d9d6b5299bb5bf821deaea40fba639633c5831a6e4e4186b8a8542f9149004f0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61220c9c5a7d4461b6b97dbfd91baa8e_JaffaCakes118.exe
Size

1.5MB
MD5

61220c9c5a7d4461b6b97dbfd91baa8e
SHA1

bd3a999511801f29b6a36cf805708df9ab483909
SHA256

d9d6b5299bb5bf821deaea40fba639633c5831a6e4e4186b8a8542f9149004f0
SHA512

891cac3acc66b5835e4392b4944d039dd0b9c4f5501fc7c0cc2c6fe7d135f932bed9a91d3fac30f5855343e55e26a820b8328f64bb97683ff0ddc87456b65da5
SSDEEP

24576:saHMv6CorjqnyC8xlD9bjB39g4QkrUrPtyqS:s1vqjdC8PD9bjB39tQXP4qS

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	61220c9c5a7d4461b6b97dbfd91baa8e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	uncrypted.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4456-0-0x0000000000400000-0x00000000004D3000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1684	1984	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61220c9c5a7d4461b6b97dbfd91baa8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uncrypted.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 1984	4456	61220c9c5a7d4461b6b97dbfd91baa8e_JaffaCakes118.exe	84
PID 4456 wrote to memory of 1984	4456	61220c9c5a7d4461b6b97dbfd91baa8e_JaffaCakes118.exe	84
PID 4456 wrote to memory of 1984	4456	61220c9c5a7d4461b6b97dbfd91baa8e_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\61220c9c5a7d4461b6b97dbfd91baa8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61220c9c5a7d4461b6b97dbfd91baa8e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\uncrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 272
    3⤵
    - Program crash
    PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1984 -ip 1984
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut9990.tmp

Filesize
806KB

MD5
676cf7133359d0a68086174655cded20

SHA1
38f2a19ab6b80c18f0c16c38744fc9d2436b2c5c

SHA256
6676e0f8d1289a981849f912cff81f05ba27dffe1e0877f8a9eb689662f43b05

SHA512
c02117cf42a3f296a0d31c7f4cbe5a20a350c0e978bb3f4bc320f61d087d10618e22fa14d70c7fbf925e2937c3622bde9fd95a497e9ebbace49d2c535ee02831

Download Submit
C:\Users\Admin\AppData\Local\Temp\uncrypted.exe

Filesize
806KB

MD5
4e20d20b85b66165651b8372e44114a9

SHA1
5717df171be5b6bc4fa635c392e9a49c46b09490

SHA256
fcb21d924b5ab6f9524c839cd27a3928a036e8dfecaaf943301b20d913927b6a

SHA512
c840060fb2c29d0f77a5e60448a46ace7a9cf0e39915dabf1fcc4e741464b3083136b9e131aab01f290a3610743c8468900678ad6bcf7931cf8420c927f33b99

Download Submit
memory/1984-21-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-27-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-242-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-244-0x0000000077882000-0x0000000077883000-memory.dmp

Filesize
4KB

Download
memory/1984-245-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-243-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-209-0x0000000077882000-0x0000000077883000-memory.dmp

Filesize
4KB

Download
memory/1984-208-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-217-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-196-0x0000000077882000-0x0000000077883000-memory.dmp

Filesize
4KB

Download
memory/1984-194-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-186-0x0000000077882000-0x0000000077883000-memory.dmp

Filesize
4KB

Download
memory/1984-177-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-167-0x0000000077882000-0x0000000077883000-memory.dmp

Filesize
4KB

Download
memory/1984-157-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-149-0x0000000077882000-0x0000000077883000-memory.dmp

Filesize
4KB

Download
memory/1984-126-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-106-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-97-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-86-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-84-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-82-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-80-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-77-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-75-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-73-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-71-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-69-0x0000000077882000-0x0000000077883000-memory.dmp

Filesize
4KB

Download
memory/1984-67-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-65-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-63-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-56-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-57-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-54-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-52-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-50-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-48-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-46-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-42-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-39-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-40-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-35-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-33-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-31-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-25-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-23-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-20-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-185-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-165-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-147-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-138-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-128-0x0000000077882000-0x0000000077883000-memory.dmp

Filesize
4KB

Download
memory/1984-116-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-88-0x0000000077882000-0x0000000077883000-memory.dmp

Filesize
4KB

Download
memory/1984-61-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/1984-37-0x00000000006F0000-0x000000000075C000-memory.dmp

Filesize
432KB

Download
memory/4456-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download