Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 17:28
Static task: static1
Behavioral task: behavioral1
  Sample: 303a993d39cc64830e10adf510035a85_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 303a993d39cc64830e10adf510035a85_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 303a993d39cc64830e10adf510035a85_JaffaCakes118.exe
Size: 2.2MB
MD5: 303a993d39cc64830e10adf510035a85
SHA1: 77ec88d8d7eae3039bdb61c64c8cc93c26a2a29b
SHA256: 92837af4aa06b8c51b611bf7796c6f563507765ab74e1d3e7168445d07e16cb4
SHA512: 7917e71cece59dc8d03603a8fcb97fdea2b6247087b24fcf5a8e94757231e9ec0eada6193c7c2057258de1d9a4936eb5aca2d8efdf84edfbac33543e5e4cd031
SSDEEP: 24576:h1OYdaOkqU2Uzf5SilCfBJy5WShlDBXEZc78KU88SSThr/jzcT:h1OsyqBI5SilCfKhhvqThr/PM
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, most likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | TslEN8M1Vdw6Q8k.exe
Executes dropped EXE 2 IoCs
pid | process
4488 | TslEN8M1Vdw6Q8k.exe
740 | TslEN8M1Vdw6Q8k.exe
Loads dropped DLL 1 IoCs
pid | process
740 | TslEN8M1Vdw6Q8k.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 20 IoCs
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\SystemFileAssociations | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit | TslEN8M1Vdw6Q8k.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe" | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\__aHTML\shell\Edit\ddeexec | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\__aHTML | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\__aHTML\shell | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\__aHTML\shell\Edit\command | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.aHTML | TslEN8M1Vdw6Q8k.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.aHTML\ = "__aHTML" | TslEN8M1Vdw6Q8k.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.aHTML\OpenWithProgids\__aHTML | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\ddeexec | TslEN8M1Vdw6Q8k.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ELYYGC.tmp\\TslEN8M1Vdw6Q8k.exe\" target \".\\\" bits downExt" | TslEN8M1Vdw6Q8k.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ELYYGC.tmp\\TslEN8M1Vdw6Q8k.exe\" target \".\\\" bits downExt" | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\__aHTML\shell\Edit | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.aHTML\OpenWithProgids | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\SystemFileAssociations\.aHTML | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\SystemFileAssociations\.aHTML\shell | TslEN8M1Vdw6Q8k.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\__aHTML\shell\Edit\command\ = "Notepad.exe" | TslEN8M1Vdw6Q8k.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | TslEN8M1Vdw6Q8k.exe
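Taken together, the entries above register a new .aHTML extension, map it to a __aHTML ProgID, and give that ProgID an Edit verb whose command is the dropped TslEN8M1Vdw6Q8k.exe under the user's Temp directory (the parallel SystemFileAssociations keys first point at Notepad.exe and are then overwritten with the same Temp path). The following Python is an added detection example and is not part of this sandbox report. It models those registry operations as records and flags two things: the Geo\Nation lookup from the geofence signature, and any shell\<verb>\command value whose executable lives under %LOCALAPPDATA%\Temp. The record layout, the SAMPLE_OPS data and the benign .txt control row are constructed for this example.

```python
import re
from typing import NamedTuple

# Added example, not sandbox output. SAMPLE_OPS mirrors the IoCs in the
# "Modifies registry class" and "Checks computer location settings" signatures
# above; the RegOp layout and the benign control row are assumptions.

class RegOp(NamedTuple):
    op: str        # "Key created", "Set value (str)", "Key value queried"
    path: str      # registry path as the sandbox reports it
    data: str      # data written; "" for key operations and queries
    process: str   # image name of the process that performed the operation

HKU = "\\REGISTRY\\USER\\S-1-5-21-711569230-3659488422-571408806-1000"
CLASSES = HKU + "_Classes"
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ELYYGC.tmp\\TslEN8M1Vdw6Q8k.exe"

SAMPLE_OPS = [
    RegOp("Key value queried", HKU + "\\Control Panel\\International\\Geo\\Nation", "", "TslEN8M1Vdw6Q8k.exe"),
    RegOp("Key created", CLASSES + "\\__aHTML\\shell\\Edit\\command", "", "TslEN8M1Vdw6Q8k.exe"),
    RegOp("Set value (str)", CLASSES + "\\.aHTML\\", "__aHTML", "TslEN8M1Vdw6Q8k.exe"),
    RegOp("Set value (str)", CLASSES + "\\__aHTML\\shell\\Edit\\command\\",
          '"' + DROPPED + '" target ".\\" bits downExt', "TslEN8M1Vdw6Q8k.exe"),
    RegOp("Set value (str)", CLASSES + "\\SystemFileAssociations\\.aHTML\\shell\\Edit\\command\\",
          "Notepad.exe", "TslEN8M1Vdw6Q8k.exe"),
    # Constructed benign control: a normal handler that points into System32.
    RegOp("Set value (str)", CLASSES + "\\.txt\\shell\\open\\command\\",
          '"C:\\Windows\\System32\\notepad.exe" "%1"', "explorer.exe"),
]

GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
SHELL_COMMAND = re.compile(r"\\shell\\([^\\]+)\\command\\?$", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def command_image(data: str) -> str:
    """Executable a shell\\<verb>\\command value launches: the quoted token, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def is_geofence_lookup(rec: RegOp) -> bool:
    """Read of the configured country code (the sandbox's geofence signature)."""
    return rec.op.startswith("Key value queried") and bool(GEO_NATION.search(rec.path))


def is_temp_handler(rec: RegOp) -> bool:
    """Set value on ...\\shell\\<verb>\\command whose image lives under %LOCALAPPDATA%\\Temp."""
    if not rec.op.startswith("Set value"):
        return False
    if not SHELL_COMMAND.search(rec.path):
        return False
    return bool(USER_WRITABLE.search(command_image(rec.data)))


def findings(ops):
    """Return (rule, process, detail) tuples for every record that fires a rule."""
    out = []
    for rec in ops:
        if is_geofence_lookup(rec):
            out.append(("geofence_lookup", rec.process, rec.path))
        elif is_temp_handler(rec):
            verb = SHELL_COMMAND.search(rec.path).group(1)
            out.append(("temp_dir_handler", rec.process, verb + ": " + command_image(rec.data)))
    return out


if __name__ == "__main__":
    for rule, proc, detail in findings(SAMPLE_OPS):
        print(rule, proc, detail)
```

The "Notepad.exe" value is not flagged because the rule keys on where the handler's executable lives, not on the verb being created; the control row shows a System32 handler passing for the same reason. Against real telemetry the same two predicates apply to Sysmon EventID 12/13 registry events once TargetObject and Details are mapped onto the path and data fields.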
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | process
740 | TslEN8M1Vdw6Q8k.exe
740 | TslEN8M1Vdw6Q8k.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | process
Token: SeDebugPrivilege | 740 | TslEN8M1Vdw6Q8k.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | process | procid_target
PID 1636 wrote to memory of 4488 | 1636 | 303a993d39cc64830e10adf510035a85_JaffaCakes118.exe | 82
PID 1636 wrote to memory of 4488 | 1636 | 303a993d39cc64830e10adf510035a85_JaffaCakes118.exe | 82
PID 1636 wrote to memory of 4488 | 1636 | 303a993d39cc64830e10adf510035a85_JaffaCakes118.exe | 82
PID 4488 wrote to memory of 740 | 4488 | TslEN8M1Vdw6Q8k.exe | 83
PID 4488 wrote to memory of 740 | 4488 | TslEN8M1Vdw6Q8k.exe | 83
PID 4488 wrote to memory of 740 | 4488 | TslEN8M1Vdw6Q8k.exe | 83
PID 740 wrote to memory of 3384 | 740 | TslEN8M1Vdw6Q8k.exe | 85
PID 740 wrote to memory of 3384 | 740 | TslEN8M1Vdw6Q8k.exe | 85
PID 740 wrote to memory of 3384 | 740 | TslEN8M1Vdw6Q8k.exe | 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\303a993d39cc64830e10adf510035a85_JaffaCakes118.exe  (depth 1, PID 1636)
  command line: "C:\Users\Admin\AppData\Local\Temp\303a993d39cc64830e10adf510035a85_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\TslEN8M1Vdw6Q8k.exe  (depth 2, PID 4488)
    command line: .\TslEN8M1Vdw6Q8k.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ELYYGC.tmp\TslEN8M1Vdw6Q8k.exe  (depth 3, PID 740)
      command line: "C:\Users\Admin\AppData\Local\Temp\ELYYGC.tmp\TslEN8M1Vdw6Q8k.exe" target ".\" bits downExt
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32.exe  (depth 4, PID 3384)
        command line: regsvr32.exe /u /s ".\\Ui1W50ZMfJxLMs.x64.dll"
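The process tree and the WriteProcessMemory entries describe one chain: the submitted sample starts a copy of TslEN8M1Vdw6Q8k.exe from a 7zS*.tmp extraction directory, which starts a second copy from ELYYGC.tmp, which runs regsvr32.exe /u /s on a relative DLL path. The following Python is an added example and is not output of the sandbox. It rebuilds that chain from constructed copies of the report's records and flags the regsvr32 invocation: regsvr32 /u loads the DLL and calls its DllUnregisterServer export, so the DLL's code runs even though nothing is being registered. The PROCESSES table, the WRITE_EVENTS list and the rule that the first process to write into a PID is treated as its parent are assumptions made for this example.

```python
import re
from collections import defaultdict

# Added example, not sandbox output. PROCESSES and WRITE_EVENTS are constructed
# from the process tree and the "Suspicious use of WriteProcessMemory" rows
# above; the parent rule and the regsvr32 verdict are this example's own.

PROCESSES = {
    1636: r'"C:\Users\Admin\AppData\Local\Temp\303a993d39cc64830e10adf510035a85_JaffaCakes118.exe"',
    4488: r'.\TslEN8M1Vdw6Q8k.exe',
    740:  r'"C:\Users\Admin\AppData\Local\Temp\ELYYGC.tmp\TslEN8M1Vdw6Q8k.exe" target ".\" bits downExt',
    3384: r'regsvr32.exe /u /s ".\\Ui1W50ZMfJxLMs.x64.dll"',
}

# The sandbox reports each write several times; the duplicates are kept here on purpose.
WRITE_EVENTS = [
    "PID 1636 wrote to memory of 4488 1636 303a993d39cc64830e10adf510035a85_JaffaCakes118.exe 82",
    "PID 1636 wrote to memory of 4488 1636 303a993d39cc64830e10adf510035a85_JaffaCakes118.exe 82",
    "PID 4488 wrote to memory of 740 4488 TslEN8M1Vdw6Q8k.exe 83",
    "PID 740 wrote to memory of 3384 740 TslEN8M1Vdw6Q8k.exe 85",
    "PID 740 wrote to memory of 3384 740 TslEN8M1Vdw6Q8k.exe 85",
]

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_edges(lines):
    """Deduplicated (writer_pid, target_pid) pairs from the sandbox's event lines."""
    edges = set()
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            edges.add((int(m.group(1)), int(m.group(2))))
    return edges


def build_tree(edges):
    """Parent map and child lists; the first writer into a PID is taken as its parent."""
    children, parent = defaultdict(list), {}
    for writer, target in sorted(edges):
        if target not in parent:
            parent[target] = writer
            children[writer].append(target)
    return children, parent


def lineage(pid, parent):
    """PIDs from the root of the tree down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def image_name(cmdline):
    """Basename of the executable token of a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        exe = cmdline[1:cmdline.find('"', 1)]
    else:
        exe = cmdline.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1]


def regsvr32_unregister_findings(processes, parent):
    """(pid, ancestry) for every regsvr32 run with both /u and /s.

    /u does not avoid code execution: regsvr32 loads the DLL and calls
    DllUnregisterServer, so a silent "unregister" of a DLL that was never
    registered is a proxy-execution pattern worth an alert."""
    out = []
    for pid, cmd in processes.items():
        if image_name(cmd).lower() != "regsvr32.exe":
            continue
        switches = {tok.lower() for tok in cmd.split() if tok.startswith("/")}
        if {"/u", "/s"} <= switches:
            chain = " -> ".join(image_name(processes[p]) for p in lineage(pid, parent))
            out.append((pid, chain))
    return out


if __name__ == "__main__":
    _, parent = build_tree(parse_edges(WRITE_EVENTS))
    for pid, chain in regsvr32_unregister_findings(PROCESSES, parent):
        print(pid, chain)
```

Rebuilding ancestry from the write events rather than from the tree widget matters when the sandbox output is consumed programmatically: the widget is rendered HTML, while the WriteProcessMemory rows carry the same parent/child data as plain text.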
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\[email protected]\bootstrap.js
Filesize 2KB
MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
-
C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\[email protected]\chrome.manifest
Filesize 35B
MD5 0fa84815f4a89528ea1aca5df9ba9095
SHA1 8dac2fe6e174899dda89bca38ae9764dba967267
SHA256 6a522d3f932644f62b246bf2a39f9fd042a858bf1fa2aa8e34ddce2081f47dc2
SHA512 922e8b23636beb4b405b861a7c488170717d9fbd748ef2c40184e5ac72a82342fb2da4401cefac1f285e652e6ef8dbcd939de0f75cb31b67f094ca9ac7dff5e6
-
C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\[email protected]\content\bg.js
Filesize 8KB
MD5 36dfb13a7cd98dd5b245fdc3e5e5c987
SHA1 ebd176ace165f912232bfedeb0c68c154348f8f5
SHA256 103b0253870cdd413705df2fad0aef340917e3124b8428d3706be45648ad06c6
SHA512 725d1b015a1fe998f5ad0b5f705fc99ae0fffc06f990036454b7e6f93b1ee49aa7228681a5b3fef42531f497a6a0d6d99a880f60eae6a17aeafd89a61ba8c953
-
C:\Users\Admin\AppData\Local\Temp\7zS273F.tmp\[email protected]\install.rdf
Filesize 595B
MD5 19eec5a5652828d6f3397778dd1cff57
SHA1 607502980cc89688d26cf3dec96ec355d4d479cb
SHA256 c70978158922767f48161b5292c0250080b78227a92ccc093af5da1be7bdc355
SHA512 c5788a0a1fd93009fd1ea6afbf1353f170cdf1efad4ab98a8e790ab2c1ba95e1495f30a28f93cdfe589cbe0834d1f852e63b3662bcb99d6e3dbc148bbb99700a
-
Filesize 218KB
MD5 9f6c52eec607111136cd222b02bf0530
SHA1 57f3815d0942e3b0a9bef621a7b4971f55fc74d7
SHA256 7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4
SHA512 6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54
-
Filesize 863KB
MD5 121e25780259b7eb047221be2ab61c48
SHA1 e8770368366d8730aed0639c19db308c4c07c1c4
SHA256 76880b882cccfcca404422534a96325f03b6bcf2f3043dc9590511121afcc9cf
SHA512 516809f49441be91ca39c08c8af628716f2774cc21f3a1852097fa8c3cc16809f8e35079303b4a97f42aa23fce6908eda6c862a58577b36d97f3c2371062d9bc
-
Filesize 5KB
MD5 1ca45b386c7b01e1bd45ef4e291d3f70
SHA1 dcabb955bc45b182231459d7e64cba59592c907e
SHA256 495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c
SHA512 87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752
-
Filesize 945KB
MD5 58a22b0e91eeabbb39a6f5bc29b66be2
SHA1 aabe842732fcb00700b345c807ac6f11678de751
SHA256 bd38583ee41b71624a8d8857f78a9d792ad079e348348180ee610c5cc2f3faa9
SHA512 4d38872990c832a82086b70d770bb9250d567d900bd3478d7ec2302a46265a639047acb6c3ee7d4002010bfb8190ef41b98ab55011c67b60ba586cdb3cdef2c0
-
Filesize 6KB
MD5 407b1509df61a7f645b91ddb8d843e11
SHA1 1cb4cd6bf477f069035108e930e7cb949c83c78b
SHA256 99037da11e5da8e5f632d7d2f4ec4646a3fda6b9d040b75a5dc42f8fe58056da
SHA512 7e9a9ff4b1499b027c156b997920ee7b88a51798934ef8be1a7e7a7a40d1c0647b06cee6e5beef2093b75bbf720e7e826892c33da2a93ae3bbd64348819475d4
-
Filesize 146B
MD5 256c1e15d3a70d8cd921515996d4553c
SHA1 62ac229130000b685a83d9d71d52efb49f54fc4e
SHA256 1887568fc30d93b40118ab21410d920b48946abcbcbb15d36f38b7146ea90e7e
SHA512 02fbd6da5acb71b8cc74b8949f2356da99b73b699c0225dd7fbc5a519ec1dcd4454f04d98073855646a83040b22354095dcee27fe3496fb61d21117e84a204ca
-
Filesize 144B
MD5 fca19198fd8af21016a8b1dec7980002
SHA1 fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA512 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
-
Filesize 531B
MD5 36d98318ab2b3b2585a30984db328afb
SHA1 f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256 ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
-
Filesize 499B
MD5 496a36783c9e4e278bf3c1597a2eb77d
SHA1 76d6170cb8d01a472862eb5281c78bad8ca014d2
SHA256 d384fc88a99a436cc3c2a1e91619db1bc413c85eb3b6555172f65707c103b6a4
SHA512 7be546a221e05d56f4c74d88d0789967149a87e282d6380fe792c3f960e402caf4909c4c2b0940d933914ff3658b606834953f9b349d5143bcb1791fc27f98d8
-
Filesize 14KB
MD5 94d5249ebfcddc85e888f94717af5eb8
SHA1 50b8793b44598e52443ae3167af4e278e19f81bd
SHA256 b953b6dabb8767be0a0ba0b441e8d4e3be7f57bc12fa33345158b154d7fd670a
SHA512 9b4adf19bae8474ea1a12ef4716121cb67b54e5536c8747e0070a57d3431bb4096dd9c30fff2e546388bcb7240f5736c4f12b4d78ca0e234c2a7b5640521e321