b9df272c2e6a4c4c0f09b61eb770648403c8f736ee513e0e8910a19f5bbad5f8

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe
Size

227KB
MD5

315d8dc501e042bd528ece9a79447606
SHA1

a6e6b4adf6e7e43765ddad00d42db315bbfc2d49
SHA256

b9df272c2e6a4c4c0f09b61eb770648403c8f736ee513e0e8910a19f5bbad5f8
SHA512

1f1f433c3f1c0bfe3b037cf7382224d1fc6ee75d5c89d5e7fe3aa3745121147165457dd7bc52242c5e1f792cf77d9b03bbef01a21a57beda9bb3cb77d3896131
SSDEEP

6144:GsaocyLC0S8EKwcqLBpU3nofCqUajOBjypw:GtobzrEKZW9p6Vgw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	install.exe

Executes dropped EXE 2 IoCs

pid	Process
1668	install.exe
2860	inst.exe

Loads dropped DLL 1 IoCs

pid	Process
4428	315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	install.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	install.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	install.exe
File created	C:\Windows\assembly\Desktop.ini	install.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	install.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2860	inst.exe
2860	inst.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 1668	4428	315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe	82
PID 4428 wrote to memory of 1668	4428	315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe	82
PID 1668 wrote to memory of 2860	1668	install.exe	88
PID 1668 wrote to memory of 2860	1668	install.exe	88
PID 1668 wrote to memory of 2860	1668	install.exe	88

C:\Users\Admin\AppData\Local\Temp\315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\315d8dc501e042bd528ece9a79447606_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\nst424B.tmp\install.exe
  C:\Users\Admin\AppData\Local\Temp\nst424B.tmp\install.exe inst.exe /e5108185 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /aAtomixMP3 /dT201305101914
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\nst424B.tmp\inst.exe
    "C:\Users\Admin\AppData\Local\Temp\nst424B.tmp\inst.exe" /e5108185 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /aAtomixMP3 /dT201305101914
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
1KB

MD5
f7f6c43cbd2fe2990b6a2188f79d4807

SHA1
a5ed1028322e383d7b668705140486d52800d1e5

SHA256
1508fd6f7d6fde592f3f92636f04ccca8ee398da3f2718d1009d939cbf42a4aa

SHA512
51b0ce1ec2a2d3039b461a1790da8da72fcd2a584193e2b0b49b6dac3b38f97df19cc4fd3ea96e5533bfad5340c39952c8d5dfb6ff48a2163cd188c8dd02cb40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
604B

MD5
5a1ab1871c1dd0bbe715482943c74be6

SHA1
da4ce17e39abb581883120980f00a91cb029127c

SHA256
5fab31aa7540eaebb07d0315e540564b06d612b4b4eb3f2a645fd86a59e6b37c

SHA512
88d80e7ffc33aadb7e28363aad82f51e78bc09ef3ef193a7acb867c825bf633b04bb623796e699262c2f1b40f339bc5277b5520f17d87b2d1f6724288330545d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
412B

MD5
c486f1fb7c4e7caf1e3fbd45fdb48989

SHA1
f62eb8e2ac036d7d06a9ae0e6bccb9cdd5ab7210

SHA256
a9744535b1ffb3466aab502d4f93503aa4c182e9f108b3084b38c4d8a693827d

SHA512
f42a9959049a0a1c58ffb9fd992168529b1dc6e8bf3d21959447cdcb90cae0a2353b23f99065900aa5b2adf5a8be9b0114f811d87a5aa0ca9ff5d2645fe87f3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
188B

MD5
9bfd158dc07d5e0e8cf76784e75805b0

SHA1
441ce79880ceec00d9f9b09212b44f2a90c2fa5b

SHA256
64bcbb5572ec5a6ef25a107610b2ffa6b9931f1a217a1d91d7cc9b82a09adffb

SHA512
0d3023849516e622de013b0576d7c174db1a623d93132aaba9c3088a12a8d3be3ec8e1b13c632fdbfa2344198f5043dac884a21c2680075f5cc83a20239acf48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
404B

MD5
df1df2fd315bfc40667347ab98b8af5b

SHA1
f1f803bcc2ed21415b565b4481b72865cf21b6fb

SHA256
4f8e2453d640e29ce899bd4018cc5df2fd9c5a0fe79043f275aecf728c45b807

SHA512
7cb574d7eb6f78e9073f6d5379b82a3aad3929530641ca4a956d7b1d9a4aeb0d8b3bbf364a86ee0f3ec723ae8a2e73dfb84b31b75d80d9a83b385c07776d39eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst424B.tmp\inst.exe

Filesize
237KB

MD5
5fa2364c5a43d98727116b4708ea52c0

SHA1
ca31227a7696a99b09d2d667d330cbde1b8ee413

SHA256
de858f5ae730377475a3cc19512c16bac83565349da99b8c3edc5da4c567e2d3

SHA512
b54211e550140d9249e03b1bdd7b0aa9bcd8d8ae6c2d40339d1283ecede3c7b9ac4ad92d9cc185306f592045d63d61a263986057f80b1856f1ccf08c7501696c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst424B.tmp\install.exe

Filesize
173KB

MD5
2e6b916342ce1c8916ed73cd052c05f8

SHA1
dc7cc05b9f016eaa582e7f459f071f4b9e24ba33

SHA256
3d4585ba554410428b9d1fcbd35ba22093f295516d47964f3ad5c5f72f21613b

SHA512
4915b315893cce26a7b3246f8a994c1ede4f4c26bf6f1b0d1aeaa40254b9152f79451720d6de3b8c30cbd5dffe58e8cd034a6cbf3ef524b8c9597e2654f650bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst424B.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/1668-26-0x000000001C140000-0x000000001C168000-memory.dmp

Filesize
160KB

Download
memory/1668-42-0x00007FFEB5CF0000-0x00007FFEB6691000-memory.dmp

Filesize
9.6MB

Download
memory/1668-30-0x00007FFEB5CF0000-0x00007FFEB6691000-memory.dmp

Filesize
9.6MB

Download
memory/1668-10-0x00007FFEB5CF0000-0x00007FFEB6691000-memory.dmp

Filesize
9.6MB

Download
memory/1668-9-0x00007FFEB5FA5000-0x00007FFEB5FA6000-memory.dmp

Filesize
4KB

Download
memory/2860-44-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/2860-45-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/2860-43-0x0000000074D32000-0x0000000074D33000-memory.dmp

Filesize
4KB

Download
memory/2860-57-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4428-49-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download