762f8497e5c2b9ce01f00b27f581fcf520dc5a2c481dad7948801fe6ce4fb953

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7a9ea533f97172e64ae9d8509d7eaa2_JaffaCakes118.exe
Size

2.2MB
MD5

e7a9ea533f97172e64ae9d8509d7eaa2
SHA1

db2258cac6ae063c3349e8c14acd929a2a5f4f43
SHA256

762f8497e5c2b9ce01f00b27f581fcf520dc5a2c481dad7948801fe6ce4fb953
SHA512

df3e04c84bef9616ad5530ab9cd413e197415192a25f8a1c63588c09d4b4b8d4d18e88c1b50d028f859ec4c978e49b614f242b455908da53e8dd559d6c045294
SSDEEP

49152:O/aoYUrbV6cdRJodwU0FeV6mIQ45UC7DqWiAvFrVw2feB8HW1mc:Ea9IRzdnReV69Q4mMDqtAFVdDWf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	e7a9ea533f97172e64ae9d8509d7eaa2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	rinst.exe

Executes dropped EXE 3 IoCs

pid	Process
2952	rinst.exe
2268	SandboxieInstall.exe
2252	SandboxieInstall-64-bit-240611421.exe

Loads dropped DLL 3 IoCs

pid	Process
2252	SandboxieInstall-64-bit-240611421.exe
2252	SandboxieInstall-64-bit-240611421.exe
2252	SandboxieInstall-64-bit-240611421.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kw.dat	rinst.exe
File created	C:\Windows\SysWOW64\svchostwb.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\svchost.exe	rinst.exe
File created	C:\Windows\SysWOW64\svchosthk.dll	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023235-24.dat	nsis_installer_2
behavioral2/files/0x000700000002323e-40.dat	nsis_installer_1
behavioral2/files/0x000700000002323e-40.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 2952	208	e7a9ea533f97172e64ae9d8509d7eaa2_JaffaCakes118.exe	86
PID 208 wrote to memory of 2952	208	e7a9ea533f97172e64ae9d8509d7eaa2_JaffaCakes118.exe	86
PID 208 wrote to memory of 2952	208	e7a9ea533f97172e64ae9d8509d7eaa2_JaffaCakes118.exe	86
PID 2952 wrote to memory of 2268	2952	rinst.exe	89
PID 2952 wrote to memory of 2268	2952	rinst.exe	89
PID 2952 wrote to memory of 2268	2952	rinst.exe	89
PID 2952 wrote to memory of 4156	2952	rinst.exe	90
PID 2952 wrote to memory of 4156	2952	rinst.exe	90
PID 2952 wrote to memory of 4156	2952	rinst.exe	90
PID 2268 wrote to memory of 2832	2268	SandboxieInstall.exe	91
PID 2268 wrote to memory of 2832	2268	SandboxieInstall.exe	91
PID 2268 wrote to memory of 2252	2268	SandboxieInstall.exe	92
PID 2268 wrote to memory of 2252	2268	SandboxieInstall.exe	92
PID 2268 wrote to memory of 2252	2268	SandboxieInstall.exe	92

C:\Users\Admin\AppData\Local\Temp\e7a9ea533f97172e64ae9d8509d7eaa2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7a9ea533f97172e64ae9d8509d7eaa2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\SandboxieInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SandboxieInstall.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\system32\pcaui.exe
      "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {218d2995-cee9-4129-9896-a492a952b4ea} -a "Sandboxie v3" -v "Sandboxie L.T.D" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 1 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SandboxieInstall.exe"
      4⤵
      PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\SandboxieInstall-64-bit-240611421.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SandboxieInstall.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2252
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SandboxieInstall.exe

Filesize
2.0MB

MD5
5b177572876deecfaf985d58f95c87e9

SHA1
1f842e4ada6411e9714c8795594d15d0e1a00a00

SHA256
df71616ced532cae532a85f3cec302173b24db37fcf2b3d7bb420a5d11adb0b8

SHA512
2cda2f46dd7e9855d6b6af13b09a062b509feba2828ea96e9a164a470d965357fadf3a1bcf791bb932af3246626a703631df67899655ed621aed37d476e418db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
1fb6ac36b264ed12f5bd1f82af581393

SHA1
c4443c85637230bf56f8f50b23ab6696a1ea92d7

SHA256
588b4ccec760a71c9664943ccbc77a5c7477c96befee3628f7968e6a65e4b31a

SHA512
a874c467154f2fc5ce53fe0965702bede654b67fe4ea8c9114ca2efa7037ddc0044533166069d0ac9a5accaa7f5c279d5e552e42b4aefe3fe88651da09d71911

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kw.dat

Filesize
11B

MD5
0e3d8689fe15096efc6561f65d39baa9

SHA1
6a00effcb4690f56b34f120f2c95b05487498957

SHA256
fbbf44fd2a5ae30a553b34ea9f1c66ffba56c6da68f0bdf9d548a8f65dc4bc81

SHA512
78e6bc378b2403c7a4d8147523a0d93b8cd624f5df4374e514e085ba9b47203eaf864d78b8f3d681d2e41db6087783734e708f9d1d199ff02c2b04141d56407a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
4KB

MD5
1178e882a8b44febf67d037cd0747647

SHA1
060ac6885375585b9bfa15f037cd3067faabc47e

SHA256
b506f106cb65c633e5a68c4d7c22d994bd5641e92653c3ee95ec40577aeeb38e

SHA512
8835207cdc4756701bd40723c1c399da569131596b82d18a4a60eec1dd05af7dcf64e1660e2533fb910f5aca8f8ef3cd9a17c2a0af643be70dae09e1c14a4f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
fbe4bab53f74d3049ef4b306d4cd8742

SHA1
6504b63908997a71a65997fa31eda4ae4de013e7

SHA256
446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

SHA512
d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe

Filesize
424KB

MD5
ebf5493e006a930bbe13f8288038fcb2

SHA1
5702fa165f4dfddae168f995af609ce242a771ec

SHA256
a1cea7787e50d92ec3876c6442bfa892d442b4e5f1d3ee30e1fba77dc898fd7e

SHA512
9723798fd0bb9d90ed17fa7fcd081aa2fb86ffb909ddeb13949a1e0e665a2fe6c52e49f0bd62dab798a0ce43a22611c6062d1baaec2ee50556ff92cfc732a39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchosthk.dll

Filesize
24KB

MD5
d8c9871b9803f4af30478ab6a414c905

SHA1
178c96fdf686b773fdbe3b49ed9e9e4bfb581c80

SHA256
af6dccd2563ec7505c5df2162ff3cb0a3b92480a42be854d0d8c6f943c065637

SHA512
47af343293729c203ea612c2876d7c0b277e90756a08985f71456396d739fa4c47c5c606fb5b239aa484b2b916b17c468b23b315e6db5a6ef45a17c8d002cacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchostwb.dll

Filesize
40KB

MD5
00964ea7511153e32c574024b77cd143

SHA1
732effb9882b3adfa58cd76e3350c60bbf699bcc

SHA256
13601d81f7cfc83c582d63825d7cb19b96cc82d29901bc214fc2ac3eff6748ac

SHA512
a375ff591f3a169d587a65890c7cd0fed86023e68657cca1a0115671e475ad7056ec598c41ffaf57c7aae254545e9cea02ebf5f3bff8ae1bc9e4c5dc07095e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SandboxieInstall-64-bit-240611421.exe

Filesize
1.1MB

MD5
5956bd9e6464505eed33890141fe92d7

SHA1
1fabbc2ee2b29cb61e1b321809b7da6667927f18

SHA256
41380b072915bced1babed676f9a23c64d0ae2d2fdc7b98748a79ff393e0ae0c

SHA512
d4778c9be0740aa3032cbc91f9f6a903c4dce98ca8ce39cb3ee3634dea73584850cdf46c43efe1a97f7d571da92d29db76e50d93defd4a4d227f90adbde8e6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm71A8.tmp\LangDLL.dll

Filesize
5KB

MD5
a401e590877ef6c928d2a97c66157094

SHA1
75e24799cf67e789fadcc8b7fddefc72fdc4cd61

SHA256
2a7f33ef64d666a42827c4dc377806ad97bc233819197adf9696aed5be5efac0

SHA512
6093415cd090e69cdcb52b5d381d0a8b3e9e5479dac96be641e0071f1add26403b27a453febd8ccfd16393dc1caa03404a369c768a580781aba3068415ee993f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm71A8.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
memory/208-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download