f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3

Analysis

max time kernel
182s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
Size

23.5MB
MD5

7b6d02a459fdaa4caa1a5bf741c4bd42
SHA1

4eea45c22881a092ac7a8b0a5379076d5803e83e
SHA256

f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3
SHA512

d8d67ba37263832e7f7d0a945a04afe3d9cea24e78a2d82b00463a2ab575ddb0b53f020c9967391c8469a831c3205f68d010d752a17419d7c2bb34ae8dc55384
SSDEEP

393216:zCTLRrqyYTljCQppkgSGlNoggc7k18J1unrY+M4ZtquYfZZrjMaDF1i:zCTLI3TZCQKGlZgc7k181W7fFOjMQ1i

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	NXTPKIENTS.tmp

Executes dropped EXE 2 IoCs

pid	Process
4304	NXTPKIENTS.exe
2332	NXTPKIENTS.tmp

Loads dropped DLL 1 IoCs

pid	Process
1248	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 8 IoCs

evasion

pid	Process
1476	taskkill.exe
4556	taskkill.exe
2464	taskkill.exe
3296	taskkill.exe
4528	taskkill.exe
1696	taskkill.exe
1512	taskkill.exe
4492	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1320	powershell.exe
1320	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1320	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1136	1424	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	86
PID 1424 wrote to memory of 1136	1424	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	86
PID 1424 wrote to memory of 1248	1424	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	90
PID 1424 wrote to memory of 1248	1424	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	90
PID 1424 wrote to memory of 4304	1424	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	93
PID 1424 wrote to memory of 4304	1424	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	93
PID 1424 wrote to memory of 4304	1424	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe	93
PID 4304 wrote to memory of 2332	4304	NXTPKIENTS.exe	96
PID 4304 wrote to memory of 2332	4304	NXTPKIENTS.exe	96
PID 4304 wrote to memory of 2332	4304	NXTPKIENTS.exe	96
PID 2332 wrote to memory of 1512	2332	NXTPKIENTS.tmp	98
PID 2332 wrote to memory of 1512	2332	NXTPKIENTS.tmp	98
PID 2332 wrote to memory of 1512	2332	NXTPKIENTS.tmp	98
PID 1248 wrote to memory of 1028	1248	rundll32.exe	100
PID 1248 wrote to memory of 1028	1248	rundll32.exe	100
PID 2332 wrote to memory of 4492	2332	NXTPKIENTS.tmp	102
PID 2332 wrote to memory of 4492	2332	NXTPKIENTS.tmp	102
PID 2332 wrote to memory of 4492	2332	NXTPKIENTS.tmp	102
PID 2332 wrote to memory of 1476	2332	NXTPKIENTS.tmp	104
PID 2332 wrote to memory of 1476	2332	NXTPKIENTS.tmp	104
PID 2332 wrote to memory of 1476	2332	NXTPKIENTS.tmp	104
PID 2332 wrote to memory of 4556	2332	NXTPKIENTS.tmp	106
PID 2332 wrote to memory of 4556	2332	NXTPKIENTS.tmp	106
PID 2332 wrote to memory of 4556	2332	NXTPKIENTS.tmp	106
PID 2332 wrote to memory of 2464	2332	NXTPKIENTS.tmp	109
PID 2332 wrote to memory of 2464	2332	NXTPKIENTS.tmp	109
PID 2332 wrote to memory of 2464	2332	NXTPKIENTS.tmp	109
PID 2332 wrote to memory of 3296	2332	NXTPKIENTS.tmp	111
PID 2332 wrote to memory of 3296	2332	NXTPKIENTS.tmp	111
PID 2332 wrote to memory of 3296	2332	NXTPKIENTS.tmp	111
PID 2332 wrote to memory of 4528	2332	NXTPKIENTS.tmp	113
PID 2332 wrote to memory of 4528	2332	NXTPKIENTS.tmp	113
PID 2332 wrote to memory of 4528	2332	NXTPKIENTS.tmp	113
PID 2332 wrote to memory of 1696	2332	NXTPKIENTS.tmp	116
PID 2332 wrote to memory of 1696	2332	NXTPKIENTS.tmp	116
PID 2332 wrote to memory of 1696	2332	NXTPKIENTS.tmp	116
PID 1248 wrote to memory of 4036	1248	rundll32.exe	123
PID 1248 wrote to memory of 4036	1248	rundll32.exe	123
PID 1248 wrote to memory of 1320	1248	rundll32.exe	124
PID 1248 wrote to memory of 1320	1248	rundll32.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FCFD.tmp.bat
  2⤵
  PID:1136
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Hancom\hc-c84a2fc2.png" limsjo
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn "ChromeUpdateTaskMachineUAC"
    3⤵
    PID:1028
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn "ChromeUpdateTaskMachineUAC"
    3⤵
    PID:4036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -executionpolicy bypass -File "C:\Users\Admin\.tmp\1893901399.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe
  "C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\is-VMUAI.tmp\NXTPKIENTS.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-VMUAI.tmp\NXTPKIENTS.tmp" /SL5="$50186,6291726,231424,C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM iexplore.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1512
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM firefox.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4492
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM opera.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1476
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM safari.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4556
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2464
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM MicrosoftEdge.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3296
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM msedge.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4528
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM NXTPKIENTSI.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.tmp\1893901399.ps1

Filesize
266B

MD5
72beaa12f95e171e8bc2f716de35a088

SHA1
f39b364171501349bd128ad91d860ad4e6d833ab

SHA256
c2b41fccc51c0826e9539919549e48a2240f47cb2f6007634c6ea9fbaeb37f2b

SHA512
09e553dc73a0f30f6d3e69c5dff8e568365ac7a02fcce2f3cfbeaecb6951857061ecbe75c632cb92dbb96a737835117f8c1d4110eb7b178e6c3304a12e8acfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCFD.tmp.bat

Filesize
463B

MD5
c97d151e0950665179889274b9744310

SHA1
69043e9ce2122b3fd498ca38bb464cf8500f6062

SHA256
b2e82e0831743f1d84931c7008c74fa224f8f271164831afd582d3a2e434eef7

SHA512
10354152e9ed31c6c628f2b14cdf77eb8963347f31e38674ea25142821096ddf72d3a599bdb63523ca2435930cb9dfa3c1af1e01131be11c89a1d18e73f46abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe

Filesize
6.3MB

MD5
eb8d073840e95cf24c9c3f5a2b6470e0

SHA1
2399567292f1e81630997fb4a151786d3e4938bb

SHA256
0dd9aa5b650f519a55c96bf0dee73162d9ba510b60521780c34811de25cd7bb6

SHA512
1347d8898b3e405c3de0ac90ea2880e215b745a58275b6ad8c027fa75c1f449949e7d77f820bb9bca445982b13c9f05f20ae6824445830ff7e65c71d12b18a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vsu0dt1o.mtn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VMUAI.tmp\NXTPKIENTS.tmp

Filesize
871KB

MD5
bba6e056a5595fd2d9b50cce5ce602a1

SHA1
1405ba0d049270b5013a8ce79c879c781a140245

SHA256
5ac7e37459228cb19d9be74e24a4963c28222d8ed2665caa8857ba1c9105401a

SHA512
5a9e86396355e0681b8d2e6c464dc3cb22e96ac6d2d1ededbd96c1de6c05eb2d943ced98985d6ff805d1a42dee256d91e4502edc0e4020f1e990224d5a4d9b05

Download Submit
C:\Users\Admin\AppData\Roaming\Hancom\hc-c84a2fc2.png

Filesize
8.6MB

MD5
88f183304b99c897aacfa321d58e1840

SHA1
4a705f58918c00431de453d5b5f621fa42ff7169

SHA256
61b8fbea8c0dfa337eb7ff978124ddf496d0c5f29bcb5672f3bd3d6bf832ac92

SHA512
8005d45f6b8321a3a925308c9f5683b868ad7f78cd37be619500d25a1ddd45d282d91ce8275300486c0397b4aefba78b9cd67d4cd50e763e3ca51dffc67c6115

Download Submit
\??\c:\programdata\limsjo.a

Filesize
1B

MD5
4c761f170e016836ff84498202b99827

SHA1
fb3c6e4de85bd9eae26fdc63e75f10a7f39e850e

SHA256
7ace431cb61584cb9b8dc7ec08cf38ac0a2d649660be86d349fb43108b542fa4

SHA512
19d147676eb275f0f0125762f223719fde9958859f5400cc34e2887b64a26d96c3c4f9d5c0fbbda48f22820d4415a68a4fdb99028b3ba19778873a7125e56477

Download Submit
memory/1248-28-0x00007FFFE3D80000-0x00007FFFE5360000-memory.dmp

Filesize
21.9MB

Download
memory/1248-27-0x00007FFFE3D80000-0x00007FFFE5360000-memory.dmp

Filesize
21.9MB

Download
memory/1248-26-0x00007FF803D30000-0x00007FF803D32000-memory.dmp

Filesize
8KB

Download
memory/1248-39-0x00007FFFE3D80000-0x00007FFFE5360000-memory.dmp

Filesize
21.9MB

Download
memory/1248-72-0x00007FFFE3D80000-0x00007FFFE5360000-memory.dmp

Filesize
21.9MB

Download
memory/1320-73-0x00007FFFE31D0000-0x00007FFFE3C91000-memory.dmp

Filesize
10.8MB

Download
memory/1320-75-0x0000019D370D0000-0x0000019D370E0000-memory.dmp

Filesize
64KB

Download
memory/1320-74-0x0000019D370D0000-0x0000019D370E0000-memory.dmp

Filesize
64KB

Download
memory/1320-67-0x0000019D1EB40000-0x0000019D1EB62000-memory.dmp

Filesize
136KB

Download
memory/1320-79-0x00007FFFE31D0000-0x00007FFFE3C91000-memory.dmp

Filesize
10.8MB

Download
memory/2332-24-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2332-38-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2332-35-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4304-34-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4304-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download