bb992169cca5d87708f687c762b6d617c722784abb9a1e00674c28a20255faed

Analysis

max time kernel
141s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222cc5f4cb248f54e2a7b4536a890868_JaffaCakes118.exe
Size

227KB
MD5

222cc5f4cb248f54e2a7b4536a890868
SHA1

567b687e8e29afa61c519bb60acb5be8989cfa6b
SHA256

bb992169cca5d87708f687c762b6d617c722784abb9a1e00674c28a20255faed
SHA512

71de41903af25871a6e8dc07cd3f3c2456f401078381921e2cec46cfbb1812de7bf5ecd68e86c2498de857d3375760e9e247c1cb2c81f4589a8685101bca928d
SSDEEP

6144:cp4wdZ3t4A6M2kwp+E4tEZw7BkJgSoS3Vm/:cp4wj3t9B7wp+1+w7NSoS3q

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	222cc5f4cb248f54e2a7b4536a890868_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/452-0-0x0000000000860000-0x00000000008FE000-memory.dmp	upx
behavioral2/memory/2036-45-0x0000000000860000-0x00000000008FE000-memory.dmp	upx
behavioral2/memory/452-169-0x0000000000860000-0x00000000008FE000-memory.dmp	upx
behavioral2/memory/2036-194-0x0000000000860000-0x00000000008FE000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_uk.rtf	222CC5~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	222CC5~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	222CC5~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	222CC5~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2928	452	222cc5f4cb248f54e2a7b4536a890868_JaffaCakes118.exe	83
PID 452 wrote to memory of 2928	452	222cc5f4cb248f54e2a7b4536a890868_JaffaCakes118.exe	83
PID 452 wrote to memory of 2928	452	222cc5f4cb248f54e2a7b4536a890868_JaffaCakes118.exe	83
PID 452 wrote to memory of 2036	452	222cc5f4cb248f54e2a7b4536a890868_JaffaCakes118.exe	86
PID 452 wrote to memory of 2036	452	222cc5f4cb248f54e2a7b4536a890868_JaffaCakes118.exe	86
PID 452 wrote to memory of 2036	452	222cc5f4cb248f54e2a7b4536a890868_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\222cc5f4cb248f54e2a7b4536a890868_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\222cc5f4cb248f54e2a7b4536a890868_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\222CC5~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\222CC5~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
6539731270cf9632c8778120bc772daf

SHA1
57f7816035938ceb288817863fc29e17cc509791

SHA256
1ec5a3cc7c63b6ba833ced04d08bcbc6e7ab3dcf1851cfea2a18612c139f5179

SHA512
5710f46fb57eddcd8ceced7c2869f4891dbbe7b16e12d224adb9a5f2f08002084eea6427dd8c61a15b261ca9eb881523b44725eae0c4ad07664ad8ad52cdd2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
4328e4493a63286eae8051f8d3d0e032

SHA1
6987388f3ee226119183ef60356a3532db3c59c0

SHA256
bedfff85283713df0f0660f3fb0defd1ddfda6e6191d93e0cb985db0b5523ca1

SHA512
17a017f5f9d866b2c976309f5e265dad641edfb58cb6eb1489d108c105ecfeb202c330747b281a700978e260dc794ee590fb85f0a7b62294c6817280e68f76c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
1c3ab1879f731525bb3743bd08269971

SHA1
2cb03d5d96b061c943e80db0fcfa913b96903f2e

SHA256
398499bb28db1e966cd7000c57287b9a20ceeff5cee5999b71babe0d756a6657

SHA512
ecbffcac544429e8648fb85c1ef01153b93ae9da5de0f24995e2d816a834d785cb9bb9a13f8c587303f3d3b0808e49be878119aa72254fc5d237c51e731899d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
eedae8866c533f781721523d8508ccae

SHA1
68492c16037e6115b206bce52fd23b682505ac3d

SHA256
0c4851c72d529717f5ec5849571198e30fdf5bc774380cc9cd962d22f436ff74

SHA512
a12c089620de0b6541a9c6241c6a85a0957c57ed255da04cb1ca5d281e51a9f180f93662b5d08ecd0e6a6616317b26b89bcadfe990f658bf3c0e6938b1c16cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
60823c6d091e493c30042cfe409166c4

SHA1
7455700353bb7c74c4cd9c53bfd0b0292d13831e

SHA256
3de8f8169b1d8986e309930be4119b51c057c2c51cd34d402915abee15e64fd8

SHA512
f0847c2b56ea970e0b065d5c807fa24246db24acfd3366573338988559d545e08c13d502d0ce1de71c7794ac99202cf1c2de9feba7a3b4498bf0f629d236e42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
cefe068b6503480d2484c6efaefed21d

SHA1
a09184427b5ec3a733214eb34e5d21a6926a3a57

SHA256
66fae452bd0b5f842b4a941bae29d401de9c39dd7e55ac58146635f3d5dd6460

SHA512
23e1c7c6ad46441a7ad571f1b67ddcea078a2460f56ce17c1612dbaef1738b302a0abada6aefdedb69f8297e752c6cfa2616a5f9bc6188ca7d95271a080d411b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
266536bc3f146d50b1b6b99a1d297024

SHA1
4bf5f6f62ec792ee414f167587045e487ccc81d6

SHA256
3729eec343d10d1c7339472823b8b64b45025f9feec3368f32eb88424ba04ad9

SHA512
4a97db1a25c12317c7997522770cb7a22e32d7a331cbb82496c7cfc8f7374ff9c576a94d058c846f36e9a9f95e84862247231f35db7d6fe0c6b4ec275b87d34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
840f21491390d728fbc95b9bc575009d

SHA1
48caf52a437c137d3b64b0c6565cf62de18db955

SHA256
f19bf4ce047a833de9725e2a3d90457f3de714377a52ba11e61be513d43ee9bb

SHA512
533b858fb1dab1216aa935447c4a2ed7c0f0336eb0e0c157d204f66c677fc19f2b658aefc2df52765df741f73fa588fadabf766e72fef354b461a240f6633d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
a3a85f3e22518368f42e8f1fb59b56e6

SHA1
764f424b3059baa193e1fd76139bfabb1b9b9891

SHA256
f898b58fa22de3c2a361e734a885832e618a73cb4a67f1f312a67dc723fe576a

SHA512
1fdcd6febc99b05fac0293faa7d3490ac1550dadaddc5b5003a739e8aed18c252dc3d201550e3307034fffcab11ace9c56ed26e55886e97956c3808d6f5a022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
a7e397b2ff7e8272476393acef7bc628

SHA1
f0cb622672b07a82ad41b3fdc45f407fde1dd268

SHA256
108a023c4e6b34468d5f1ccb4f570e42ded1348ae69bc3d1cfc083966038c34a

SHA512
37e733cff679308891bce5bc99cdccbd554a8e541a855eac89475490ea16baf7339bfa0b7283f54391b8406ac38e87fe270c7b67d65e1b726cf488280f171340

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
be351086516aef25517bb31d5fe369d7

SHA1
7f19e6810e34f45945cad4b4e1661d63ffd296a3

SHA256
83c42f240fe2969ce4fda0714268d1db8f0887e809f2b828484b6a6825afcafc

SHA512
17507aa2c22f11f3f14189e3591331034d903f999dbb6e7b80e066211101e24e32702743045cf3656311428c119f273b883bcb4deaa09aa81d957ab5f5538bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
2a5316e09df86c2cba6690327b5f93ae

SHA1
ba6097ec4b43e13e7e12960f56a5fc3c65200d5f

SHA256
938272fa24f29f1b51837c3073f1346f30a5b6b5ad5151421192c6dba9170eb2

SHA512
93067f2a275889f44071aa71b88b04b3efa405f299461640c3a1c35f6c3459478075e0764339f24a86cec41388e0be79e562fd1b65b1a4606aaaadacf0c7747f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
807f4ddbcc41f7000e7c809bec8a9d41

SHA1
5ac531f59b87593dc7c082b507d2c85b9b32a97e

SHA256
2ac684dda4589e4a4c82d844aa6048169d693ef5fab2b5a8dddc6091a73297ab

SHA512
93312dd5b833eb49b59e011358d63328264c81cdcefa83dd18f05e7095397b4aed5ec3f42d67874f9dae9adacb05e3a79c72f69c4d05db0be66bdfc31a355c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
669B

MD5
f0ac84f0b907a60629f380ab47d8a04a

SHA1
8441aa6cfec4285cc3e6b69b8dd13699ddb316b7

SHA256
c36475a2f2b516145127fd53052460d4207fb489247e24ab60aa4dec66f11d45

SHA512
644762c77bf3018434fe98f3206240b2f56e2df23938c22cc7212ad4282ebe3eae6e2591ab1a176fbb9dfee3fb143684d554332a51a4afe068e740ad2dd08f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zon38F3.tmp

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133595977141840472javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/452-0-0x0000000000860000-0x00000000008FE000-memory.dmp

Filesize
632KB

Download
memory/452-169-0x0000000000860000-0x00000000008FE000-memory.dmp

Filesize
632KB

Download
memory/2036-45-0x0000000000860000-0x00000000008FE000-memory.dmp

Filesize
632KB

Download
memory/2036-194-0x0000000000860000-0x00000000008FE000-memory.dmp

Filesize
632KB

Download