99bf6f64e15dbe112a2d390b9b7d7ff1401e6db51fe09ac305301c9763212f0f

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

162b192c9b181788e535b97a83f2b136_JaffaCakes118.exe
Size

9.1MB
MD5

162b192c9b181788e535b97a83f2b136
SHA1

f4f9806e7fe031eaeff6bc72cfb383755f2a25d0
SHA256

99bf6f64e15dbe112a2d390b9b7d7ff1401e6db51fe09ac305301c9763212f0f
SHA512

5c845b534f943d01ba439f79f19c4f9969b1628b4998287cdc3e9bcf5e79d969e10aeb365b14dfc5c5809bce61bed71173389c3a95ef09aae49ab8753e3d0d92
SSDEEP

196608:XcVk63bpHFuqajsjap5hx/JIqUX0qonL8UpUWiHoZyEAZ+FcAjoSZV:XcVP3bpHFFajmaLhpz/qUL8UpUWiHowS

Score

8^/10

execution

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	162b192c9b181788e535b97a83f2b136_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	7za.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
8	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3708	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2184	7za.exe
Token: 35	2184	7za.exe
Token: SeSecurityPrivilege	2184	7za.exe
Token: SeSecurityPrivilege	2184	7za.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 3552	1292	162b192c9b181788e535b97a83f2b136_JaffaCakes118.exe	82
PID 1292 wrote to memory of 3552	1292	162b192c9b181788e535b97a83f2b136_JaffaCakes118.exe	82
PID 1292 wrote to memory of 3552	1292	162b192c9b181788e535b97a83f2b136_JaffaCakes118.exe	82
PID 1292 wrote to memory of 3784	1292	162b192c9b181788e535b97a83f2b136_JaffaCakes118.exe	85
PID 1292 wrote to memory of 3784	1292	162b192c9b181788e535b97a83f2b136_JaffaCakes118.exe	85
PID 1292 wrote to memory of 3784	1292	162b192c9b181788e535b97a83f2b136_JaffaCakes118.exe	85
PID 3784 wrote to memory of 2920	3784	wscript.exe	93
PID 3784 wrote to memory of 2920	3784	wscript.exe	93
PID 3784 wrote to memory of 2920	3784	wscript.exe	93
PID 3784 wrote to memory of 2184	3784	wscript.exe	95
PID 3784 wrote to memory of 2184	3784	wscript.exe	95
PID 3784 wrote to memory of 2184	3784	wscript.exe	95
PID 3784 wrote to memory of 1256	3784	wscript.exe	99
PID 3784 wrote to memory of 1256	3784	wscript.exe	99
PID 3784 wrote to memory of 1256	3784	wscript.exe	99
PID 3784 wrote to memory of 1120	3784	wscript.exe	101
PID 3784 wrote to memory of 1120	3784	wscript.exe	101
PID 3784 wrote to memory of 1120	3784	wscript.exe	101
PID 3784 wrote to memory of 2740	3784	wscript.exe	103
PID 3784 wrote to memory of 2740	3784	wscript.exe	103
PID 3784 wrote to memory of 2740	3784	wscript.exe	103
PID 3784 wrote to memory of 1232	3784	wscript.exe	105
PID 3784 wrote to memory of 1232	3784	wscript.exe	105
PID 3784 wrote to memory of 1232	3784	wscript.exe	105
PID 1232 wrote to memory of 3708	1232	cmd.exe	107
PID 1232 wrote to memory of 3708	1232	cmd.exe	107
PID 1232 wrote to memory of 3708	1232	cmd.exe	107
PID 3784 wrote to memory of 8	3784	wscript.exe	109
PID 3784 wrote to memory of 8	3784	wscript.exe	109
PID 3784 wrote to memory of 8	3784	wscript.exe	109

C:\Users\Admin\AppData\Local\Temp\162b192c9b181788e535b97a83f2b136_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\162b192c9b181788e535b97a83f2b136_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo hi
  2⤵
  PID:3552
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" C:\\ProgramData\\qtcdueitdt.js
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rd /S/Q C:\ProgramData\qe7vq3
    3⤵
    PID:2920
- - C:\ProgramData\owftg\7za.exe
    "C:\ProgramData\owftg\7za.exe" e C:\ProgramData\0nrh9z.zip -pvkd -y -oC:\ProgramData\qe7vq3
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move /Y "C:\ProgramData\qe7vq3" "C:\ProgramData\VkontakteDJ"
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Delete /TN VK_DJ /F
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /S/Q C:\ProgramData\0nrh9z.zip
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1
      4⤵
      Runs ping.exe
      PID:3708
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN VKDJ /SC ONLOGON /TR "C:\ProgramData\VkontakteDJ\VKontakteDJ.exe /H" /F /DELAY 0001:00 /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\0nrh9z.zip

Filesize
4.4MB

MD5
12e553d3c615ca60822c698d3e96fd2c

SHA1
c2e68f5142a64f4dc77ac97f0fa14ecab98adc47

SHA256
f5b228b07028075bed86622e0a32c914cbf5f8e7d91e94aa29d69b619aee5b24

SHA512
7e25bce9eab5c556d1304269b0bb19d7d7871842a7cf43ebddd1cee045895adfc677b278007be61e55d86a2b5d2d5e266ff0488fcd79e461401066ac5b1b7850

Download Submit
C:\ProgramData\VkontakteDJ\VKontakteDJ.exe

Filesize
6.6MB

MD5
8025e5ef219fe94e9ab891fbddd5712d

SHA1
7d8ad730901de3818aed43db9a9f218908f79fc2

SHA256
923991291fc290cf936195a6375ed5d059c5ea67d2dddcf8ed2dd5cab5bc6b76

SHA512
3ef8d176576c5997d9ac4ebdc8dc51ea6be7de8bba1220b862479c0f05eb161ffa392e306f3572ca2858c2bff904b9c20e8252cd0b50b0b64aa19a52a10a5c25

Download Submit
C:\ProgramData\VkontakteDJ\uninstall.exe

Filesize
490KB

MD5
e127107063431e8186811bac98ad0b6e

SHA1
27a508f87621792f102ed1d97e7689801132c13f

SHA256
c04672f2cdcba81fb8a6d9a0e47b3f28605e3b020c8dc37657f932c7d981dad9

SHA512
c88edce031d5d73a4f443dc31e2d204f650f876ad2fa517d3e47581fa48cdc93afbb4941bdc6f0b44060d209d59406bd855feadf0b18de30f27c3d61580b0661

Download Submit
C:\ProgramData\owftg\7za.exe

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\ProgramData\qtcdueitdt.js

Filesize
4KB

MD5
32ebed61c8f61c18b2383cb9511588a6

SHA1
1ea5052c738780000cbf9f6409069c289573f4ab

SHA256
a861e6d41cb838f1d90503b1d7858b26c81f43ef8beb5584a23345505dc82862

SHA512
050018c531aefaf66b937011d10519d9b7176e66d03f15f1d053be36b8560f18be01fb0a307452c592c193cfb6e81cbea90707007cd32522f9d39a0c07f64c3d

Download Submit
memory/1292-0-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/1292-31-0x0000000000400000-0x0000000000D32000-memory.dmp

Filesize
9.2MB

Download
memory/1292-33-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads