bfa0a6a94f9f940232cad86f2ec9c1a52e5de7b8e29cd22681eed52df8f6ee20

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe
Size

16.6MB
MD5

e9fa19fb977b56defd431dad3ab7f58d
SHA1

6c4560c770106bd547667e5568dfc5b629bb5818
SHA256

bfa0a6a94f9f940232cad86f2ec9c1a52e5de7b8e29cd22681eed52df8f6ee20
SHA512

61f117667e4d1228254de5d500c246597e6401974998fa388b33e9af08c61d2c7a97637ce38df2a36736a02d50a5ccd09c57d1788292a3b7f20ba685681f16bf
SSDEEP

393216:y8j1ATZJ1RW0b4vhB1yZCvWyXrHrhqnB9E1V6r9IL/:r1+1q5B1v7bHrO94VUuL

Score

7^/10

themida upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1064	PES2012Patch106.exe
4204	setup.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000b0000000231b0-7.dat	themida
behavioral2/memory/1064-15-0x0000000000400000-0x000000000047E889-memory.dmp	themida

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3516-0-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3516-105-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 1064	3516	e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe	89
PID 3516 wrote to memory of 1064	3516	e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe	89
PID 3516 wrote to memory of 1064	3516	e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe	89
PID 1064 wrote to memory of 4888	1064	PES2012Patch106.exe	90
PID 1064 wrote to memory of 4888	1064	PES2012Patch106.exe	90
PID 1064 wrote to memory of 2004	1064	PES2012Patch106.exe	91
PID 1064 wrote to memory of 2004	1064	PES2012Patch106.exe	91
PID 1064 wrote to memory of 2004	1064	PES2012Patch106.exe	91
PID 3516 wrote to memory of 4204	3516	e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe	93
PID 3516 wrote to memory of 4204	3516	e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe	93
PID 3516 wrote to memory of 4204	3516	e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe	93
PID 4204 wrote to memory of 2400	4204	setup.exe	98
PID 4204 wrote to memory of 2400	4204	setup.exe	98
PID 4204 wrote to memory of 2400	4204	setup.exe	98

C:\Users\Admin\AppData\Local\Temp\e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\iss.tmp0\PES2012Patch106.exe
  "C:\Users\Admin\AppData\Local\Temp\iss.tmp0\PES2012Patch106.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iss.tmp0\setup.bat
    3⤵
    PID:2004
- C:\Users\Admin\AppData\Local\Temp\iss.tmp0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\iss.tmp0\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /p "C:\Users\Admin\AppData\Local\Temp\{0B75A20F-A3AD-4529-B31A-6AE635C37064}\Patch106.msp" REINSTALLMODE=omus REINSTALL=ALL SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\iss.tmp0" SETUPEXENAME="setup.exe"
    3⤵
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is3D7C.tmp

Filesize
1KB

MD5
e48def12f85132741735b067abadb174

SHA1
6ff1e37e25cd71d3825c553a44b746e2287c7bff

SHA256
766a76524cc1a9f2d57a0bb15a42f8eb14c93cfe852cc0e48fb4964576e2b793

SHA512
bdf14ab3bee25a49f19c71ac6b42e3abc8a492580817a0229648c77399ce2e88aa593adf6ee5f51aae0018b3fe9ea80c60dafe7b792a2cf2191211e9be214da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss.tmp0\PES2012Patch106.exe

Filesize
233KB

MD5
777b643e9b61d7d240b867029a04547d

SHA1
3b0c4dc2eb5a6540eb214f035cce0da7876d9155

SHA256
e42b216953ce10d8ce84b3e536f1119c494e15dd828dfe80aa9d95bc0261f7ea

SHA512
956bb5fd11f7f40284b3c1f4891b71cececeab57f7dbca025b716d9033cd8eac281320dafcdbf96a9421731efe0baf6b994013e899f92cb7d88d68067bb72572

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss.tmp0\setup.bat

Filesize
183B

MD5
c1fe28641bfb1c5db668dbc1abb5fc6c

SHA1
9cfbe8922d10262ddda79057e17dc26ac3b97a4a

SHA256
bdba16795d1c8314726ae86f9841d6297a937d62e81fa22d50caafd52e1dc981

SHA512
2dd5aebc9e7175e7cb1f981742c9644316e7b655b490bf8b7fcead407761a2535ea4291f5e2610b22e8b73bfe7f4cde2d1638ee54d1162051eefe9bbc305b58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss.tmp0\setup.exe

Filesize
16.5MB

MD5
07e79ffa8d7e3148c9c16537d97d10ff

SHA1
fdf1651c88e27da4b433497c420212b1e33cedf0

SHA256
698761f785aede8281bd10ee1fbd2bb5a4f350ae1c18a2119aac78e6785412a8

SHA512
71518e653702d3cdd783b79f071ca715d019c88c229dddc86698e4a2f9b6c56b36eb132788c2eadc3987355941c15c55df7b070f693f3561e116261f148d55be

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0B75A20F-A3AD-4529-B31A-6AE635C37064}\0x0409.ini

Filesize
20KB

MD5
36affbd6ff77d1515cfc1c5e998fbaf9

SHA1
950d00ecc2e7fd2c48897814029e8eedf6397838

SHA256
fccc7f79d29318d8ae78850c262bac762c28858709a6e6cf3b62bcd2729a61e3

SHA512
2f29de86d486db783872581a43a834e5064d1488bc3f085ddc5a3287eb9ee8a4ce93d66f7b4965cafb3c4f06b38d4b0fcfdc0fcb1f99d61331a808e5d6011808

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0B75A20F-A3AD-4529-B31A-6AE635C37064}\Patch106.msp

Filesize
15.7MB

MD5
bb729faf320043046711052c3211d378

SHA1
495853a5a5f8040bcad55db6282b0a7e172d0f69

SHA256
f9bdb2a3b7d7028b860cc28bda2cf259e238a6ebcc952d50a88c6f6decb760a0

SHA512
4b86f3cfc4851b2dad32041d8a74347995e19b61f877105e10870dda355bba48b4a214616d8fe54a75b00a9ce85ac56e2d03a631aca9fff171960b880f4b4ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0B75A20F-A3AD-4529-B31A-6AE635C37064}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0B75A20F-A3AD-4529-B31A-6AE635C37064}\_ISMSIDEL.INI

Filesize
600B

MD5
0ec01386b8664ceb528e98b6eb949735

SHA1
4ea397d254a8c6a257afaad367663b84339aca4e

SHA256
3a41858b8ec0905c9be820d8683ca795de7ccbf5795727294ab1b1215ec721b8

SHA512
85d81e3095602909404df567e584fbbc2c9bba3a65638c7b553d520ad478df9011f4d5898e2ff8611f317a2135e7cacb386f08483182626106d8598ffb8ebff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3D7B.tmp

Filesize
4KB

MD5
8c802f13322ef60e098c08e01b9987ab

SHA1
9a986a2a07e072ab39ae7a0b9c230f1592c498e9

SHA256
982c89ca9800c36870fa33a7fb3dd1634c0911f08f13dea702228e668d67cbec

SHA512
9f21e38622a8c9a1876db51f8d03111acbdbdfb8f0d7a800565f311195b18a3ff301ed29986742ce0a3a9d40cc506e0fe399d67ffc2965457ccd96755b239fa0

Download Submit
memory/1064-18-0x0000000000540000-0x0000000000556000-memory.dmp

Filesize
88KB

Download
memory/1064-19-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1064-20-0x0000000000400000-0x000000000047E889-memory.dmp

Filesize
506KB

Download
memory/1064-15-0x0000000000400000-0x000000000047E889-memory.dmp

Filesize
506KB

Download
memory/3516-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download