d6da9cd08fda82f36e277fcb9d98e1a0444d1cd3a3a71c6cf262e53213f7c1e1

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84066d47170e1e02642690be0ca6acd4_JaffaCakes118.exe
Size

9.1MB
MD5

84066d47170e1e02642690be0ca6acd4
SHA1

15d3b330c66c6bcf01e5b7574dc71b61ea2ca48f
SHA256

d6da9cd08fda82f36e277fcb9d98e1a0444d1cd3a3a71c6cf262e53213f7c1e1
SHA512

e386515f521cc63dd3561b260703e16cbe793315e9097e0eb23e8256dd40364da38007db1c2149ff4682d7df61c889f2de1c05821351fd8a1e87514ca70a0898
SSDEEP

196608:h0bDi3QWpZJdsYap39xyiSRQ6mUpUWiHoZyEAZ+FcAjoSZF:h0bW3QWDa0iSinUpUWiHowMcWoO

Score

8^/10

execution

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	84066d47170e1e02642690be0ca6acd4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2404	7za.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4884	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4432	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2404	7za.exe
Token: 35	2404	7za.exe
Token: SeSecurityPrivilege	2404	7za.exe
Token: SeSecurityPrivilege	2404	7za.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1720	2232	84066d47170e1e02642690be0ca6acd4_JaffaCakes118.exe	90
PID 2232 wrote to memory of 1720	2232	84066d47170e1e02642690be0ca6acd4_JaffaCakes118.exe	90
PID 2232 wrote to memory of 1720	2232	84066d47170e1e02642690be0ca6acd4_JaffaCakes118.exe	90
PID 2232 wrote to memory of 4828	2232	84066d47170e1e02642690be0ca6acd4_JaffaCakes118.exe	92
PID 2232 wrote to memory of 4828	2232	84066d47170e1e02642690be0ca6acd4_JaffaCakes118.exe	92
PID 2232 wrote to memory of 4828	2232	84066d47170e1e02642690be0ca6acd4_JaffaCakes118.exe	92
PID 4828 wrote to memory of 3864	4828	wscript.exe	99
PID 4828 wrote to memory of 3864	4828	wscript.exe	99
PID 4828 wrote to memory of 3864	4828	wscript.exe	99
PID 4828 wrote to memory of 2404	4828	wscript.exe	120
PID 4828 wrote to memory of 2404	4828	wscript.exe	120
PID 4828 wrote to memory of 2404	4828	wscript.exe	120
PID 4828 wrote to memory of 116	4828	wscript.exe	105
PID 4828 wrote to memory of 116	4828	wscript.exe	105
PID 4828 wrote to memory of 116	4828	wscript.exe	105
PID 4828 wrote to memory of 1248	4828	wscript.exe	108
PID 4828 wrote to memory of 1248	4828	wscript.exe	108
PID 4828 wrote to memory of 1248	4828	wscript.exe	108
PID 4828 wrote to memory of 436	4828	wscript.exe	111
PID 4828 wrote to memory of 436	4828	wscript.exe	111
PID 4828 wrote to memory of 436	4828	wscript.exe	111
PID 4828 wrote to memory of 2444	4828	wscript.exe	113
PID 4828 wrote to memory of 2444	4828	wscript.exe	113
PID 4828 wrote to memory of 2444	4828	wscript.exe	113
PID 2444 wrote to memory of 4432	2444	cmd.exe	115
PID 2444 wrote to memory of 4432	2444	cmd.exe	115
PID 2444 wrote to memory of 4432	2444	cmd.exe	115
PID 4828 wrote to memory of 4884	4828	wscript.exe	116
PID 4828 wrote to memory of 4884	4828	wscript.exe	116
PID 4828 wrote to memory of 4884	4828	wscript.exe	116

C:\Users\Admin\AppData\Local\Temp\84066d47170e1e02642690be0ca6acd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84066d47170e1e02642690be0ca6acd4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo hi
  2⤵
  PID:1720
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" C:\\ProgramData\\sdjbdosxmt.js
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rd /S/Q C:\ProgramData\pozi65
    3⤵
    PID:3864
- - C:\ProgramData\kbnjm\7za.exe
    "C:\ProgramData\kbnjm\7za.exe" e C:\ProgramData\cr95ng.zip -pvkd -y -oC:\ProgramData\pozi65
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move /Y "C:\ProgramData\pozi65" "C:\ProgramData\VkontakteDJ"
    3⤵
    PID:116
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Delete /TN VK_DJ /F
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /S/Q C:\ProgramData\cr95ng.zip
    3⤵
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1
      4⤵
      Runs ping.exe
      PID:4432
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN VKDJ /SC ONLOGON /TR "C:\ProgramData\VkontakteDJ\VKontakteDJ.exe /H" /F /DELAY 0001:00 /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8
1⤵
PID:3416

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VkontakteDJ\VKontakteDJ.exe

Filesize
6.6MB

MD5
8909bd7fe908835145a9a0a749e1d110

SHA1
4b5ccdf348b9417073d0ceb3c33793b34fd3594d

SHA256
87f4f79473aaa8538814f7c5dbeadc938e491d736a3d11cba747cb1fc91dc7b4

SHA512
686dee7ef69c4bb1042c4056ddef3573ef0f1a1dd8af6695b128a4e4964cd2a88f83dcb1029d12b230f07e363603090cf5e113711bef39fe7da9ca456fb1bfd1

Download Submit
C:\ProgramData\VkontakteDJ\uninstall.exe

Filesize
490KB

MD5
e127107063431e8186811bac98ad0b6e

SHA1
27a508f87621792f102ed1d97e7689801132c13f

SHA256
c04672f2cdcba81fb8a6d9a0e47b3f28605e3b020c8dc37657f932c7d981dad9

SHA512
c88edce031d5d73a4f443dc31e2d204f650f876ad2fa517d3e47581fa48cdc93afbb4941bdc6f0b44060d209d59406bd855feadf0b18de30f27c3d61580b0661

Download Submit
C:\ProgramData\cr95ng.zip

Filesize
4.4MB

MD5
a8d9303da2f0e4fda184aa53971ced81

SHA1
4c324e086b8a18e7d8ff18097acfaaa8522fedc7

SHA256
049e37f3d4ac9980a21a3b0833bc5a30183255df0cff0162a22b4206f959b707

SHA512
52627edd2ca46a4edf9231e001ce09d07ff9bba698da93a9c80de4be186bd479b036763cc59992a40f23467901993b6f4804a7231d730b4e007f2ca14bb937c5

Download Submit
C:\ProgramData\kbnjm\7za.exe

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\ProgramData\sdjbdosxmt.js

Filesize
4KB

MD5
32ebed61c8f61c18b2383cb9511588a6

SHA1
1ea5052c738780000cbf9f6409069c289573f4ab

SHA256
a861e6d41cb838f1d90503b1d7858b26c81f43ef8beb5584a23345505dc82862

SHA512
050018c531aefaf66b937011d10519d9b7176e66d03f15f1d053be36b8560f18be01fb0a307452c592c193cfb6e81cbea90707007cd32522f9d39a0c07f64c3d

Download Submit
memory/2232-0-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/2232-31-0x0000000000400000-0x0000000000D31000-memory.dmp

Filesize
9.2MB

Download
memory/2232-33-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads