613fb641387a5d9e100f5638befd3a70946862096200235ac5aa3cb2b33f0eb7

Analysis

max time kernel
144s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd08beac7e3faa956b4df751c7f105eb_JaffaCakes118.exe
Size

4.8MB
MD5

fd08beac7e3faa956b4df751c7f105eb
SHA1

049ded2f19c6688f46249d08df2cf76b3f7ce2f5
SHA256

613fb641387a5d9e100f5638befd3a70946862096200235ac5aa3cb2b33f0eb7
SHA512

4bf0966c8bf47a2cf0052d813ef60d0f54f61681f6f95cacceb381dbb69fc020f11e95253b39161d8c46759a750a1dfbb23734c77ff128d6eb94c04c0b85b0e8
SSDEEP

98304:OztTe5lF8mqx8aDEJrSXYfZOri5fshVzCYr7FpalaDK3XibQ:OkCzxl+fBMFCu4aDKHi0

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	install.exe

Executes dropped EXE 3 IoCs

pid	Process
1464	install.exe
4964	isass.exe
464	iw4mp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd08beac7e3faa956b4df751c7f105eb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iw4mp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1464	install.exe
1464	install.exe
4964	isass.exe
4964	isass.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1464	2892	fd08beac7e3faa956b4df751c7f105eb_JaffaCakes118.exe	84
PID 2892 wrote to memory of 1464	2892	fd08beac7e3faa956b4df751c7f105eb_JaffaCakes118.exe	84
PID 2892 wrote to memory of 1464	2892	fd08beac7e3faa956b4df751c7f105eb_JaffaCakes118.exe	84
PID 1464 wrote to memory of 4964	1464	install.exe	85
PID 1464 wrote to memory of 4964	1464	install.exe	85
PID 1464 wrote to memory of 4964	1464	install.exe	85
PID 1464 wrote to memory of 464	1464	install.exe	86
PID 1464 wrote to memory of 464	1464	install.exe	86
PID 1464 wrote to memory of 464	1464	install.exe	86

C:\Users\Admin\AppData\Local\Temp\fd08beac7e3faa956b4df751c7f105eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd08beac7e3faa956b4df751c7f105eb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\install.exe
  C:\Users\Admin\AppData\Local\Temp\install.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\isass.exe
    "C:\Users\Admin\AppData\Local\isass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4964
- - C:\Users\Admin\AppData\Local\iw4mp.exe
    "C:\Users\Admin\AppData\Local\iw4mp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
4.4MB

MD5
8af8fbe11be6ea25676701425eddf522

SHA1
9cf2a7298c0602ef4314f85e39fed4a222a89810

SHA256
b0d5878a3a8954e873faf16426392cdff5ae524808e4880a7a5b4dcea370fafb

SHA512
ef2ac810643d7157454b9a1efc4e430150e162046f968cf1a100142d97d3e9742c50c429b22871f0b84cad00434a43a01a281e8f1ae716558898a7282a69d9c4

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
283KB

MD5
c8a296656434d12f38f81c20658aa22a

SHA1
b0accb247a0240fe013ad4553ae82aa611141093

SHA256
4bf10309a01a8227850e41738adcf2e0386e735949d47a97ace5c1f48f73ef78

SHA512
464dee2beb48f825a1e95be24edf29b94055bdb2c994ad934205a073ad30758fb4e5d3e923466dc734c34ffad15d1a3d05b407c0a82d2fa946026967b24598ea

Download Submit
C:\Users\Admin\AppData\Local\iw4mp.exe

Filesize
3.7MB

MD5
d8c4f914800f17b42292a87b20ce5087

SHA1
c642ed37f9333ea703d1303e0e5f4bf1c6419d3e

SHA256
d381ec1b63ba6c2123e0d54d694e7b20726e1e65c966eb766cc517eb4b925484

SHA512
d8f93f31cd91148aa13eac8f5d71e9b102c954d952a0cbe8f4839f89299a63ac450f2bb888debcbfded21e74c2a9649dc2c4e736d99e2ab122cf26adb2bb9ae8

Download Submit
memory/1464-23-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2892-0-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2892-6-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/4964-24-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download