788687cfe400f8f01ce8923ac2c269462e2d0d81b93d12fdd2cce845ebb59cb1

Analysis

max time kernel
130s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

658555f77dc44558e3e08a91c1a97323_JaffaCakes118.exe
Size

2.2MB
MD5

658555f77dc44558e3e08a91c1a97323
SHA1

049c6e82f554f70cc811c92379ed0d2c4203a649
SHA256

788687cfe400f8f01ce8923ac2c269462e2d0d81b93d12fdd2cce845ebb59cb1
SHA512

ac16f7d1d9a71633ac84f67e86deea6da19adf617663e60cec4444287bfeb796fff8931cfb8145d4bfc1a1f445f711d269dc2b41ae6fe05cc918e686906e36f9
SSDEEP

24576:h1OYdaOHqU2Uzf5ailCfBJysWS/DBXEZc78KU88SvhrqLzco:h1OsVqBI5ailCf17vXhrq3b

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0gyGB3X03K1Efuu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	0gyGB3X03K1Efuu.exe

Executes dropped EXE 2 IoCs

Processes:

0gyGB3X03K1Efuu.exe0gyGB3X03K1Efuu.exe

pid process

3956 0gyGB3X03K1Efuu.exe
1372 0gyGB3X03K1Efuu.exe
Loads dropped DLL 1 IoCs

Processes:

0gyGB3X03K1Efuu.exe

pid process

1372 0gyGB3X03K1Efuu.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3956	0gyGB3X03K1Efuu.exe
1372	0gyGB3X03K1Efuu.exe

pid	process
1372	0gyGB3X03K1Efuu.exe

Modifies registry class 20 IoCs

Processes:

0gyGB3X03K1Efuu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.aHTML\ = "__aHTML"	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SystemFileAssociations\.aHTML\shell	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	0gyGB3X03K1Efuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WCZSZX.tmp\\0gyGB3X03K1Efuu.exe\" target \".\\\" bits downExt"	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	0gyGB3X03K1Efuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.aHTML\OpenWithProgids\__aHTML	0gyGB3X03K1Efuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\__aHTML\shell	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\__aHTML\shell\Edit\ddeexec	0gyGB3X03K1Efuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\__aHTML\shell\Edit\command\ = "Notepad.exe"	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.aHTML	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.aHTML\OpenWithProgids	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\__aHTML	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\__aHTML\shell\Edit	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\__aHTML\shell\Edit\command	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SystemFileAssociations	0gyGB3X03K1Efuu.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\SystemFileAssociations\.aHTML	0gyGB3X03K1Efuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WCZSZX.tmp\\0gyGB3X03K1Efuu.exe\" target \".\\\" bits downExt"	0gyGB3X03K1Efuu.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0gyGB3X03K1Efuu.exe

pid process

1372 0gyGB3X03K1Efuu.exe
1372 0gyGB3X03K1Efuu.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0gyGB3X03K1Efuu.exe

description pid process

Token: SeDebugPrivilege 1372 0gyGB3X03K1Efuu.exe

pid	process
1372	0gyGB3X03K1Efuu.exe
1372	0gyGB3X03K1Efuu.exe

description	pid	process
Token: SeDebugPrivilege	1372	0gyGB3X03K1Efuu.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

658555f77dc44558e3e08a91c1a97323_JaffaCakes118.exe0gyGB3X03K1Efuu.exe0gyGB3X03K1Efuu.exe

description	pid	process	target process
PID 1100 wrote to memory of 3956	1100	658555f77dc44558e3e08a91c1a97323_JaffaCakes118.exe	0gyGB3X03K1Efuu.exe
PID 1100 wrote to memory of 3956	1100	658555f77dc44558e3e08a91c1a97323_JaffaCakes118.exe	0gyGB3X03K1Efuu.exe
PID 1100 wrote to memory of 3956	1100	658555f77dc44558e3e08a91c1a97323_JaffaCakes118.exe	0gyGB3X03K1Efuu.exe
PID 3956 wrote to memory of 1372	3956	0gyGB3X03K1Efuu.exe	0gyGB3X03K1Efuu.exe
PID 3956 wrote to memory of 1372	3956	0gyGB3X03K1Efuu.exe	0gyGB3X03K1Efuu.exe
PID 3956 wrote to memory of 1372	3956	0gyGB3X03K1Efuu.exe	0gyGB3X03K1Efuu.exe
PID 1372 wrote to memory of 3800	1372	0gyGB3X03K1Efuu.exe	regsvr32.exe
PID 1372 wrote to memory of 3800	1372	0gyGB3X03K1Efuu.exe	regsvr32.exe
PID 1372 wrote to memory of 3800	1372	0gyGB3X03K1Efuu.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\658555f77dc44558e3e08a91c1a97323_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\658555f77dc44558e3e08a91c1a97323_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\0gyGB3X03K1Efuu.exe
.\0gyGB3X03K1Efuu.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\WCZSZX.tmp\0gyGB3X03K1Efuu.exe
"C:\Users\Admin\AppData\Local\Temp\WCZSZX.tmp\0gyGB3X03K1Efuu.exe" target ".\" bits downExt
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /u /s ".\\577q7jAhcdtbwt.x64.dll"
4⤵
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\0gyGB3X03K1Efuu.dat

Filesize
15KB

MD5
7dac81dcf46cc3ccb354c6efcc282b21

SHA1
06a8f8238b03434d2d0a24d6a91a543ef15d7ebe

SHA256
aabb105a7588cb85244b043587d55ef4ce4b4e8bd051f91e5d27412bb78b8eee

SHA512
87430a739ffb4d6e3f642e29ea16f4c55f9efeae380acbcd6e28bc0e7bb65e481f1a407423c0a39573faf7e76b986786e22f6803031b9d30b4083a212fdd8cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\0gyGB3X03K1Efuu.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\577q7jAhcdtbwt.dll

Filesize
863KB

MD5
8c25766a708ccd0a9e91685078a11b7f

SHA1
5cc2f60bc9a18c35073e7f98b03bc22f85cd7527

SHA256
530e80431ee4fb4bce1d9d92cd49344a9e29e19066ef55fb31487f7f0553b8ff

SHA512
53172e01bcaf77a70774ddcf5e690da5f3ea4fab35bbf545d9aeddca0b9049943c834e2603c3db9c5b819bd5b5dfbf910f84ebcad6bc767f6f690e8e503e1037

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\577q7jAhcdtbwt.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\577q7jAhcdtbwt.x64.dll

Filesize
945KB

MD5
d3358a85af4f946041a9b4f851743f3d

SHA1
7d113c62ebd065b6a65c128b6e403f2c4c9dfcc2

SHA256
8de127a90d7a84e12053fa794d27ac01b3d097692f1b9e834cdc83683199c3b3

SHA512
6bd70741592397dbeba278aa6d6959d75f74b390f63111dc1419db29dc4cb6f2889259f57ae381f30248aaf4521701221304b8199244de5ceab7afb0cdbac476

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
a1e6a3c78c1e4bbf48f3251f1330bdb8

SHA1
5e9d5f0b06cae2d5f5186512a820483c63aeeae6

SHA256
5bf06d9858bdd297a4a7e035dc3bf417476b3fa44ba6d57db0776a6733739f37

SHA512
c98c10b594acc88f8da2bd522f316e0851752b827da5b6e4af3fc70c7f9429b26f309d0ec19d9aa633736b9f37dbf5137c5331dd5008a9799e27eda3b3a1580f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
4762890e6d84afdde0a7205a66d21521

SHA1
9629a1cacb43a49a02e9ae25ff191f699c58f573

SHA256
6496e2d78704163edb9000f693afd38bef8558778cd7dc3a3c1d489a606d3e58

SHA512
406d827ac31ce9670518d06c1d2fbf945bf7d780896b7a3e8f2982c06f268bc02d88045994bbe05a5523a5f4be13fe80283e4bb86df87ec65b176a6f6b98c976

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\[email protected]\install.rdf

Filesize
598B

MD5
5768295efea339bf6040f75b70fddf4d

SHA1
90be6f7dea357410e537b28052c6d4c229dd17c2

SHA256
294b05a1899efdbc716aa7338ee6e19abd680f6e059a7ae522fd8f4d7cbf95f2

SHA512
be63f262c0c6240c8a1ec121cbe710a90fe6084c6555d138d4db1861046b710239a69a6d9e17a61039e1196869ec20d6cc6231896ab958c3f51e3dc3a11be35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\mbmipibgmedbfhmkjhimklgmpngpccld\background.html

Filesize
147B

MD5
66fbd7a5f15e5372f78fbb699f657fd0

SHA1
8b6afdbb68cf8c4ede1dea1a08ce68cfa1888dae

SHA256
44d589c83a0db200153dbc54d4b57cc45f8d6ef19c64a3b44a2bf9d5e98de84f

SHA512
2d7f9a2b051cdfca6667011bd656a33a3edbd78d329b4d00087209c50938f7b8502f888defa5df45d0eacfae6190b202ede00e79e5535c60fe14a035c40cc588

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\mbmipibgmedbfhmkjhimklgmpngpccld\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\mbmipibgmedbfhmkjhimklgmpngpccld\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\mbmipibgmedbfhmkjhimklgmpngpccld\manifest.json

Filesize
503B

MD5
222b70e81608410681eccd7badc2b020

SHA1
af6e4883d642e9cf2e4c8ceee9d22c13f36f9491

SHA256
2af2551b7cf4c06fd66e8c71c6ed617800260a362b889bc1d7aa34fdcef7cae9

SHA512
8b13948ec244a4f5b66239c6519548bf4e3403fb6e7be10672c2abac7a502ddf672672ccf3efd84d5808b895d7ac3ec06f8df13d435d3b9dd16b526d97fd7a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C8A.tmp\mbmipibgmedbfhmkjhimklgmpngpccld\yO7y79Dhob.js

Filesize
6KB

MD5
1f33275d87ed4a1176361fcc0dbd175c

SHA1
8f6abb94850ad0d020bc7a4581e50407af4829be

SHA256
8af6cee5c7d87fdf654f71ac4d5a5eb6ad1b04ecdf2d032f2da1549ec171d7fa

SHA512
e3ad14bc2fd070e9d593182533c7722d1c89d835a2eae78c651797a178052ca476b603bc569db757e8c2ef47562bd7cd3b3fa1aa5210f1dd79c1fdf258b59bf5

Download Submit