fa7c01f3963cf5a30f8b5365102bc3ca4753414404ffd34df5ff5f66d50dfe83

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3abc202908089cd060934907b3fe7141_JaffaCakes118.exe
Size

28KB
MD5

3abc202908089cd060934907b3fe7141
SHA1

b7764c1ac7cbe9dfd66207fd4c0023d7d98155b8
SHA256

fa7c01f3963cf5a30f8b5365102bc3ca4753414404ffd34df5ff5f66d50dfe83
SHA512

de3f33b7b1508d00050e7ff6e43a2049466f1bcad71856bf22462d67e7665a7f61f51bb0fca6431d82bf1f3ef366e0fb2067055750e648ba47a42f1e9550e15c
SSDEEP

384:OG4TebV6dbuoh1kX681FN6BAZAHh6yCqXKKsqHx7Z8:Ieb0brB81FQ/Hh6kr8

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	3abc202908089cd060934907b3fe7141_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	quip.exe

Executes dropped EXE 1 IoCs

pid	Process
3976	quip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3abc202908089cd060934907b3fe7141_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quip.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3976	5108	3abc202908089cd060934907b3fe7141_JaffaCakes118.exe	84
PID 5108 wrote to memory of 3976	5108	3abc202908089cd060934907b3fe7141_JaffaCakes118.exe	84
PID 5108 wrote to memory of 3976	5108	3abc202908089cd060934907b3fe7141_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\3abc202908089cd060934907b3fe7141_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3abc202908089cd060934907b3fe7141_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\quip.exe
  "C:\Users\Admin\AppData\Local\Temp\quip.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\quip.exe

Filesize
28KB

MD5
f64c1ac3112aa338772bd1ea181ba335

SHA1
6618ec85d83a70ec81f8d590b09f2977dedb30bd

SHA256
ba9cd0ccdd9c1bfd82803e2aba5b4f8839565835456292e975804fba789483dd

SHA512
c3952c90f64da13be927c924346efd9bba7f97552bd9271e33fb27cd71e1be2b594fb3df5bce7c766c16614765b45bf2342c9201db2b8a6cf71c99dcef8e1c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\wipet.exe

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
memory/3976-8-0x0000000000480000-0x0000000000487000-memory.dmp

Filesize
28KB

Download
memory/3976-28-0x0000000000480000-0x0000000000487000-memory.dmp

Filesize
28KB

Download
memory/5108-0-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download
memory/5108-10-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download