1b5407e195523efb8b3a0a8f158a4711d7542566814e0768561bfa344f8ba01e

Analysis

max time kernel
144s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
Size

356KB
MD5

1a803aa01ae2e2d63cc77268df29cd81
SHA1

cffd01a22412e9c97d452eba82afeaaad68e80b7
SHA256

1b5407e195523efb8b3a0a8f158a4711d7542566814e0768561bfa344f8ba01e
SHA512

cb003bf9d6afdadb40a5e72f4930688d082947c489d30f3dea6d834ea53e8a4c9991df9a9fcdbfc22337d28643ea2228c89cd511a1c048298ff5bee782ccefec
SSDEEP

6144:zWv4Cm0pH6+aBYHoAaqWeN+m0t11BLefT+in19wOlDzPGUC:zWv4Cm0Z0SoA570tX059wOlDC

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

1277497836.exeinstall.48596.exe

pid process

4284 1277497836.exe
3212 install.48596.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe

description pid process target process

PID 1336 set thread context of 1376 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1052 3212 WerFault.exe install.48596.exe
2328 4284 WerFault.exe 1277497836.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe

pid process

1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
1376 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe

pid	process
4284	1277497836.exe
3212	install.48596.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe

description	pid	process	target process
PID 1336 set thread context of 1376	1336	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe

pid	pid_target	process	target process
1052	3212	WerFault.exe	install.48596.exe
2328	4284	WerFault.exe	1277497836.exe

pid	process
1336	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
1376	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe

description	pid	process	target process
PID 1336 wrote to memory of 1376	1336	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
PID 1336 wrote to memory of 1376	1336	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
PID 1336 wrote to memory of 1376	1336	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
PID 1336 wrote to memory of 1376	1336	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
PID 1336 wrote to memory of 1376	1336	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
PID 1336 wrote to memory of 1376	1336	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
PID 1336 wrote to memory of 1376	1336	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
PID 1336 wrote to memory of 1376	1336	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
PID 1376 wrote to memory of 4284	1376	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1277497836.exe
PID 1376 wrote to memory of 4284	1376	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1277497836.exe
PID 1376 wrote to memory of 4284	1376	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	1277497836.exe
PID 1376 wrote to memory of 3212	1376	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	install.48596.exe
PID 1376 wrote to memory of 3212	1376	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	install.48596.exe
PID 1376 wrote to memory of 3212	1376	1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe	install.48596.exe

C:\Users\Admin\AppData\Local\Temp\1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\1277497836.exe
"C:\Users\Admin\AppData\Local\Temp\1277497836.exe"
3⤵
- Executes dropped EXE
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 432
4⤵
- Program crash
PID:2328

C:\Users\Admin\AppData\Local\Temp\install.48596.exe
"C:\Users\Admin\AppData\Local\Temp\install.48596.exe"
3⤵
- Executes dropped EXE
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 272
4⤵
- Program crash
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4284 -ip 4284
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3212 -ip 3212
1⤵
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1277497836.exe
Filesize
95KB

MD5
c8362f57cf7a2271a20c8056cc49b65e

SHA1
5d6740e14c0c6030bf5cb288ca4b1cad2e8a9a1d

SHA256
9dbee09790bb0eff14a644fb7d4e5fc5fcec019aa0c80e4c8778076ba329eec8

SHA512
a7fee49f3176658390ea23c077b7945eeb0dc6a8b3eec1f60d7d10e4645439e39cd7d0de8368d16fc9c06f2b5d05fb5f77de6f73edbd82b0372b4b83fe9a3494

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.48596.exe
Filesize
124KB

MD5
97232d4a91eebac55a4aa3037ef676b3

SHA1
00a7dd88a5c9aafd7f82352457b6b578c69a2539

SHA256
981faf0980638057cb656e7921257ff3a2a44231c03495f7e6a19cf7ece20754

SHA512
e5825f34f8ca6f164f8ae76a2d1a4670daed257733df764cc60d60f7e5f10c13478d3c757dc7de5028f1dcdd00343d16ff4ea500e7a9ce8951772acca2120ccb

Download Submit
memory/1376-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-4-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3212-29-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3212-30-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download