02a73f9889a2b7228b93c069a2077603e2c03166f2e0a060847b0bd2107508f4

Analysis

max time kernel
130s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68e219382644cc5f9dbe14368b2f2399_JaffaCakes118.exe
Size

2.2MB
MD5

68e219382644cc5f9dbe14368b2f2399
SHA1

bd0d87f26244db96e3f04dec764966688bb3d43e
SHA256

02a73f9889a2b7228b93c069a2077603e2c03166f2e0a060847b0bd2107508f4
SHA512

e30a7c832411717aacb1b317119f0ad4f6b72f3ecd695271d2584c2196fab50b6ce75ebae10a50fdc2af5b86bb65523faf369b470088c6f9c89dc5e9a289a842
SSDEEP

24576:h1OYdaOVqU2Uzf5ailCfBJyeWSB2rDBXEZc78KU88S2hr0zcD:h1OsvqBI5ailCfnB2HvOhrs+

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OId5mfR0K1tLEld.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	OId5mfR0K1tLEld.exe

Executes dropped EXE 2 IoCs

Processes:

OId5mfR0K1tLEld.exeOId5mfR0K1tLEld.exe

pid process

3012 OId5mfR0K1tLEld.exe
4972 OId5mfR0K1tLEld.exe
Loads dropped DLL 1 IoCs

Processes:

OId5mfR0K1tLEld.exe

pid process

4972 OId5mfR0K1tLEld.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3012	OId5mfR0K1tLEld.exe
4972	OId5mfR0K1tLEld.exe

pid	process
4972	OId5mfR0K1tLEld.exe

Modifies registry class 20 IoCs

Processes:

OId5mfR0K1tLEld.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command	OId5mfR0K1tLEld.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\UDYOER.tmp\\OId5mfR0K1tLEld.exe\" target \".\\\" bits downExt"	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.aHTML\OpenWithProgids	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell\Edit\command	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	OId5mfR0K1tLEld.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.aHTML\ = "__aHTML"	OId5mfR0K1tLEld.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML	OId5mfR0K1tLEld.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\UDYOER.tmp\\OId5mfR0K1tLEld.exe\" target \".\\\" bits downExt"	OId5mfR0K1tLEld.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.aHTML\OpenWithProgids\__aHTML	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell\Edit	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell\Edit\ddeexec	OId5mfR0K1tLEld.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell\Edit\command\ = "Notepad.exe"	OId5mfR0K1tLEld.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.aHTML	OId5mfR0K1tLEld.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

OId5mfR0K1tLEld.exe

pid process

4972 OId5mfR0K1tLEld.exe
4972 OId5mfR0K1tLEld.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

OId5mfR0K1tLEld.exe

description pid process

Token: SeDebugPrivilege 4972 OId5mfR0K1tLEld.exe

pid	process
4972	OId5mfR0K1tLEld.exe
4972	OId5mfR0K1tLEld.exe

description	pid	process
Token: SeDebugPrivilege	4972	OId5mfR0K1tLEld.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

68e219382644cc5f9dbe14368b2f2399_JaffaCakes118.exeOId5mfR0K1tLEld.exeOId5mfR0K1tLEld.exe

description	pid	process	target process
PID 756 wrote to memory of 3012	756	68e219382644cc5f9dbe14368b2f2399_JaffaCakes118.exe	OId5mfR0K1tLEld.exe
PID 756 wrote to memory of 3012	756	68e219382644cc5f9dbe14368b2f2399_JaffaCakes118.exe	OId5mfR0K1tLEld.exe
PID 756 wrote to memory of 3012	756	68e219382644cc5f9dbe14368b2f2399_JaffaCakes118.exe	OId5mfR0K1tLEld.exe
PID 3012 wrote to memory of 4972	3012	OId5mfR0K1tLEld.exe	OId5mfR0K1tLEld.exe
PID 3012 wrote to memory of 4972	3012	OId5mfR0K1tLEld.exe	OId5mfR0K1tLEld.exe
PID 3012 wrote to memory of 4972	3012	OId5mfR0K1tLEld.exe	OId5mfR0K1tLEld.exe
PID 4972 wrote to memory of 2592	4972	OId5mfR0K1tLEld.exe	regsvr32.exe
PID 4972 wrote to memory of 2592	4972	OId5mfR0K1tLEld.exe	regsvr32.exe
PID 4972 wrote to memory of 2592	4972	OId5mfR0K1tLEld.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\68e219382644cc5f9dbe14368b2f2399_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68e219382644cc5f9dbe14368b2f2399_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\OId5mfR0K1tLEld.exe
.\OId5mfR0K1tLEld.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\UDYOER.tmp\OId5mfR0K1tLEld.exe
"C:\Users\Admin\AppData\Local\Temp\UDYOER.tmp\OId5mfR0K1tLEld.exe" target ".\" bits downExt
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s ".\\Eui5j6NLQ6eR25.x64.dll"
4⤵
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
0908ac64ac55e040660474b44147ecb6

SHA1
5d7fda556fbb3b61cf4c9224e367306bbbf2e344

SHA256
1c4580965d502955f013aeb3807824c377ce4bb3cb46225e076c6bf282997761

SHA512
37133e1f6e42d74afd769fd23ecb399aefd1375851d155608757bdba71f18e796d69cb1d2b484c6e08d6ce6fc10b36c5a832d0a0e2116c87ecbf396846b1a49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
6bb690aecac48f8ce07d1895d26c07b6

SHA1
1e20cef993710677c7f2f2beda155c5bf4907c38

SHA256
1ff44fe3958324606deaffc1f449340c55beb959ef3af28e7dd04aa026515e4d

SHA512
07e8416c03139cef21ddba8d07f1c475b3f012fab1e85ed09cf8dd8be6b1943cc78083810fd1a286204d0cc471c72dac579845a5359dda157212fc7b5460abd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\[email protected]\install.rdf
Filesize
598B

MD5
93c677abe2037c9a68237f099d4cc997

SHA1
8ac6bbbb03de7337f6f023a1ee28bfc9f2c77322

SHA256
0becf0add89af7d71cc5b16f1b8cf49523df9de50ef057d0816efa3cc65f6741

SHA512
85166a1802f06d7cb929bbc7d81d73c5b721435c8a0ce4f7fbe86ad56d386b350c52146fa2e8d3da78bf84a8e04570cfb6e81e8bbd73057735fa290f1b9f369a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\Eui5j6NLQ6eR25.dll
Filesize
863KB

MD5
cf814bde730c4675340d502a0fea3a09

SHA1
1e946691554795b1f7b62f736d49a365d5cd7f01

SHA256
6f80344db012cf112b2e53999ee8fab8aafed74fa0e336d6ca3e3ea61565c5c4

SHA512
4cebd9c1b15ee30cec7bd3ed657f36e209710b6e58f0012460868fc4fcbf3fbbb78994401f5f25b38745d5b316937ef8dda29c8e4ee721c3466538df8279c513

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\Eui5j6NLQ6eR25.tlb
Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\Eui5j6NLQ6eR25.x64.dll
Filesize
945KB

MD5
30c0aba1e447115c2232d60982cb2fff

SHA1
9e40e522e35cb73e6a1bea0df78fdf8e4aed0884

SHA256
fcf74f004987f742947842285e73e7798e5efff5b34a322fc66fc93480fea313

SHA512
f8f335941cb93ec8ff9fd86a4270f38384b5f7ff1d8daf15be450ad3ed8dcff8a4b62669bcc92f12d511eea467bcf18076f16b4386eb6dd31726f9d9d696b4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\OId5mfR0K1tLEld.dat
Filesize
14KB

MD5
24efca8a775b7d18eda78a804f67e0be

SHA1
b99d53c6eaea798daee33b839db42fa92c1c418d

SHA256
df1ca9b4813a9b56268e3be974a605ef1d9305b74c0aaec7b9c6c63b66a7fbe9

SHA512
2a52b9f17158aac11c8edb5ac7466e94e872246333dc5b5da3f4ae5fcbdd50d4d8ab6978f172c7fdb9ad931d6ae9d181d7bd27792bd7c9d49f9b397dd72b762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\OId5mfR0K1tLEld.exe
Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\imopdhgaolkgodpmalkmieojmppjejmo\background.html
Filesize
145B

MD5
8d18ee26bb4e24f585f411be8beb9e0e

SHA1
13a89da8fa2e3e228151b53b23afcd4d074d91e0

SHA256
151f11bb7f9ec840ae1a1dcec5453def9a2abb3cb3765fb1493e766130af1787

SHA512
f1337501e0ccd3c47d774eaf47b3d774ec80f0061b7c39f2604b1046dc0916049163415deffaf70b85e0c78c25ccaa39af5e7974cfadcc20984a0612c54853b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\imopdhgaolkgodpmalkmieojmppjejmo\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\imopdhgaolkgodpmalkmieojmppjejmo\f96HStzI.js
Filesize
6KB

MD5
604af60a652140e881fbb6ea22388e1f

SHA1
294dccee7b30d1bd0249d215bc66b44d9037344d

SHA256
34520af56385ea2444f33bf1c9efb2088f6df4e434ef57478a438939d5570c0d

SHA512
03f7aaf1a0db168cd9d5596136bdb4ff85b6dadcf5e2c9db92f5add9dd858b0e0f56e01fa9071a75cbf9333e4ad9a239dff085fba6a4a248f3323fa13a3b9458

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\imopdhgaolkgodpmalkmieojmppjejmo\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4304.tmp\imopdhgaolkgodpmalkmieojmppjejmo\manifest.json
Filesize
502B

MD5
04e0afed41fc98e7734b4a9fd6dc6635

SHA1
21eb6e750df328a0cc7f4abce133600379ab9258

SHA256
36da367a51408648a15f9bebf106710f0a59f853f655cb276e07ac2174015984

SHA512
40c4b6cf280797c1a2adc0cebe499f8c3f3d2d8d74fc93fbb80dd2cbfe554a4e520324a88c81b227d809faf2feca399f7cceb5a81e8a92c0e634dbee160068c4

Download Submit