328ce7e6262695a3fccbd1e1faf5ef0a119bf58eb7263ca4f3c1ac6a747aa5b6

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

003ebc02979788d54503d677624b9573_JaffaCakes118.exe
Size

3.0MB
MD5

003ebc02979788d54503d677624b9573
SHA1

e1c8371cb1528b3349edfd56b41cdc0b25789aa1
SHA256

328ce7e6262695a3fccbd1e1faf5ef0a119bf58eb7263ca4f3c1ac6a747aa5b6
SHA512

e6e4581454c9dbc595c9fb489b0d5972dca0d71e8bafd188d19127baa8348c9a82f97e8388c2b3485a09739c19d3fe1653185cc0d0423117ba72887e01eb641b
SSDEEP

49152:4XkFaYyNnAkRnBLR3CzyHiUQrGlVWNApdgmL2z1MBLzqy4H5t6Jkg7Iy3:xUT5AkRBLR3g2iUQrK8OjzLyhyYamK

Score

8^/10

vmprotect

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

tolmkat.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\tolmkat.dat	tolmkat.exe
File created	C:\Windows\system32\drivers\tolmkat.dat	tolmkat.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

003ebc02979788d54503d677624b9573_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	003ebc02979788d54503d677624b9573_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

tolmkat.exe

pid process

1628 tolmkat.exe
Loads dropped DLL 1 IoCs

Processes:

tolmkat.exe

pid process

1628 tolmkat.exe

pid	process
1628	tolmkat.exe

pid	process
1628	tolmkat.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\tolmkat64.dat	vmprotect

Drops file in System32 directory 2 IoCs

Processes:

tolmkat.exe

description ioc process

File opened for modification C:\Windows\system32\tolmkit.dll tolmkat.exe
File created C:\Windows\system32\tolmkit.dll tolmkat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tolmkat.exe

pid process

1628 tolmkat.exe

description	ioc	process
File opened for modification	C:\Windows\system32\tolmkit.dll	tolmkat.exe
File created	C:\Windows\system32\tolmkit.dll	tolmkat.exe

pid	process
656

pid	process
1628	tolmkat.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

003ebc02979788d54503d677624b9573_JaffaCakes118.exe

description	pid	process	target process
PID 4804 wrote to memory of 1628	4804	003ebc02979788d54503d677624b9573_JaffaCakes118.exe	tolmkat.exe
PID 4804 wrote to memory of 1628	4804	003ebc02979788d54503d677624b9573_JaffaCakes118.exe	tolmkat.exe
PID 4804 wrote to memory of 1628	4804	003ebc02979788d54503d677624b9573_JaffaCakes118.exe	tolmkat.exe

C:\Users\Admin\AppData\Local\Temp\003ebc02979788d54503d677624b9573_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\003ebc02979788d54503d677624b9573_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\tolmkat.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\tolmkat.exe" /unionid 12001
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\tolmkat.exe
Filesize
43KB

MD5
e0288aecf2a061999489fa4644d5a9c0

SHA1
e05ae14b6724da389927fd0a764a18afef38ce8e

SHA256
c2f12ce607a029ffd56b4c66c74b7a65d8bd7528bb6a14d19970c508492dcbda

SHA512
6e7fcbaff7ade86a23d2d81c883904a3e5e919345286704f872d88aabaed70722f98d1642fe8a7c1ac6d0da07a4b074b6ba192878bfe1238f6daca989f0a3523

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\tolmkat64.dat
Filesize
946KB

MD5
c1d4bbba4b1bf363aef1cdeb1c6008f4

SHA1
c3d8b933f012f63e51c3c5bf03386dcc2d1448dc

SHA256
e274d03846011555b396e14978c88306a07d222a12334b25106a095d5674e787

SHA512
b3b8bcee4e3d097e9adb77f076cf9e9b3dcb0d221ea1ba12fc597704228491278d3eada48ba0b3d99aa21e97df90046f538f0c66363975aaeb00161c67211541

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\tolmkit.dll
Filesize
986KB

MD5
5a61dab6c238733a85785b14a763c5aa

SHA1
0093a016f0ba8f966adedad231cfc8adaaf28eea

SHA256
2701ef3d23fb698d68241460f276621d859c95ed29d164370e7513d18df92c3c

SHA512
8a5c60d992e171a5a52a4fae1edea064cd7549e18c47fd0c5bdcb85a31d1a9f03c5884fa02cafc38a603fc62f6df0b303bf1d085038aaa3915a9fe140f82c08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\tolmkit64.dll
Filesize
997KB

MD5
46e9ce826393ceff27bc3b0d35ef15ef

SHA1
c7c354e1af0095fa15ac72d0a00fd8a5482d0c43

SHA256
e05e6b802af4cf5b598012f76c79a95d5577c6780ee4783d941fe1259f0b603a

SHA512
7eab26f850410328d5f1055a3fe4436d8c72f8da844f82a5cd5f6c48dd865c83cdb1e484744be4f4b8ade7c924ed67a7ea6922c000f613ec0998441262d84208

Download Submit