Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
17-04-2024 17:35
General
-
Target
f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe
-
Size
530KB
-
MD5
f6502fe2f8d492436051cff7a249b961
-
SHA1
7d0ef66098f863ce44e277348e64938c5bbfefd6
-
SHA256
5623a900a9d242177a0b737deb794982eb2c37d09dc1c4c9f0af76b20a0657b9
-
SHA512
e9b2bf646f325a57f5d5ab026765b481baf56013f4591581d1d88bfd9dba709f128f80af07b276e42c87d0fb470627631a02350e42e117a40ba424b8f4b41c44
-
SSDEEP
12288:9X8PGfk+V8Lr47O8kZD3HTVARkgt0tAsCQLWGYLL:ZSj+W4hgLBARkgOCQML
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Testing.exe"C:\Users\Admin\AppData\Local\Temp\Testing.exe"3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Testing.exe"C:\Users\Admin\AppData\Local\Temp\Testing.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\install\server.exe"C:\Windows\system32\install\server.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 5926⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 220 -ip 2201⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txtFilesize
224KB
MD5246a200ee8db2230455750e6becb3f2a
SHA1547ef76d3eeef614a8a37baf03e462af21129fe6
SHA256d719faea7ed8f1680e914b1ba2c5ed22962523ab3053f0bdc7a087d04c04d16d
SHA51270f3b7b4536fbfa5d40c904ebe40ac52ffad918301c0303afd5757d98a3c0a8133d36733136e6e883113cd3d10b75f536261368cc930ed62e2e05c19ff624136
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD5c44c942ee96a70a9e9561bcb83c80dec
SHA1847ca80362721f0b5dd10edff794c1c6defba373
SHA25632e8499b5ee7fbb149b10b5b2141cabcf32d4697aa66130f94248657939db4e3
SHA512478f7d11f7ef3650363ca0ac4429d4a8327409b26535b9e1d3aef2cd6ab7555e74df6fc23503234f10b44141a677a2de391d9d11d6c2918f824468f20b52a83c
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD5398fdc6f9f6a4772e086a141517fc033
SHA13dcf17d0a78ae669ec58310692e5755b3ca3bc6c
SHA256cee7eea49cf98365b7f638a39ca9df78bbad5f9b9f156e8f92a66868cd655a92
SHA5123f18189d3bbee9d56521f264f81f1f7746cc717e2acb1f4df14ace7c646dbdc233a234061bb2619d0304a0b3fe43c9966f2381ad4f3e582215beecc578fb0367
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD55a9b5e1b6afd48e45a9daa96cf816580
SHA1d7bc516473b6d777dee841e8671f0d2a116b386c
SHA2564c908b07a2a36acb500de253d80dd70fa9d483266d698bd84e458c316d200dbf
SHA5129822da645112fc79cb4c03ca12fbbe58e55f11f56275496bb977cedbe02e38efd8631c881834f3b1dc4a0a0bf4f886a08211c4a06ef08150df6252b9dc708e68
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD5179ba186b21fa44ceab50b7d92b0828e
SHA1c57f049e00ced758f68a1fcdca867299eaeb65b0
SHA256c7c2d62a8e6cb54daff3b80eb5574a000c4e46e871b201a9742c9e1606b240c3
SHA5124d8baf79b8f71018b865595a25847723818033e8ca9ca351356cbee81df808a9ccf7d334d804b834469717bc56a02dcb0b7f4e93246ae356bd672984f8afb2be
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD54be75c847a0488208738ddb1e17b6381
SHA1f79f3df86a6581b93891c9ed29b4360548a1199a
SHA2561dd6b93a12db99bdf685470e97f6b4f3d3e1638f7b71f35f2793315a55d499ba
SHA512094b4b37eb44fec1eaeb1e043beb9e5dd0db1fbf7e9fb98a5f0662a8d83bc92abba948ca0e71a3461d15ccc3dd02199d094eb3cb8bd54419515a6d0b0db93b3c
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD545e7defba5c0203ae1168f0ce056dfd5
SHA1f09eeb6e1ef276b145bb915d4b6aea1584a613e3
SHA256c11d8468976a0c39e209bc3006fb85205e821ca025662f852e4fab442971e876
SHA5128ecb08170b253259598c844cab270b5842666b1324f67b727d9550d19cc9e174559f1e053afa682298f7e0a042b1aec0d6148866b32f6f1e6ea1bfca58c7d933
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD55f7b9675433fa983fd1baf5db5219ca2
SHA1d9f4e9b376a78c179b639ca595ec7d4314fa01b0
SHA25684093636a666012d803756375105e6e8f0b13fde779f4e12d5acc3a4f83adb56
SHA5127eca92416d2949dc47d06340e3a484fe0c68ec87db5d38180c6b99684bb6a6dc7897bdae25bdb799a38f076ffcc8f369cb99c09554ef38421385360a63ce93a4
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD5a932e66a9e3b430908bea627fa69d8a3
SHA1415fb98f398d7f8d2fd2283a91aee6054c3aed30
SHA2564e21765d18aab245aef29236c7b6e3a9e31a5d6aaa4864b033e97926669b610e
SHA5121be493d84bcc733fc91b20924ae62a75bebf6b12c572e1b45bceed0692514239d7527a802072947c57967d22274b779da481cbe922f4582abbf10fe2218805c4
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD58b06bc695616e6daa2f917a15f283151
SHA102372e1208fd332a94ed445d9cbffcde2da08f86
SHA256d1d598eafee3b9170270fae0bd9ceaaeef943b1f1c8a6e7fd62ba6806f45cbaa
SHA512bd35bfb9860e41192280a02c74734d8756f3a2f51a22795eb32f22e19e2f69c8abe919426c4fbff1049f5f22b3b62fb02499179db10d4bb75cd9329fb6e406a5
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD560e6b3d9586d7295b89e7e61c57d0497
SHA13b6bbf6db8a56fc9c51596a1a51cab95cb086782
SHA2564632860f639e9d4dc91c0555b5a0d0106e911a35ad10e36c3bc21ac9e5c1130a
SHA5128320ed70c399478cdab465677ec02566460e868219da0c1e2c27f7c4d344be6711770fa32481afef32682a63a3af69fc8eb519fc8e767a8e73b77515288b15c3
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD5be3b8886f20ea6a3175bd69b9577c6f6
SHA13f3ac37053eb310e4e79c0f7446d517a6b13f26d
SHA2560b615216435a5130666646ada3189640df623419ddbf10f5b1acddf3a139ff24
SHA512c0a451d993adf4d8b7e715531c947286fcc8463b74c8fa635d94fb80a3e00578ebe067729000ce7457985d6359a1123a77a6b4d9eea8979560f2788669d620ee
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD540eaf928d0369e0f29092423510c29a9
SHA16d9e259b8f1c7b92a24ec24b1ee884fb53493019
SHA256b1af80668cd7aebc9bed8dbe590232fc7c89f733b0b73e8c62b4810de9e63663
SHA512d90f64dea676f994498ad9054539d3e3ce6ba49951f139cc4e245a44f403202af66b43cb8fcb9e5fc6120eb4376b41a6d13aa63f46c2c90da382b21271e3115f
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD5b0838df9e181885aea7c6ed6d249f4cc
SHA1cfee3e54cc68f47928db5ad37b391ec8cf853b84
SHA2560c9b1d790b20cbb66298ba5c5252cf14759529f96f239195570c498b57bdd5d3
SHA512970c32f55b786d3e62941475290400d08b5fd2f00c4a7fa553252ada7ac987ae7d6da07985006d4794e7cc9f78762069d35e89e26d9ca89ceaed5f145fef6300
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD5ee0cc6eb4643a60c2367e4ed157a1a2d
SHA11a08792d51482751ed5c4c422059dcce70fc7c65
SHA256aaecad526247b5444f5baf7421fa611b47413d5c4ae28523e6cd2cdbbd42c62e
SHA512e599d305aafd7833ee67d5fdb4214d1d5706825a1f942e829b7ad540a64aa5c46a160ee7bb7f750b791675752b990f34a1d0b84be3f93c86a5d09a0db1ee216a
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD5d7ea396d39fa7d9941f542dfa72b738e
SHA16adea0e35b6831b9bf16cc67ef90e6b57061c8fa
SHA2566d7a127e5b9789ebefce5470188b83cb977f2914306637efe077311625708a82
SHA512def6b1473b8883f7ffebdf60f669a6cc6737c5099b1fcbabe219221616af3cdd3d45181f0f42e7ef87cc2fac6227828225edbfa9302ba89b8cd77c016a86112e
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD5471ad42abf8c756e1acb3fee0fbcd915
SHA1bd3da7ec30399779d9f8bd3ac899d9000e4ab313
SHA25652d83c569a6dd0dc03b08de57d5adb48bd9411296b815ac792ee761e543d3a53
SHA51260cb9f3037a1c95edb30025d8a50af657dc3b283cceed6ac5e0fc0981e418e4840c075126dd1594f06905646615a37c9a873d6079b86a14c81ae6f76cb4687e9
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD5e63eb29dd2e3d73ef79256d3c4937cac
SHA1bfe62e9ada9ec19d6a2ff2c2d528e93ca0c6595a
SHA2569fd33fd0c2dc0476e8fdb94b7853433fcde0e27b8998e84eedb73bb549424f83
SHA5129d513ae48bea3e419ef3f14569f01a49369af4ec75198b295d933452387a73045a9e7ef38d2e07ecb303be331246a508d3eaadad88007e534ce286870a38b91a
-
C:\Users\Admin\AppData\Local\Temp\Admin7Filesize
8B
MD51cf8aa6624b5234bb3916b0f8b4f0971
SHA19f4aeea3fed663a3ff678b6811d6f898eebffd87
SHA256b026255540770d8ec70fb7f85c736b49dd3efdede9aa6790bd104b74c20c80d5
SHA512541600641ccc139de8c1b24bb5aa75758aad82ad20354532b3997baf457f162ed6732f9e194c36281d28ffd13998ac1999ecb1b796ce2f94ae30c596191a2144
-
C:\Users\Admin\AppData\Local\Temp\Testing.exeFilesize
296KB
MD5ee9b34767367aaa660049adb43c094de
SHA19884c5d7ef3eb03591515e6caac0ed70a62d7689
SHA25606d70401728ba068a54e4a1facf2a533f7b05530a433c4066175163094a29e8b
SHA512455e326f24a7b388f32b5e742c8eef1148fef0387e35c403cfbe920b1dd6bec8362f0c95a5c7e87898b648d051f097efb76e523eb9ccdb79c63f3c95c9272d82
-
C:\Users\Admin\AppData\Roaming\Adminlog.datFilesize
15B
MD5bf3dba41023802cf6d3f8c5fd683a0c7
SHA1466530987a347b68ef28faad238d7b50db8656a5
SHA2564a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
-
memory/448-74-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/448-14-0x0000000010410000-0x0000000010475000-memory.dmpFilesize
404KB
-
memory/2432-19-0x0000000000B40000-0x0000000000B41000-memory.dmpFilesize
4KB
-
memory/2432-77-0x00000000035B0000-0x00000000035B1000-memory.dmpFilesize
4KB
-
memory/2432-78-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/2432-79-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/2432-171-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/2432-18-0x0000000000A80000-0x0000000000A81000-memory.dmpFilesize
4KB
-
memory/3956-1440-0x0000000010560000-0x00000000105C5000-memory.dmpFilesize
404KB
-
memory/3956-151-0x0000000010560000-0x00000000105C5000-memory.dmpFilesize
404KB
-
memory/4420-0-0x0000000074DC0000-0x0000000075371000-memory.dmpFilesize
5.7MB
-
memory/4420-112-0x0000000074DC0000-0x0000000075371000-memory.dmpFilesize
5.7MB
-
memory/4420-2-0x0000000001A80000-0x0000000001A90000-memory.dmpFilesize
64KB
-
memory/4420-1-0x0000000074DC0000-0x0000000075371000-memory.dmpFilesize
5.7MB