bf4b78748aa67793bad567b0d7238be0139eba79871373a37028f8099d3b16d3

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
Size

35KB
MD5

180e3475e399ac18b0086cca4fea386c
SHA1

a1e46d0950fe20d3355fbeb30ccedf26cfafd701
SHA256

bf4b78748aa67793bad567b0d7238be0139eba79871373a37028f8099d3b16d3
SHA512

38dd4d72fdacb1fb1ad1308043e7cc58fb6974d0a70170b2d8330593e961e0201019846e802cf6096eef99add029f212e79645db18add9c8c9139aa18663eff0
SSDEEP

768:yKgphok5Fvwh62at6oBG8F7mlXPw4AwySaEtVvwIioyPyYebfC:yKMfwM2a68F78Pw4ASDVIIpyaxfC

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program files\MSDN\000000001	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
File opened for modification	C:\Program files\MSDN\000000001	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
File created	C:\Program files\MSDN\hehex.sys	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
File created	C:\Program files\MSDN\LHL13.sys	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
Token: SeDebugPrivilege	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
Token: SeDebugPrivilege	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 2360	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	82
PID 1492 wrote to memory of 2360	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	82
PID 1492 wrote to memory of 2360	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	82
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56
PID 1492 wrote to memory of 3416	1492	180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\180e3475e399ac18b0086cca4fea386c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c time 12:18:00
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSDN\000000001

Filesize
8KB

MD5
327180ab30a351dedc9deb86fe0381a8

SHA1
708ae23f36a1b1469e9f6cc69ae09253db07aa30

SHA256
7958903eea08465af3a3f5b039c33bf3a5f9562432a278780fe992642801837a

SHA512
f14580d4b1be71c1d1e1c870645971d6355527d5b98e4198f255c31d23d0517479afcfc1e2378e7541774e91bf582da0319d4963c105f01c3ae8c91da57a9cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.bat

Filesize
216B

MD5
b7f84f1ea905d1b9f193bb9af26da129

SHA1
8eda687bfc8ecc47e5a9bcd39dc4ed43f8f3556b

SHA256
0e049d965dfa6574278c44ef2db45edef1059c63c0c11185d526a1e24c8003e0

SHA512
b4a1ea26a24b7b761770c283b95373ada5947e93d3587f9d0d258e46a9796f89d6d57370c6fae204dfbfd6320d9871efd30505132228b32bf0c8b77051667826

Download Submit
memory/1492-1-0x00000000021D0000-0x00000000021D5000-memory.dmp

Filesize
20KB

Download
memory/1492-2-0x00000000021D0000-0x00000000021D5000-memory.dmp

Filesize
20KB

Download