89a40d4d8ea681fd68a37a6ba2493d71a56664f49bb7f555ce968ed106691cfe

Analysis

max time kernel
67s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05755f2fbe3921794c5798002e928106_JaffaCakes118.exe
Size

2.2MB
MD5

05755f2fbe3921794c5798002e928106
SHA1

468905bc76578d103720704aa6b75d3201d55316
SHA256

89a40d4d8ea681fd68a37a6ba2493d71a56664f49bb7f555ce968ed106691cfe
SHA512

6471620458adf5022a7d9f66052e8986b847c735ea34823b8e28dc278ac29397f7c6ccd6ad359f257c76e4755d0c32609a0a75d12c8f25c49d0d60f0ab086025
SSDEEP

24576:h1OYdaO1qU2Uzf5uilCfBJysWSHMDBXEZc78KU88SShrFzcS:h1OsDqBI5uilCfBev6hrB9

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	TNtwEYyldhPrKjp.exe

Executes dropped EXE 2 IoCs

pid	Process
4692	TNtwEYyldhPrKjp.exe
1428	TNtwEYyldhPrKjp.exe

Loads dropped DLL 1 IoCs

pid	Process
1428	TNtwEYyldhPrKjp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\SystemFileAssociations\.aHTML\shell	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	TNtwEYyldhPrKjp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	TNtwEYyldhPrKjp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XJNEFI.tmp\\TNtwEYyldhPrKjp.exe\" target \".\\\" bits downExt"	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.aHTML\OpenWithProgids	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\SystemFileAssociations	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\SystemFileAssociations\.aHTML	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\__aHTML\shell\Edit	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\__aHTML\shell\Edit\command	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\__aHTML\shell\Edit\ddeexec	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.aHTML	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\__aHTML\shell	TNtwEYyldhPrKjp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XJNEFI.tmp\\TNtwEYyldhPrKjp.exe\" target \".\\\" bits downExt"	TNtwEYyldhPrKjp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.aHTML\ = "__aHTML"	TNtwEYyldhPrKjp.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\__aHTML	TNtwEYyldhPrKjp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\__aHTML\shell\Edit\command\ = "Notepad.exe"	TNtwEYyldhPrKjp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.aHTML\OpenWithProgids\__aHTML	TNtwEYyldhPrKjp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1428	TNtwEYyldhPrKjp.exe
1428	TNtwEYyldhPrKjp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	TNtwEYyldhPrKjp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4692	4036	05755f2fbe3921794c5798002e928106_JaffaCakes118.exe	83
PID 4036 wrote to memory of 4692	4036	05755f2fbe3921794c5798002e928106_JaffaCakes118.exe	83
PID 4036 wrote to memory of 4692	4036	05755f2fbe3921794c5798002e928106_JaffaCakes118.exe	83
PID 4692 wrote to memory of 1428	4692	TNtwEYyldhPrKjp.exe	84
PID 4692 wrote to memory of 1428	4692	TNtwEYyldhPrKjp.exe	84
PID 4692 wrote to memory of 1428	4692	TNtwEYyldhPrKjp.exe	84
PID 1428 wrote to memory of 2792	1428	TNtwEYyldhPrKjp.exe	85
PID 1428 wrote to memory of 2792	1428	TNtwEYyldhPrKjp.exe	85
PID 1428 wrote to memory of 2792	1428	TNtwEYyldhPrKjp.exe	85

C:\Users\Admin\AppData\Local\Temp\05755f2fbe3921794c5798002e928106_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05755f2fbe3921794c5798002e928106_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\TNtwEYyldhPrKjp.exe
  .\TNtwEYyldhPrKjp.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\XJNEFI.tmp\TNtwEYyldhPrKjp.exe
    "C:\Users\Admin\AppData\Local\Temp\XJNEFI.tmp\TNtwEYyldhPrKjp.exe" target ".\" bits downExt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s ".\\OafUY18i9eiMMt.x64.dll"
      4⤵
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\OafUY18i9eiMMt.dll

Filesize
863KB

MD5
9d5a25aa07c44e8566f8dc4b03604eee

SHA1
ac988b361ad609a5d5beb762939054a4e15bae58

SHA256
467cc8c344e52f19db31116d3d7f848e718d58fadfb17e8a09e744443f3e5acf

SHA512
4d1a9a67c58e1bbe52557a9195d59ff409549c95f204008ef6515d7661e4326027b3b682166bb4e3e911b7ec211b3cadc0f3eafefcae1c2c2ad591424a5c2272

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\OafUY18i9eiMMt.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\OafUY18i9eiMMt.x64.dll

Filesize
945KB

MD5
deb677510b0f7890a8e4ebe911acd7b1

SHA1
fb80781261797adca5bcd935129b06f2cb4e78a0

SHA256
c9ddf7e9afb69f0603f270b9ad77a582863b32934277edb1fb113e378a7d36a6

SHA512
d163ac594242a14a24ed6623a016e88c9c96a7db190f1b9652251da83c89dd5b3e7bd7eead1b3f4913729015467a0a2d35f3141f3d3d3856d695843e8091e34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\TNtwEYyldhPrKjp.dat

Filesize
14KB

MD5
66d2ecc9296b14976a8f911976e5e01e

SHA1
c84248871c81438e8633179e35d37fd050e821c9

SHA256
37762e8a9b7e0a4cd16df9d0a55eb4e55efceec1b47dd80d65ef893a4492a499

SHA512
e03023257c8ee2400e46a2592d846e892010ab5d95b7d1dd0923f3e86eb6e713fbb2e3d71abec7f5db4762e4da4a6d05942c92535a72b2096f1d1feaa852b7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\TNtwEYyldhPrKjp.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\oenfoiaddnbebhcjkljpilemjiiiocgl\background.html

Filesize
142B

MD5
ca31ff9f902b37346c4647bcd55df871

SHA1
b4a5b527e4cefea06c386930e834d297da6a3c82

SHA256
bb2a2968d8f46b3da5cef944d20ecfd15c81e0d1ed6f2e9b0fc5ed95f0829949

SHA512
1e4d309fa6a399b296c8d5c4224180684c05c2277b5eef21f2e8fd85b6f3e5de6e2bd8f340cc73fb59de0d94cb323f867253dc04162775eaac32b8f8f1adbb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\oenfoiaddnbebhcjkljpilemjiiiocgl\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\oenfoiaddnbebhcjkljpilemjiiiocgl\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\oenfoiaddnbebhcjkljpilemjiiiocgl\manifest.json

Filesize
504B

MD5
ae1dcb0335a420615c02ee52f0cf12b1

SHA1
57313d6d26d01811d52b8d594944708b0a8de0f8

SHA256
aeda2bde3795b11f9ef3eb860a879a2244008412d8cdc8f4ff3f3a8f19abc100

SHA512
3ef87679c10d98ababba16bd98b8e6f3d87807bace74f1951f47b279281a0d40a79ce6a29f1e83c74afa70a099a69bf2ea46b0350efcf77b704d9514695fa089

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\oenfoiaddnbebhcjkljpilemjiiiocgl\tyZ7Y.js

Filesize
6KB

MD5
465b33f9910596be17eea008d1049c57

SHA1
57e2718b3ceb57c807df0d9ce905f54eb6338c23

SHA256
30e8b215e5bc55b491ec3c78b1ad7559184c09ac900e1ba90b20083cbfb3b58b

SHA512
e00c919c595d90dcadccb9e5acca8bfbd77d75fa4daf33e5afcc4939910302461527ad4eafb96e4dccf67c0071d265714576e7f1f6674a8ec72d09c94719dfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
e8dd2c0237553b0ba046e6b37bcff32c

SHA1
550a5737eb91d1a5e8c12cb759d93d26600dcc91

SHA256
7bc1d363b4985cbc48b5783fd457ef6578146c1fa0cdf5aab446c36aa4b58448

SHA512
796118b41830de5f6b8d5b83772f5d4e76269b8a11e525d96406825410e6f6b4fa01a521dec6e7470e9563949606ee0081e918e512c33f4471e90c6920799d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
e0dacddd54d0a23c5ff18d769fbe4f76

SHA1
c1e8214c5cf8aaef393577cc6b7300e13abea8cf

SHA256
92491e0419ce80b4d9ab5b7c3e76578a1a957165103ccb6fa6238ce58b2f6b75

SHA512
0bc8c6168cc5df4477287a96dea020c1a6425c05257f86ebd08c6b8c67d7b44ab4daf4c8491273ef13c853472a54c77bc607e20007eb2cfa017105a5fe0e6d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4650.tmp\[email protected]\install.rdf

Filesize
600B

MD5
f4277da227e9a4f5420486f7d39acd5f

SHA1
a0b47113d0200adef1da6ce6ce2c4d4a31635032

SHA256
66d4ed36a8758569c40aff5c268a6f5f555a8ef9fe1a84dd5fb83315b991f0f3

SHA512
0de2ebaaba6010525ae4adf8ac209bb89ea8d88cc24d0c4a553f4749649f370bd91c1a56a9d7179b58e43b1f6eb9f85d12decfcac37423acfcd33f01eb91bfcd

Download Submit