07b22a0e85c4f95916a66a6f603adbfd5f152fa2dcaf19603fb95e0dafcc099c

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe
Size

132KB
MD5

621cfb12233c7432f6881347bded5a57
SHA1

ab871369a1d336031620c6938d87a9ef69ee03ba
SHA256

07b22a0e85c4f95916a66a6f603adbfd5f152fa2dcaf19603fb95e0dafcc099c
SHA512

c5e365b035ca4dbfe98b2d483dd398c247e688155ca272fcd8271ead64cd23a1a7a928172d8c258c8f48290d9097050defaf873bde60570d5465ab341045266d
SSDEEP

3072:+D4beJt/UAKF4ba3Hwi573QVx78b4Mt2rXH4Mzm:+D4+t/Uia3H153KK2EMS

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1912	UORT.exe

Modifies file permissions 1 TTPs 5 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3840	icacls.exe
2572	icacls.exe
2164	icacls.exe
392	icacls.exe
2364	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{JBOWUEMU-JZYP-9UVS-9IWT-96YNEWJCNHMB} = "C:\\Users\\Admin\\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\\UORT.exe"	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{JBOWUEMU-JZYP-9UVS-9IWT-96YNEWJCNHMB} = "C:\\Users\\Admin\\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\\UORT.exe"	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 2284	1912	UORT.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4248	2284	WerFault.exe	115

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3144	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe:Zone.Identifier	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 1396	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	93
PID 4012 wrote to memory of 1396	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	93
PID 4012 wrote to memory of 1396	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	93
PID 4012 wrote to memory of 1392	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	95
PID 4012 wrote to memory of 1392	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	95
PID 4012 wrote to memory of 1392	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	95
PID 4012 wrote to memory of 4960	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	97
PID 4012 wrote to memory of 4960	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	97
PID 4012 wrote to memory of 4960	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	97
PID 4012 wrote to memory of 3156	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	98
PID 4012 wrote to memory of 3156	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	98
PID 4012 wrote to memory of 3156	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	98
PID 4012 wrote to memory of 3696	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	101
PID 4012 wrote to memory of 3696	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	101
PID 4012 wrote to memory of 3696	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	101
PID 4012 wrote to memory of 2428	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	102
PID 4012 wrote to memory of 2428	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	102
PID 4012 wrote to memory of 2428	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	102
PID 1392 wrote to memory of 3840	1392	cmd.exe	105
PID 1392 wrote to memory of 3840	1392	cmd.exe	105
PID 1392 wrote to memory of 3840	1392	cmd.exe	105
PID 4960 wrote to memory of 2572	4960	cmd.exe	106
PID 4960 wrote to memory of 2572	4960	cmd.exe	106
PID 4960 wrote to memory of 2572	4960	cmd.exe	106
PID 3156 wrote to memory of 2164	3156	cmd.exe	107
PID 3156 wrote to memory of 2164	3156	cmd.exe	107
PID 3156 wrote to memory of 2164	3156	cmd.exe	107
PID 1396 wrote to memory of 392	1396	cmd.exe	108
PID 1396 wrote to memory of 392	1396	cmd.exe	108
PID 1396 wrote to memory of 392	1396	cmd.exe	108
PID 2428 wrote to memory of 3144	2428	cmd.exe	109
PID 2428 wrote to memory of 3144	2428	cmd.exe	109
PID 2428 wrote to memory of 3144	2428	cmd.exe	109
PID 3696 wrote to memory of 2364	3696	cmd.exe	110
PID 3696 wrote to memory of 2364	3696	cmd.exe	110
PID 3696 wrote to memory of 2364	3696	cmd.exe	110
PID 4012 wrote to memory of 1912	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	112
PID 4012 wrote to memory of 1912	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	112
PID 4012 wrote to memory of 1912	4012	621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe	112
PID 1912 wrote to memory of 2284	1912	UORT.exe	115
PID 1912 wrote to memory of 2284	1912	UORT.exe	115
PID 1912 wrote to memory of 2284	1912	UORT.exe	115
PID 1912 wrote to memory of 2284	1912	UORT.exe	115
PID 1912 wrote to memory of 2284	1912	UORT.exe	115
PID 1912 wrote to memory of 2284	1912	UORT.exe	115
PID 1912 wrote to memory of 2284	1912	UORT.exe	115
PID 1912 wrote to memory of 2284	1912	UORT.exe	115
PID 1912 wrote to memory of 2284	1912	UORT.exe	115

C:\Users\Admin\AppData\Local\Temp\621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\621cfb12233c7432f6881347bded5a57_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /tn {JBOWUEMU-JZYP-9UVS-9IWT-96YNEWJCNHMB} /tr C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn {JBOWUEMU-JZYP-9UVS-9IWT-96YNEWJCNHMB} /tr C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
    3⤵
    - Creates scheduled task(s)
    PID:3144
- C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe
  "C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe"
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1312
      4⤵
      Program crash
      PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\19041.1.x86fre.vb_release.191206-1406_x86W.dll

Filesize
140B

MD5
04e4a645391568371f1bbca9f621d8c2

SHA1
420218aeedaeff14c1b252c014db1a020de9f034

SHA256
2fe21efb5c08b860735926191ed65efc3b7f65ac07dbe4c3ce452c34bd0348d7

SHA512
5c625d8ea46f3b6b54ae185da254203245c17e6f3070978a0aa24e92ce48b49d5882ecb955ef2fdd14f782891bb378261495cf73dfd261b31a2f4462426917ff

Download Submit
C:\Users\Admin\{6YLZ2ZLU-VLI2-4HJW-T4GZ-TSQ0KN56VNSJ}\UORT.exe

Filesize
132KB

MD5
621cfb12233c7432f6881347bded5a57

SHA1
ab871369a1d336031620c6938d87a9ef69ee03ba

SHA256
07b22a0e85c4f95916a66a6f603adbfd5f152fa2dcaf19603fb95e0dafcc099c

SHA512
c5e365b035ca4dbfe98b2d483dd398c247e688155ca272fcd8271ead64cd23a1a7a928172d8c258c8f48290d9097050defaf873bde60570d5465ab341045266d

Download Submit
memory/2284-37-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2284-38-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2284-39-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2284-42-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads