Download Submit
memory/4484-35-0x0000000001031000-0x0000000001032000-memory.dmp

Filesize
4KB

Download
memory/4484-34-0x0000000001030000-0x0000000001033000-memory.dmp

Filesize
12KB

Download
memory/4484-33-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/4484-48-0x0000000001030000-0x0000000001033000-memory.dmp

Filesize
12KB

Download
memory/4484-49-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/4492-50-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download