20cac668826046b1891754630ec34e11f4b333ac8b4484f50cbf4b980544d6d5

Analysis

max time kernel
141s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe
Size

227KB
MD5

1f4c1108029ec8522f744da4f61b3772
SHA1

e07edce9945340015f54e96eb3cb6536cb023b3b
SHA256

20cac668826046b1891754630ec34e11f4b333ac8b4484f50cbf4b980544d6d5
SHA512

ebd08ecb26c3fdbe45884f2a2680cc093d673e074d22aab4b07b6b39182bfe503cc2672a1e547851218d3c2baeac30a5ecea9ebc4adcb9c06ba119bf7a9066ca
SSDEEP

6144:iifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRV2r:1fk6kDqHw2hmxlrz2HoSR2

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3952-2-0x0000000000AE0000-0x0000000000B7E000-memory.dmp	upx
behavioral2/memory/2856-45-0x0000000000AE0000-0x0000000000B7E000-memory.dmp	upx
behavioral2/memory/3952-164-0x0000000000AE0000-0x0000000000B7E000-memory.dmp	upx
behavioral2/memory/2856-189-0x0000000000AE0000-0x0000000000B7E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\utils.jar	1F4C11~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	1F4C11~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	1F4C11~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	1F4C11~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4436	3952	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	83
PID 3952 wrote to memory of 4436	3952	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	83
PID 3952 wrote to memory of 4436	3952	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	83
PID 3952 wrote to memory of 2856	3952	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	86
PID 3952 wrote to memory of 2856	3952	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	86
PID 3952 wrote to memory of 2856	3952	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:4436
- C:\Users\Admin\AppData\Local\Temp\1F4C11~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\1F4C11~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
617c2d5d325d3f97b34f63132a7c809c

SHA1
a6a8a8c02f3d70750e1938fb0ab2b6254bc14127

SHA256
4641399e0c898f329c3850a8e149c251a689395c72142340bfd497f44fb5e020

SHA512
e9737555ceb8e063609ce6fdf4e740fb6977dc46a299d07de0e3232f7e2f9b63cd96b9e765d29ed5d2403c6775d42bfe2a7eacacbe08e128811b123418dc14e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
f920a8b05348d6fdd56aa5981792ded2

SHA1
6034066c8e2bceb57064ece4c52183826cddafc8

SHA256
b6bbe769ec9d1ad7b9979025a38d53e48d3e02dc6496ffdb78dcd1f05ca1c703

SHA512
8af3dfdc291e1ff288d53430f7496d91830c58c2353a9cb024b08d39d1ca5e1165422c5af140692bdf4362c0c7bda4b919f4917159c0d61b76ece10c9fc3f584

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
0d43cec4038ab3e6c28f212d5d0d0c12

SHA1
fd8ccf51bc433b1ccc8552b720043b961fbba5fd

SHA256
209773fa432f4cc9d836726ec2290f7114a9527a1efbfda71467549c54fda1bb

SHA512
9f49b8fa88bb4cb0432a1ba0904f0096131ef731150693d15889ab6d8326c29efc45b19c89c7606551ee968120b51cba9a56e071ae15004e9883bf3f5115b6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
e12c566dac65c3569ef5cc6143f22a81

SHA1
8627ceac671333df6a88eac86199db7e0d9a9302

SHA256
a15c32f9d85919547ecfc7dfbbb0d51faa5e96a42f9734f43fb7c2cb53f93c82

SHA512
5d918f4b8ef1496e0d677c041e905ce8335f19f85050a01d687e55de69aeb0b98e5db9c765a941f6a0bc5c9a47a98ba78d244ad125b107c1f8665f24cc3a5e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
7d9c1392a32013edc0d65b2eedc4d4a9

SHA1
e1a811b8d3848469f7bfe6fe8f2dc18917e847c1

SHA256
f06953c7fed55e11b62292cb938e4275d35c7e0801ed54e8ac898a3eb51d517e

SHA512
fe0ccf52e011cf0943645533e98e3f6483ae4ef6542882c06f566649f875b237e2bed6aee3c575f69e8a073436577cc0605d36e64d8ec4d886828f16f13eff03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
536ba5ee70a6991c3aae0f85b35b4548

SHA1
912fd970598f46265a89399838fd4d19b64ac4b8

SHA256
04267418b9ca9fb58f73cdd48af5e7be7aa4a7fce63a33b0b72fc12b55a9ccb8

SHA512
e3661cde14445d90c111a9419bcbcfd21c41209fb7887a051e22f5e2d163ea64861664089dbe541b578f4076552051c8e5f06ed9a09f75c5db244f44d42af8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
2b0db36689034aad160cd171f9c9fe1d

SHA1
878eafb23d6ab581234bc00cd424beb31246c345

SHA256
acacb2b96084f37b14365ff8bd6b24ab713205061014df07adabc89479e6c714

SHA512
56c83eda0a4e198cb4095500c6074d7a4c55f5883bba6725e8695026a4c213fd7a3cffb3feeba96d0b01d9c0c690260a88eb9865d388d54febf6b1e2f1d932b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
26a268c97be6c9e78341cfec82d25fe2

SHA1
caee4422d6d4af24ada47dbef246649671264b27

SHA256
d783ee6f122d0efead4841926f25ba4184ea3e1557fa86fdc826c8e21a5e3637

SHA512
9969035b5180662c90db2dc78587ee58f441460cc3406cb254c0dce08d7f23e418415ef9199bd1f2e5b1293f6959d21a4fae5b92e3cdf106842461756d95f254

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
50858e40b931ea84897a96495fe1aa8b

SHA1
8d444f17f3d28bd2651acb57bfb0889035305878

SHA256
6d7c462876251e903f8efee8b46d5f7b64e2dfae1d2de1e173173ad766a5bfee

SHA512
bf47b820bd1f1ad7c6fb133b085435bf78d3d2582f11e8c0beb16292a6950f246f31966c840c8cb497ec121efd1e041557e00162c9368fcef0e32ba66c8de9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
0865ea1079f1184b8baf456232f89c43

SHA1
af2e15d6ea6ca8043c951e062bcd507c9b408492

SHA256
7b9fd54034ea41893ee3f83017d2a16f10ef3edd4e3526a5a14e9e4d2a277f9b

SHA512
4fe15631cf90beef7b8605600a8dfe8548c49b1d243a578818b4a855a1cf3a848af12b9b60fb52a972c7b3fe28815f56e91cb7a1ca8ef654874b1be341290451

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
3KB

MD5
bc164eb167ef8211bbc53de5d63795b2

SHA1
9a0f0fa3177268d5096593be42be4770d422c147

SHA256
a8fe08f88512681b37863d1b2624bf16eb11d8102b5454054cc5190d37f64044

SHA512
9c2c36ee538cbc71b2f4c7f0a139d7ede82472ff10d15d88ac3138257bd90dbaac0eaaab55f141ce52b2f995b3e1b313445965dea217a2f43db4b1e2bc1be8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
4c71178ecb94705b744835503e44c16b

SHA1
a275fcb5523541c5e9415380a6c03297bf0b58d7

SHA256
94a346e464d4ae920a1d48ca92f01bc297b1d1da98e546d094c2468797359a68

SHA512
49c27a65e8442c50e7eeb740c8db8d457ef0d9b2082d34f7424c12cf0e27f8e21bb04909b644be2157165aa92ec1e700412598c2396e55fd9df240ea3df89ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
fc0ccd86ff03cc0ab01882a7fedcc9bd

SHA1
38ee1e15296b24fedc070670706066b221285923

SHA256
33d5a91c32559c9c7309c54a55c9bf7490684cadcca35c9598c79918fc9ee0c1

SHA512
5c8a0571fc2f2abea928c251d06b5fd3e22c11dffdd9d2ab2031a585351a2c3191cf38ff0de702f00f800531e0c2190528c63675b3683a727bbe4fff6f01f950

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
4c5897fe37dd150a43d5040fe52ceccf

SHA1
3856e94ca4eddffd79cd71e3574391803b6967f6

SHA256
2ff5aaf93eee92275ebecc89e1b0deb8e8dbca8902062d73c62ce17683380fc6

SHA512
264445b6402801f80462403b5116aefafc22fc9e1344bce48ac2c4c9f1af46835730ae1b4dfdf6bf71d3b50925661d7ba31ab9109a4f492fac68530a2ef9d39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
d9a473c53e63543f828e1997b45ea52d

SHA1
2427c73b1a725d52e115592cf32f0304bd5f51b4

SHA256
307c8a526ed84478fdd5a9d18c7b46ffa1a8d339f82e8c1d1c1d35c23667a217

SHA512
a90e11e9940ecce2bd2141b34b2bd43cc3a83216753d5a5c0c73278ddb6531e3b3d652b6bff8ed8a4b0aeb50267744823d56f75583fd020a3613c414404c8ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
1KB

MD5
5a5d0d4d0f4ba724a2a7a8c9ba3d4a46

SHA1
7abd7713cca32cb7d54e003b1bddf7bfae6297b6

SHA256
f65ccb865d6c02bc3ca22fc2447681e9cfbe40683009fe21de294b517719dbb2

SHA512
c4abf644d4a62a12c752e06b4cfbb436ddfa03013db000ab9a0734d7fc7e394995d47d4a557b470e659cb80694fee2a140d7381df14901db2d8f2bd2c13efe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
777ce88738e18acf5eeab6ea74e61985

SHA1
b717066ce3b36db2b06240ef682e38c2e75686f3

SHA256
25a8593eb3b81b111d8b339441b4598d741155af4173a00d0c2eeb49361897aa

SHA512
bf53f9425d5a1fe4c1aca77c5d0386888d4b014f52ee96231a31981e4f5506e899967806a738b6f3636a460e27bb23ed8035017bffbf6ff3f6daebdf8876e0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133595259750072409javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/2856-45-0x0000000000AE0000-0x0000000000B7E000-memory.dmp

Filesize
632KB

Download
memory/2856-189-0x0000000000AE0000-0x0000000000B7E000-memory.dmp

Filesize
632KB

Download
memory/3952-2-0x0000000000AE0000-0x0000000000B7E000-memory.dmp

Filesize
632KB

Download
memory/3952-164-0x0000000000AE0000-0x0000000000B7E000-memory.dmp

Filesize
632KB

Download