daeabb4f77670f7b24e89bf05e25bd5d17c5679fb6f3fa5baee1ba2d27ae9220

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe
Size

2.0MB
MD5

61c07b94aa1b119e673c69838173ec9b
SHA1

fff5dc6b40eedc988c615538c1bf2b03bb187680
SHA256

daeabb4f77670f7b24e89bf05e25bd5d17c5679fb6f3fa5baee1ba2d27ae9220
SHA512

f3758568f3706bf9c89e74669b472f1853a5d0694af4e2bb466154f1a9ba0ce75b0ad1a0b9cb3c0a60a81b96a758e4a4c80e1f60d93982ee98d13ff7b3f1f988
SSDEEP

49152:cUwT0VCJYbHkap4puMVV+cNOQTkcUK77ny+A+hAC/PjyOiPmYa/imLQbf:0WK+HfVUxOQTkRKXdA+JzyOYmFVQbf

Score

7^/10

evasion upx

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4908-0-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-89-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-90-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-91-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-92-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-93-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-94-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-95-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-96-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-97-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-98-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-99-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-100-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-101-0x0000000000400000-0x0000000000956000-memory.dmp	upx
behavioral2/memory/4908-102-0x0000000000400000-0x0000000000956000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1396	1972	WerFault.exe	97

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\FalconBetaAccount	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\FalconBetaAccount\remote_access_client_id = "3054566362"	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4908	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe
4908	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4908	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1972	4908	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe	97
PID 4908 wrote to memory of 1972	4908	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe	97
PID 4908 wrote to memory of 1972	4908	61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\HYDE2C0.tmp.1716258567\HTA\index.hta?utorrent" "C:\Users\Admin\AppData\Local\Temp\61c07b94aa1b119e673c69838173ec9b_JaffaCakes118.exe" /LOG "C:\Users\Admin\AppData\Local\Temp\HYDE2C0.tmp.1716258567\index.hta.log" /PID "4908" /CID "SupoKnjBHxLZtOWq" /VERSION "111850052" /BUCKET "0" /SSB "2" /COUNTRY "US" /OS "10.0" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",\"C:\Program Files\Google\Chrome\Application\chrome.exe\",C:\Program Files\Internet Explorer\iexplore.exe,\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\"" /ARCHITECTURE "64" /LANG "en" /USERNAME "Admin" /SID "S-1-5-21-1181767204-2009306918-3718769404-1000" /CLIENT "utorrent"
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1420
    3⤵
    - Program crash
    PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1972 -ip 1972
1⤵
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3980,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:8
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HYDE2C0.tmp.1716258567\HTA\images\main_utorrent.ico

Filesize
104KB

MD5
44d122c9473107fc36412de81418c84a

SHA1
a0072c789a9cd50ba561683c69af8602927cf4a8

SHA256
7c7279daebd88f6a34246603db9c0ecf9bbfa35ef820edd3278e5bc53f9e7680

SHA512
b4294b80edc0566744dd98a5ab3e2ac64a4ce4851192d5610ee13f12dc24947f51b7d5b5629f7bff6004d74e5a2b728913cda1b3386cf878ab7fb365490d8067

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE2C0.tmp.1716258567\HTA\index.hta

Filesize
522B

MD5
76903930c0ade2285f1ab1bf54be660d

SHA1
0fdd5990ca58cf6c49985ffd2075baa09cd728ce

SHA256
61acd6e7405fad348433f8de4b12ed97b42caccbcf28fe0e4ba4b4a5d2ea707e

SHA512
c66c7f9f488a0ac58fc1b7c6560edb4bc6df71a3504c2567ac54f4f89aee40a7073865e67e508baf4e055555bbc2f461d5b558a427ab6ac602b9fe0b1f9f8c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE2C0.tmp.1716258567\HTA\install.1716258567.zip

Filesize
743KB

MD5
b95e97108189f7babf89539f08186890

SHA1
bf8e669ff37c68d86eafd239bd82684b0bce00a0

SHA256
52bd756b898a3e7dd1c0ec8d3ef76db5f68b9fc5953ca61c493df01eec61ca12

SHA512
cca151213d0062d529d267f31af39236527399b96b019f0c6a68b68bfbcb0bbd7fa747ad24b8d7db9c900e08ed47cfbe79fdd88e1ff97e0ab7eafc5fe228c649

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE2C0.tmp.1716258567\HTA\scripts\common.js

Filesize
337KB

MD5
78b4d4390bff0f011ebd271c9bebeec5

SHA1
12f0f137a8173be5791187a583256894d68bea26

SHA256
2f2edf2bd12ae6c6553042c30cb73b967e9066babad5f18f5ff054e708ffd19c

SHA512
a83f8133f26fca263070b278879582268d5bc02a4bad5028f5c80517c069bdc9915b21bcdea31f4f81df04ab891e9b5858109d80e2e4421812af64ae1c12a67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE2C0.tmp.1716258567\HTA\scripts\initialize.js

Filesize
1005B

MD5
2a65c76b51a2c15eebeefa662d511af9

SHA1
3c5f93d39fdd573e43c7a451836d425bc1b07a5d

SHA256
31fc706ae4bd5093aecb6a0b7f9d3b686feb284076b1122aaff978779612dc06

SHA512
85b012dca5bbdbdd929de859ae41ed817c7f1e02eae70aaaf687f9ba381f696fa7751e3f2262d48c14f49c9090f106a6bb9652962d38bb7fab93214a2466e8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE2C0.tmp.1716258567\HTA\scripts\install.js

Filesize
5KB

MD5
36f8dbcbdeed01079dcd0abdf481ffd7

SHA1
354d8fa00c37255d15a07a8b93f99ec2821ed1a2

SHA256
8d41b55c7626eccd4369418e4d0a1cfc2c7ca56b6424ac7b04e50ebc883837c9

SHA512
3a9ace6ed03f59599739bba74271aac5f4bdd589cbc2727285dd26fe390c8febebd9915c0d72e809e09c47f3d6ec12709acbd99c69796672775f5c0159c4a4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE2C0.tmp.1716258567\HTA\styles\common.css

Filesize
99KB

MD5
8a94d780401556cceabf35058bbd4b5a

SHA1
19ee91b1629f4ccf0fca1f664405a1eee9dacc5a

SHA256
086a7e44de35a235bc258bf1107e22a7dc27932cb4d7e3ebcd1f368acc000caa

SHA512
b02fdc9b46f6fa8424660f462bb290c60c0635ad5cb9fa1b386a55d85d4368d06ae5611d355f8dc0db76477c2e332b0501e70cbbba77c45aa027e1cac59ca182

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old

Filesize
7KB

MD5
3d70934d3a3c1d94e880562b84b64b94

SHA1
d4d10ccbea8cd7dc9bccbd307836ef08f1772567

SHA256
bb0a32b98425b094426da6ce102a82a79ab77aafb0d4145be7279bf905c4b2de

SHA512
080523a70d653d4a1355763d04a8af2583782d14e622545c502851d5edb9994797501b7e5b7b1628c188df4b8b67f92e775c55d467e6b3b7265213cd71d3eb7f

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.benc.new

Filesize
170B

MD5
14c4865c8303c8b70f38f25a9a1dba9a

SHA1
d5ed8ed0a5bffafbe37633ff4fcffe1fca08a6f5

SHA256
91256ed34d4c50d3f49ecba86f95cb16f47a760d600f9e24b239430fe1fabfc2

SHA512
88b33dd933189073ecb4f8c9eef14ecc8f9c138787365b0bfebf88a65a4cc0ee4896cc1466a517cc18c0e4d1ae0317b717376648b6aaa5b76c2724d44fa3980e

Download Submit
memory/4908-91-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-89-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-90-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-0-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-92-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-93-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-94-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-95-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-96-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-97-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-98-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-99-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-100-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-101-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download
memory/4908-102-0x0000000000400000-0x0000000000956000-memory.dmp

Filesize
5.3MB

Download