fc0b7ccf36da717b2588b3661d0c2100b2c035346173161bc28b0d49646fc18b

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb4eb172ec53c655713f0d2fafd0903_JaffaCakes118.exe
Size

8KB
MD5

feb4eb172ec53c655713f0d2fafd0903
SHA1

d43af5ef0fe7bd6d1a282272efb8ad8e5477f476
SHA256

fc0b7ccf36da717b2588b3661d0c2100b2c035346173161bc28b0d49646fc18b
SHA512

962fc7a9203687bce7defa8a6a1642eb199719c8030fc0638722b0ec2d16234601e82388a989ac34a1506ff36a923a37f67487f54693d07aeb44774d3a2c4fdf
SSDEEP

192:d5ERMpv25+9IXzXYFaNJhLkwcud2DH9VwGfctlXO:mg25VDXsaNJawcudoD7Uy

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	feb4eb172ec53c655713f0d2fafd0903_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	b2e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4936-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4936-11-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feb4eb172ec53c655713f0d2fafd0903_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 1916	4936	feb4eb172ec53c655713f0d2fafd0903_JaffaCakes118.exe	82
PID 4936 wrote to memory of 1916	4936	feb4eb172ec53c655713f0d2fafd0903_JaffaCakes118.exe	82
PID 4936 wrote to memory of 1916	4936	feb4eb172ec53c655713f0d2fafd0903_JaffaCakes118.exe	82
PID 1916 wrote to memory of 3120	1916	b2e.exe	83
PID 1916 wrote to memory of 3120	1916	b2e.exe	83
PID 1916 wrote to memory of 3120	1916	b2e.exe	83

C:\Users\Admin\AppData\Local\Temp\feb4eb172ec53c655713f0d2fafd0903_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\feb4eb172ec53c655713f0d2fafd0903_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\6F06.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6F06.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\6F06.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\feb4eb172ec53c655713f0d2fafd0903_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\705D.tmp\batchfile.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F06.tmp\b2e.exe

Filesize
8KB

MD5
cc9b3dd95489ada846ec9466336836c8

SHA1
72ccfb533ab5505ac19f33ddd3347097e1f63a5d

SHA256
a596ebaa75ff3c6f4185c4e1b8756ad69a3e9146088803fb9cffb9bd28e0d415

SHA512
ba4a6173aaf9644020c6f6bb2bc5aefbd70e120dbb186416c4b9f2d121a1fe8550212ecac4f632509c1acded2cf8888c41353e56ef77decc5da96102cdf18d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\705D.tmp\batchfile.bat

Filesize
41B

MD5
06752ff7fc84f776efa4c4ef2d1d121d

SHA1
e52f4a4e33059a4bedbc459949645ce751fa1959

SHA256
b23d020816ada654d2969346e0c7c20e84607c94e0af9b09899cf5bb39a33c57

SHA512
6c338107baaad30fa7d0274a4000eddf2d6bba567cd78661a10d97b81954d93ffeb7f2eb88f65a7fe351924bbd0f96d567fdf17f92c260cb6b020b9949dc4bbb

Download Submit
memory/1916-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1916-16-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4936-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4936-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download