be60875d7ccca79d102ab0dd19ff7a42005a8bf302c3407b3178d41c46aaf9d9

Analysis

max time kernel
136s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65843d5fd1e2e6f54f69f51cb61db26f_JaffaCakes118.exe
Size

2.2MB
MD5

65843d5fd1e2e6f54f69f51cb61db26f
SHA1

805925de7abb48aff90232598a54791563504950
SHA256

be60875d7ccca79d102ab0dd19ff7a42005a8bf302c3407b3178d41c46aaf9d9
SHA512

1ca37d996f2d75be6a5d94dea5c3cc8f96ce63ce3100038bda7f1992db190db82d1f34fdb95d39c763c524d2b7480ae6fb0cd8081dc99cefb46efe8ac649a786
SSDEEP

24576:h1OYdaO3qU2Uzf5vilCfBJyfQWSKDBXEZc78KU88SjhrHzcb:h1OshqBI5vilCfgs0vLhrTW

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pbjRnP68cDzAgI2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	pbjRnP68cDzAgI2.exe

Executes dropped EXE 2 IoCs

Processes:

pbjRnP68cDzAgI2.exepbjRnP68cDzAgI2.exe

pid process

2160 pbjRnP68cDzAgI2.exe
1676 pbjRnP68cDzAgI2.exe
Loads dropped DLL 1 IoCs

Processes:

pbjRnP68cDzAgI2.exe

pid process

1676 pbjRnP68cDzAgI2.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2160	pbjRnP68cDzAgI2.exe
1676	pbjRnP68cDzAgI2.exe

pid	process
1676	pbjRnP68cDzAgI2.exe

Modifies registry class 20 IoCs

Processes:

pbjRnP68cDzAgI2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell\Edit\command	pbjRnP68cDzAgI2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MWWNIL.tmp\\pbjRnP68cDzAgI2.exe\" target \".\\\" bits downExt"	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.aHTML\OpenWithProgids	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit	pbjRnP68cDzAgI2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell\Edit	pbjRnP68cDzAgI2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MWWNIL.tmp\\pbjRnP68cDzAgI2.exe\" target \".\\\" bits downExt"	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	pbjRnP68cDzAgI2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell\Edit\command\ = "Notepad.exe"	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.aHTML	pbjRnP68cDzAgI2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.aHTML\ = "__aHTML"	pbjRnP68cDzAgI2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.aHTML\OpenWithProgids\__aHTML	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML	pbjRnP68cDzAgI2.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\__aHTML\shell\Edit\ddeexec	pbjRnP68cDzAgI2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pbjRnP68cDzAgI2.exe

pid process

1676 pbjRnP68cDzAgI2.exe
1676 pbjRnP68cDzAgI2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

pbjRnP68cDzAgI2.exe

description pid process

Token: SeDebugPrivilege 1676 pbjRnP68cDzAgI2.exe

pid	process
1676	pbjRnP68cDzAgI2.exe
1676	pbjRnP68cDzAgI2.exe

description	pid	process
Token: SeDebugPrivilege	1676	pbjRnP68cDzAgI2.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

65843d5fd1e2e6f54f69f51cb61db26f_JaffaCakes118.exepbjRnP68cDzAgI2.exepbjRnP68cDzAgI2.exe

description	pid	process	target process
PID 4616 wrote to memory of 2160	4616	65843d5fd1e2e6f54f69f51cb61db26f_JaffaCakes118.exe	pbjRnP68cDzAgI2.exe
PID 4616 wrote to memory of 2160	4616	65843d5fd1e2e6f54f69f51cb61db26f_JaffaCakes118.exe	pbjRnP68cDzAgI2.exe
PID 4616 wrote to memory of 2160	4616	65843d5fd1e2e6f54f69f51cb61db26f_JaffaCakes118.exe	pbjRnP68cDzAgI2.exe
PID 2160 wrote to memory of 1676	2160	pbjRnP68cDzAgI2.exe	pbjRnP68cDzAgI2.exe
PID 2160 wrote to memory of 1676	2160	pbjRnP68cDzAgI2.exe	pbjRnP68cDzAgI2.exe
PID 2160 wrote to memory of 1676	2160	pbjRnP68cDzAgI2.exe	pbjRnP68cDzAgI2.exe
PID 1676 wrote to memory of 1984	1676	pbjRnP68cDzAgI2.exe	regsvr32.exe
PID 1676 wrote to memory of 1984	1676	pbjRnP68cDzAgI2.exe	regsvr32.exe
PID 1676 wrote to memory of 1984	1676	pbjRnP68cDzAgI2.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\65843d5fd1e2e6f54f69f51cb61db26f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65843d5fd1e2e6f54f69f51cb61db26f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\pbjRnP68cDzAgI2.exe
.\pbjRnP68cDzAgI2.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\MWWNIL.tmp\pbjRnP68cDzAgI2.exe
"C:\Users\Admin\AppData\Local\Temp\MWWNIL.tmp\pbjRnP68cDzAgI2.exe" target ".\" bits downExt
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s ".\\gIPsQRHRtW0OAt.x64.dll"
4⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
7ee02ba09e5db37e1f53fa0a4234639c

SHA1
93d4e3bff07b88d51ba96192e0ca98c551363f90

SHA256
de1b6d5567d02177ad90b8e45e07e1b0b0983e80e765373dd79d2437691afdbe

SHA512
589cdb51c63aa79540407c5719ad60fb8e09d3b5d1ac4fb8d0197dff866bfef66cd51e05b16fa92fd132b0d313e47ec394bbb36d397f6f197e54c06cacddbbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
0fe9ef88382832d36c99a711510bc352

SHA1
f3f5cd34bcd01811e87b230b782d9fde6ac1113c

SHA256
e92775cfddb301c6831aef36c9dd8409b7cc71688ec73db1739aaacef6f57f7c

SHA512
b1fa5b7515df06a889f1fbb45169ef97ed91eb651185b68c15c18993376f8918734db45999cc959f428a3ff62f4c591a35cd0710ff9cf275a2f505ac056ea8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\[email protected]\install.rdf

Filesize
595B

MD5
ecd0883e2eb8492ee1e75c94abe7bda0

SHA1
eaf2da254e0f0fd80b9a02e6ebbedf8b3ea937cf

SHA256
554309a243366b92a70b9f959c856a80c8a71a612a29296d3d430a9737ad40cd

SHA512
358cd1a3965440b547745f379aa7f785f17d0f011527b3404b2092df6afecc93c2ef819587482b4d6431a08a971fc75e2e5a581f5b9c3818a8c768f18af34294

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\gIPsQRHRtW0OAt.dll

Filesize
863KB

MD5
ec66f42563931f0821b06ce99411ecdb

SHA1
ed203aff5885ace6e23f564a8419744947c32e7f

SHA256
914cb0b163aca04952bd858e2ea2be6f171e36ae8e887cae00e95c8bdb7a0c56

SHA512
268aba31fd18f90ce7ea50baa29d9c67d904a48612d3a7270caf900748fa1f0f898a544d48f5f15d2943ff1bf339eb37a5168449d73d31b045845dbf27d64b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\gIPsQRHRtW0OAt.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\gIPsQRHRtW0OAt.x64.dll

Filesize
945KB

MD5
4a74c29b3e274ed8f979dd048ceb249c

SHA1
76e7bc5c1042192dcdaaf0e656d147324aafea57

SHA256
814a9fc0cc1bba8f8c7835104e18d9f630f814c8cc424f4eeb1c24ac6ac0b32f

SHA512
198d2d0d071e43f98120250c162b9c273f7132c0612946ce8a9b8e3d81ee76dccc689a98d6fd928015bbb048ae9932670e1db679da726ed9574981e7f1604c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\hnopafocjfhecgnnaaocaafmabaahjjp\background.html

Filesize
138B

MD5
d99a69e7af5e44c1cf1fffe0d67d3f2a

SHA1
8d6cf935f6456af0de1646eae987f11d9c5d3cf2

SHA256
cb915bedd6a24cb3a26f17d3c9502a700f0c2ee95b122119d66b6f2c0558be85

SHA512
f242215d3090d5ab087638a523f660a086d8d7a5c98561cfb5059b1162cfdca4f54804a01832bd09d0ef0eea831b4841f787097e5a1d191ceda5ce0870e79846

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\hnopafocjfhecgnnaaocaafmabaahjjp\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\hnopafocjfhecgnnaaocaafmabaahjjp\g.js

Filesize
6KB

MD5
556a05afc032ab7d08ed761f2ddad6f6

SHA1
d64d18f89ecd132519f844cfc25fce7e6a458002

SHA256
c00188d58519926c085927c30462628b5cba653dc9188d9cc1bad7bd4fc2f7bd

SHA512
18d7813827cef8986ce85450cddf9e788f1c08e2cd46e4cbb1f8641f0059b7da9c9c55582cb4611e2685aac5fdf76f0d347ff211230ec45be4c8d534abc376c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\hnopafocjfhecgnnaaocaafmabaahjjp\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\hnopafocjfhecgnnaaocaafmabaahjjp\manifest.json

Filesize
502B

MD5
de7f917d830b9d8005f8b94af78b7b65

SHA1
ea483effc0c9d50a00e42aa6f5dd57a7166cb07b

SHA256
fe261ffcdb6b61529ee91b866ba347308f0d4a7d887c982a1ef4a0dfbd1914a7

SHA512
7cd4efa91b42a8054220f536b21c65cae8545dc73835f752faac15cb8928193cfef0abf8eac72dccbe01a7574505d09d74785a0f3fdaaab42b7f8047525dd327

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\pbjRnP68cDzAgI2.dat

Filesize
14KB

MD5
1f910e407c808fa487d9ef17d3e1f42c

SHA1
869a1c531c2dff4a4a9e82255c7699c4040bbdce

SHA256
1a6cd290907386613c6cca14244808959592fb16ebb96513968ba42295a04e16

SHA512
1a76435f1e5f7f8911a680db111c2af729df9bc50e9a1ec1ebf6f361202e333734cf181126c45823eac6cf5692ffc42c134c9ce2212959049cd2e853e667c808

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\pbjRnP68cDzAgI2.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit