ee0165fcf6d051a41465fd2cbeb3533ba25ff7074d1b2e495c9233aa03a1d041

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fced773e5ab895a57c291a517ec124b0_JaffaCakes118.exe
Size

46KB
MD5

fced773e5ab895a57c291a517ec124b0
SHA1

a48bfeba5199a902a5311277ad9b1320a29e229f
SHA256

ee0165fcf6d051a41465fd2cbeb3533ba25ff7074d1b2e495c9233aa03a1d041
SHA512

19eee62d12a7886717fee5852242ff1483e65c01635fe115845a27f6845afdff3a194aa5c3e8418847bed830a7144d5e60299be80bb533a59c719f0a7da1a403
SSDEEP

768:GgmOj1ahvYXROzxRceinLO6Fo4mlD8D3VzAwIOZTTCctWJxrUnbcuyD7U:hRjshSRO1CDBmVlD8DF8wIqTTFtG9UnZ

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1576-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1576-14-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system_host_run = "C:\\windows\\system32\\rundll32.vbs"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\system32\rundll32.vbs	cmd.exe
File opened for modification	C:\windows\system32\rundll32.vbs	cmd.exe
File created	C:\windows\system32\rundll32.dat	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3664	reg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4536	1576	fced773e5ab895a57c291a517ec124b0_JaffaCakes118.exe	93
PID 1576 wrote to memory of 4536	1576	fced773e5ab895a57c291a517ec124b0_JaffaCakes118.exe	93
PID 4536 wrote to memory of 2820	4536	cmd.exe	94
PID 4536 wrote to memory of 2820	4536	cmd.exe	94
PID 4536 wrote to memory of 3664	4536	cmd.exe	95
PID 4536 wrote to memory of 3664	4536	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\fced773e5ab895a57c291a517ec124b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fced773e5ab895a57c291a517ec124b0_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D0BD.tmp\D0DE.tmp\D0DF.bat C:\Users\Admin\AppData\Local\Temp\fced773e5ab895a57c291a517ec124b0_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\system32\rundll32.vbs"
    3⤵
    - Drops file in System32 directory
    PID:2820
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v system_host_run /t REG_SZ /d C:\windows\system32\rundll32.vbs /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D0BD.tmp\D0DE.tmp\D0DF.bat

Filesize
832B

MD5
8b6306fff6d657f87d69021f53f3b4b4

SHA1
e8cbb37ad50e81888c1511b22ae3ccd81e968a7c

SHA256
ba2451746336d60a034eddfe0bdfad4df736892eb8394e297368463b1858071a

SHA512
baa41a83f983fa49612646cf48d516dbc8c9c11eabbb68f6544619cb8f0f8c98f2f92bdab45589eea8fee37a5ec204f6ece399bdbc41b6df048aeb059c1fc7cb

Download Submit
C:\windows\system32\rundll32.vbs

Filesize
241B

MD5
eed50ebe3d3592af1f896420577c48cc

SHA1
d99b8a29d215ef1ece17773cb27c95c7246a38b6

SHA256
6f7edf24d2009c26ff1411c33a8406468f6c0e2dec869d6c2810669434eb871f

SHA512
77555c56c269e6cc6a468e5ba9674b9243379322d7b8cc7c9ae86d8f6b53d92d53a79c0c02f3cc8fd3fca0e3e83894d2e7c399a69fb99b40c26ec2c1f2a79ed8

Download Submit
memory/1576-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1576-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads