13386916b2957099a92fefa8fb8307f39575a78b2a6770f9291dfe9e5033e2e7

Analysis

max time kernel
145s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
Size

273KB
MD5

0dad3d73d9e47476bd55e2b1cf104fc7
SHA1

1f5ccb8c2e7dc8d8851cb8bfd5977a0eaf0f6188
SHA256

13386916b2957099a92fefa8fb8307f39575a78b2a6770f9291dfe9e5033e2e7
SHA512

278c07874d73832da135ef3e45ebd35878d3d183d2d226a9cc5ba814c190a91e6ec67dd62accf215dc5c0af9d1671e30d75408602b69ea1028be5aa4e64115ed
SSDEEP

6144:b4qMZvK7bFvMnxQf+2VoxWnGKT1xwTi6Aw66G:n0qBvcqfdVos4TLLTG

Score

8^/10

persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b5b-2.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
4356	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
4356	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
1196	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
1196	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2700	sc.exe
3164	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ndfapi.dll,-40001 = "Windows Network Diagnostics"	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4356	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
1196	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 1928	4356	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe	84
PID 4356 wrote to memory of 1928	4356	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe	84
PID 4356 wrote to memory of 1928	4356	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe	84
PID 1928 wrote to memory of 2700	1928	cmd.exe	86
PID 1928 wrote to memory of 2700	1928	cmd.exe	86
PID 1928 wrote to memory of 2700	1928	cmd.exe	86
PID 1928 wrote to memory of 3164	1928	cmd.exe	87
PID 1928 wrote to memory of 3164	1928	cmd.exe	87
PID 1928 wrote to memory of 3164	1928	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "sc create "0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118" binPath= "C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe" start= auto && sc start "0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\sc.exe
    sc create "0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118" binPath= "C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:2700
- - C:\Windows\SysWOW64\sc.exe
    sc start "0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118"
    3⤵
    - Launches sc.exe
    PID:3164

C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bgi3C0F.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/1196-8-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1196-14-0x00000000005A0000-0x0000000000613000-memory.dmp

Filesize
460KB

Download
memory/1196-19-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1196-31-0x00000000005A0000-0x0000000000613000-memory.dmp

Filesize
460KB

Download
memory/4356-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4356-6-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/4356-15-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/4356-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download