119822350430472a5a9670550f81bb113d4232dd59c36e8198bfda5323730b1b

Analysis

max time kernel
144s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe
Size

1.9MB
MD5

7c18b2ec501d020bef64c6c2c98a16bd
SHA1

6ebd68da2968af53f30031d50643447a5a61df01
SHA256

119822350430472a5a9670550f81bb113d4232dd59c36e8198bfda5323730b1b
SHA512

10de9af7c73bcba80f3e42c5c93d8f700e1dda6429d2d5b5d3f37479008cd41e3df5fb756477567fe2b383dc9ad612af381baf09763a5a854b95a9d359628c84
SSDEEP

49152:mjLE/lJNMEiv8/ihbImTYIkgJHlVW+FK9JVSrRF:sLk2n8/wbvXkgxlVbFUJVyRF

Score

7^/10

evasion upx

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1332-0-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-82-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-90-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-91-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-92-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-93-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-94-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-95-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-96-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-97-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-98-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-99-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-100-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-101-0x0000000000400000-0x0000000000929000-memory.dmp	upx
behavioral2/memory/1332-102-0x0000000000400000-0x0000000000929000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4876	2992	WerFault.exe	90

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\FalconBetaAccount	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\FalconBetaAccount\remote_access_client_id = "4411670190"	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1332	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe
1332	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1332	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2992	1332	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe	90
PID 1332 wrote to memory of 2992	1332	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe	90
PID 1332 wrote to memory of 2992	1332	7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\HYD4883.tmp.1716879641\HTA\index.hta?utorrent" "C:\Users\Admin\AppData\Local\Temp\7c18b2ec501d020bef64c6c2c98a16bd_JaffaCakes118.exe" /LOG "C:\Users\Admin\AppData\Local\Temp\HYD4883.tmp.1716879641\index.hta.log" /PID "1332" /CID "qGV52DtHXpU-e0Up" /VERSION "111783400" /BUCKET "0" /SSB "3" /COUNTRY "US" /OS "10.0" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",\"C:\Program Files\Google\Chrome\Application\chrome.exe\",C:\Program Files\Internet Explorer\iexplore.exe,\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\"" /ARCHITECTURE "64" /LANG "en" /USERNAME "Admin" /SID "S-1-5-21-4124900551-4068476067-3491212533-1000" /CLIENT "utorrent"
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1436
    3⤵
    - Program crash
    PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2992 -ip 2992
1⤵
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HYD4883.tmp.1716879641\HTA\images\main_utorrent.ico

Filesize
104KB

MD5
44d122c9473107fc36412de81418c84a

SHA1
a0072c789a9cd50ba561683c69af8602927cf4a8

SHA256
7c7279daebd88f6a34246603db9c0ecf9bbfa35ef820edd3278e5bc53f9e7680

SHA512
b4294b80edc0566744dd98a5ab3e2ac64a4ce4851192d5610ee13f12dc24947f51b7d5b5629f7bff6004d74e5a2b728913cda1b3386cf878ab7fb365490d8067

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD4883.tmp.1716879641\HTA\index.hta

Filesize
522B

MD5
76903930c0ade2285f1ab1bf54be660d

SHA1
0fdd5990ca58cf6c49985ffd2075baa09cd728ce

SHA256
61acd6e7405fad348433f8de4b12ed97b42caccbcf28fe0e4ba4b4a5d2ea707e

SHA512
c66c7f9f488a0ac58fc1b7c6560edb4bc6df71a3504c2567ac54f4f89aee40a7073865e67e508baf4e055555bbc2f461d5b558a427ab6ac602b9fe0b1f9f8c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD4883.tmp.1716879641\HTA\install.1716879641.zip

Filesize
761KB

MD5
a65ca84bf2c878f87206ff596142b062

SHA1
8998ef455e40d8d1d0d903369ac832a7afd7fc1e

SHA256
68e37eed2e04830fce9f735d8a2ecebb19a651394f5d590581370ac5d7754d90

SHA512
bb87190b55a2192b0c3dfaecc26b5e144ffc021fe45e70baf48788ea687511cf53b5851d79b95b85841257293271e2eaab3cdc0ff0bea401127d9172e5d75ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD4883.tmp.1716879641\HTA\scripts\common.js

Filesize
354KB

MD5
294704ab62d0810ce15a39d08c8b1bf4

SHA1
9eb74fbb3eb81e6312c94ec4e3e84792e1a0aa68

SHA256
f6332951011366de16da034680ca2eaf06d28171aa094ed42af649823b045bdd

SHA512
a622b8109a5b09961dd18761abeb701b3a2956967a8373e1ea3e4648a5a0d7427f37b7d0f0e3635aad452f43d0754d30ddeeac5def88a554ad655f174d60faff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD4883.tmp.1716879641\HTA\scripts\initialize.js

Filesize
1005B

MD5
2a65c76b51a2c15eebeefa662d511af9

SHA1
3c5f93d39fdd573e43c7a451836d425bc1b07a5d

SHA256
31fc706ae4bd5093aecb6a0b7f9d3b686feb284076b1122aaff978779612dc06

SHA512
85b012dca5bbdbdd929de859ae41ed817c7f1e02eae70aaaf687f9ba381f696fa7751e3f2262d48c14f49c9090f106a6bb9652962d38bb7fab93214a2466e8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD4883.tmp.1716879641\HTA\scripts\install.js

Filesize
6KB

MD5
ade3e833add95bf0f5f1619bf816d893

SHA1
48df3ae9a43c6d8783dab68ec423a9ff8ab25c04

SHA256
bbbf5859eb80eda10d42aee0557256d161768f1db7648f65a12444fc40fb8f1d

SHA512
8ed6005f9801ad5e7108ca698f65f7e31ecd842ca3fc9c1086f9cd247896b2ed59c8d5aaf62ad33e96e67837757814510ce058b5ce1cbdec461453799f9abf26

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD4883.tmp.1716879641\HTA\styles\common.css

Filesize
99KB

MD5
8a94d780401556cceabf35058bbd4b5a

SHA1
19ee91b1629f4ccf0fca1f664405a1eee9dacc5a

SHA256
086a7e44de35a235bc258bf1107e22a7dc27932cb4d7e3ebcd1f368acc000caa

SHA512
b02fdc9b46f6fa8424660f462bb290c60c0635ad5cb9fa1b386a55d85d4368d06ae5611d355f8dc0db76477c2e332b0501e70cbbba77c45aa027e1cac59ca182

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old

Filesize
7KB

MD5
f7dd0f5239c979196099f3dd6245f2eb

SHA1
6c00e5d7f5b3c99375580a11344909f5328abc9e

SHA256
fa13e69429e17278ce6671d65152055706d8205a6d5077a0f9f566dc6a9e98e7

SHA512
a22e8c30da6ba008bdc3a6355109a1c0f42a104554b5c7b497a0ae0bb9abfe914b9f282686d39fa691b1279f101f1ced73b26e330cd856e00210bc07d1fd4c16

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.benc.new

Filesize
170B

MD5
d910df0dec96466e4bafca2389391c17

SHA1
f31411921ffc3c33bca07abead09e990ccfa4601

SHA256
bbe9c3528cbda0f001bc038b81a3ece9c2e776f702057ba99d83caddcdf29354

SHA512
935123912bdb3bd12d49b2535325730ad99110c736bad0e73cfeefb553284864ea72a0e6665757ddab6d8847cc092826cca0e41309e25b2399b1586365986015

Download Submit
memory/1332-91-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-95-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-90-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-0-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-92-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-93-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-94-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-82-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-96-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-97-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-98-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-99-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-100-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-101-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download
memory/1332-102-0x0000000000400000-0x0000000000929000-memory.dmp

Filesize
5.2MB

Download