2818fc8ec4e02a4db34dea39348baa20a1e01cb6f29013ee993596ecb452fa74

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03773f3a02ddaf0236cbb189f0f58f2c_JaffaCakes118.exe
Size

227KB
MD5

03773f3a02ddaf0236cbb189f0f58f2c
SHA1

dc8744101ac3ab1a50bbe7490d56f44b70c80281
SHA256

2818fc8ec4e02a4db34dea39348baa20a1e01cb6f29013ee993596ecb452fa74
SHA512

73f0fc2b1b6e75d83662e88cf8df7389f51b037f458bdb7a2c1d132db812da73f85b7d302b08ae1bfa464ee2343867c9ad94f4e380f5b5f099f74863e02b7ac0
SSDEEP

6144:yifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVNc/:lfk6kDqHw2hmxlrz2HoSR8/

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	03773f3a02ddaf0236cbb189f0f58f2c_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2288-0-0x0000000000830000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/2288-88-0x0000000000830000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/1988-89-0x0000000000830000-0x00000000008CE000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_uk.rtf	03773F~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	03773F~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	03773F~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	03773F~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1592	2288	03773f3a02ddaf0236cbb189f0f58f2c_JaffaCakes118.exe	84
PID 2288 wrote to memory of 1592	2288	03773f3a02ddaf0236cbb189f0f58f2c_JaffaCakes118.exe	84
PID 2288 wrote to memory of 1592	2288	03773f3a02ddaf0236cbb189f0f58f2c_JaffaCakes118.exe	84
PID 2288 wrote to memory of 1988	2288	03773f3a02ddaf0236cbb189f0f58f2c_JaffaCakes118.exe	87
PID 2288 wrote to memory of 1988	2288	03773f3a02ddaf0236cbb189f0f58f2c_JaffaCakes118.exe	87
PID 2288 wrote to memory of 1988	2288	03773f3a02ddaf0236cbb189f0f58f2c_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\03773f3a02ddaf0236cbb189f0f58f2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03773f3a02ddaf0236cbb189f0f58f2c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:1592
- C:\Users\Admin\AppData\Local\Temp\03773F~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\03773F~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
79a65d7fdadafccd5b9d83029e87f136

SHA1
69d8de203fd3125cbe6bb8c3415e24385325bf54

SHA256
e90498282bf0ed2df8e4cb110f5ae0ddb7ff613f7b4fd3a9f7206053cdd3e347

SHA512
5024cd2c4b4dd67e17299a028e49ad71592bfa9b090dece3d3e8ad165c8d5aab53453f054f052fdba1cafc81494b703d8ab2e6d3c57b9ec2a335926d8cca9ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
535b9d6a69b10b90699970660a68c2c6

SHA1
6ec531711cfcc338cd61b60219da5ec86facbf64

SHA256
db6ac45a3423226b6ad54b84ac681bca5dcf0dab2fdbf58eced05ca658a775ee

SHA512
737518239bcb8d1ca1ba2cc47c0b4d25e927dc909e0208e1a17f8dca774b161a8f391e1c1f9695f24aa3a340d72af3d58bfa2dc07edc78ab3e7e711f81fd2e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
13a7523ed90188387aacaa0517dd16bb

SHA1
217ffccc6a79ae0a854d3259176162daf9bc93b3

SHA256
6ea57efdeac34b57e1f2234c03e8810f63312d7fe9b8b8f2a9fbf7653e8a663f

SHA512
471df0ee85854ffec5a0764057c0e41b7a6fb8801f35446b27ea0d041e350a3f000ea95583b9407b86461416da78e4538c034084102f4a6c76a4ef7b7f2c0970

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
b43b72bf0b83168d8d202d5b417c0553

SHA1
cf88fd1aa57793a8f3cea3df63ee9f374c345bb8

SHA256
a6653015b38bddcac5d2b7ad7b97e97796ea3c712fceee783e4257bb6149395c

SHA512
2bd97a87f73ef2a2c97846aff4b69d7ad87dd85b89e91f66036cb49a71161da51f3e21ef948291e9cdbe7a641afc2764da3dc193d4cc7ed87d433d5a83fbac6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
dbe69b855491d5b5a0a44b84cbdfcb62

SHA1
c761da4e38cdfd5f19a829010c215a3c0c2dbfca

SHA256
6b084522f0f63118d1c6413839d2c26928ae22a2a710d18fc2a2e1459cbad7e4

SHA512
694d24cda95c664bdd2eb8310e825a34a6cc3c1d7ca61557262bfe58f9ba3c3d4c29cab4741852561a42fd6cb4255d59c5ba0942ce61e4176e85a92703ab763b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
243823df7e5cc8f74f3233735c4a9561

SHA1
a6c20e9cacf8653ef8728dd29f4b17c5e19533e5

SHA256
3513e1fc3024f9fcebe06718813bcf7c2e43267f5dcf0a68855f4fbbb15c30e4

SHA512
ddcca66f45949f1d6dfac3b6d7aeef0eb508d9a67f87712d8a25ebb149db0f19b1b9fc2f97f3f6d19c4bc8c9a3943c7cc1fdd4ef1556d94962606cd9f31a7e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
f81d3e52a683181d3a49a3eaeb9651e9

SHA1
cc2c08db9add3b71d64565199a7fbfe111adbc0a

SHA256
1ca3eac2371b59d6069d1319e56bd84997ac7cbaf5426b91e5cc2be16c677edf

SHA512
38fe97b1ea21087f6ace4363f5d71918550025aa0ee49b2ba0276bf5359f56f40d192e543415b96c19849bc659f7e81f399b24af03f3c0cbfa4de66fd9087d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
14KB

MD5
0d065162f55c76da62929cc1afe1732d

SHA1
5a237aff6660fedcf0a6ea0af22164cfbda0d8dc

SHA256
12f7887756a3e48cbab7ad876a25295cc2041d8d598e9df5b62ad9e6b6a81d0b

SHA512
c735bfaad0a04bf9e20f988ab1393552e515c61fe2805d9606091b6d00c4dc83e0af75d914f088d109da012b7982c130460881ab307d4ce41cce4bd482a6ed20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
a52d14d488ea4e031c9fc520d8033bbe

SHA1
8f1120f193ea853496ec36aae450a601f4f636e5

SHA256
e8af3452971930a0cfa7f307c26d63d54dcebdaaee62161f80029f4f06178d70

SHA512
40cda4f915091b980823205050e47aebb571565aea728d57e36f5eeed682a81266afc63c60512d9102f1e72af3c73eea413ade7d22e3ce90828785c13e0672ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
16KB

MD5
36846ab96c29d9d6714f48e34279db78

SHA1
c302834ccf80facf0747768067f4b292ccbdeed9

SHA256
11c56926d81d86a5c20b3942a1ff03cb6b769da3555b2ca4d1e093ed18ced940

SHA512
1b9b0365d740f285bf3a7ada72f3256238d7aae7293ce90ab7afea08d9be85752a58e8dbca579b8535744c7b7ebc0f9d93148351a3aebbd0f55619fda9ed4aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
4896c08a49daa73a0f998ea071b02d8e

SHA1
d36b3e995c460acc930a99cc470873470ec3614b

SHA256
f81d5ed8e3ac63a6f0d1607c3539c79a1146440d27b0e536f236ffc2d6649e82

SHA512
1672ad358bf97dc612dc09a07451d754498c5a84b5a590795a0137ac98499bb93fb851e7f4ee16cd99a1adc2b19109ce33322ac901da676f76d756dc7fc3481e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
49e886fc76d548537c2718874b370093

SHA1
34d78c4c15487afbfc5be8ec40098d94ad7cbc5e

SHA256
d79686491c54557127f339aa05152a20652956465959279ecea046b95d9e6874

SHA512
b0a704f05a8bf4d7d460171d2d030e7bab2a151877a56e455227911175667bcb35e86464e721f7f7e7f8dce1765a6a1bda4dad3a3da1c00239b74d3983984354

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
540bf61e00ea3c0b6eaa45814c11025a

SHA1
6bc63ee79b7cdb9330b9c8262888c3dae6b9885f

SHA256
11bc8194feb116f6236c885815489cced6d7328ce4bb1ddc6cc7aad0520d41fe

SHA512
18dd5547bf89b9eb0d1f35cd4d96a849d336f482a175e442cccea757b2c99e72997d3d8584040c3024fbdbcd866d59b2e842e710811274ea20e2ff46d79977e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
5e91b1a6fa447028ffc4961404398485

SHA1
31cce193c250fc2e204dc08e0e3c3dac7e36dc2b

SHA256
1c3effb643be2d6ed8afc6557601893d4ca98058f03fda8ccd022b869c959ed9

SHA512
17a97eff172d0a0a71182520ab76bd1f5bbdea54169c3dc55f122e0f7c99ee28f0f409f77d9a6078b84ae92724f8ff2c86d9d48e1e2f626a8f291f7f50f74b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
memory/1988-89-0x0000000000830000-0x00000000008CE000-memory.dmp

Filesize
632KB

Download
memory/2288-88-0x0000000000830000-0x00000000008CE000-memory.dmp

Filesize
632KB

Download
memory/2288-0-0x0000000000830000-0x00000000008CE000-memory.dmp

Filesize
632KB

Download