cf581048fdd586f6f3a18444e17b1ce8c145651a3c78f0b6a945c1c4977a732d

Analysis

max time kernel
126s
max time network
128s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26236688c2dc44d5650bbed5e31d2631_JaffaCakes118.exe
Size

55KB
MD5

26236688c2dc44d5650bbed5e31d2631
SHA1

5d70df11e2bac7c229d7c41547b3b88c2b90f24a
SHA256

cf581048fdd586f6f3a18444e17b1ce8c145651a3c78f0b6a945c1c4977a732d
SHA512

68acac5190b35db4f656de3f815762313ce374ee54cf6be7dcd2a14a82a2135f796e83d60a96c8e03d1469e844ee907a5e3f2c208c27f9d04cbb672e551ee982
SSDEEP

768:BkfPArKcTw+lqvdu/c+7BLbC4kzSk+WdXpfmjxrvHREtvH2MMLpq:BIE/wZvdGc+tPC4kzx+CqxDHIz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	26236688c2dc44d5650bbed5e31d2631_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26236688c2dc44d5650bbed5e31d2631_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1680	26236688c2dc44d5650bbed5e31d2631_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\26236688c2dc44d5650bbed5e31d2631_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26236688c2dc44d5650bbed5e31d2631_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\showthread[1].htm

Filesize
1KB

MD5
37e48bab25eb73fad50567c1b4932edd

SHA1
4b26a8ad91d4f94a38886f8b0d60793301f77133

SHA256
9a7542fbcf0a06197ee44c851b28fab213f08f15bb86bfd9653a874ce46c85c2

SHA512
3213d35f9ef884920ec08914b767b125f9c05f08c9c5591d0eccaa45121cf349bd23badd631455e9574cf03f0108a65294d2e5ea4e6f4bbaa7524e733781ca71

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\plugs\mmc199.exe

Filesize
1KB

MD5
f242ab1198d7ac959e0c651d7117472e

SHA1
50875943350f99eeb01501261d476ba67fa0e293

SHA256
b8673d414425e0e867434960b9a6252442c17bcccb6bbe57393ceeddf286254e

SHA512
705ba5f9ede97b07fc0a1516e574da5dd2df930ebbbf834887148269e723d942b3a8e04457d429260c9a27c38378fea46df11c5c1f63ade8b5f4a9550c55378c

Download Submit
memory/1680-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1680-0-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/1680-2-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1680-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1680-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download