8df05e255ce1317db4abb9d84c00917f23d3d0ef9ca0bde0cd05e1d7d50efed6

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
Size

2.0MB
MD5

97577a3f1c7b783ada4b7dbbd5d7fedd
SHA1

e1538e10460721c1655c3006f6d8c1918209dd3c
SHA256

8df05e255ce1317db4abb9d84c00917f23d3d0ef9ca0bde0cd05e1d7d50efed6
SHA512

1cb3d2a1728bf5fe1c67a0b0f3543f39a2f45beb041f130e02b535a69c5320600480f64f19b3041ca61c3ab114588c27272cbe8ad7ce72bfc5fbe8d3bc5d4b26
SSDEEP

24576:/IHaacDv8+WnR0C1NGA3u6pcpcTKIQNZLa4W5QJM7asObDSZ1XKuviJzbS9PkYc6:6aNzWRNJypLWeQ5Z1XVJk/Krxnd

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RiamgIro.exe

Executes dropped EXE 3 IoCs

pid	Process
3092	RiamgIro.exe
1796	Fawbud.exe
3612	Fawbud.exe

Loads dropped DLL 14 IoCs

pid	Process
2148	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
2148	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
2148	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
3092	RiamgIro.exe
3092	RiamgIro.exe
3092	RiamgIro.exe
3092	RiamgIro.exe
3092	RiamgIro.exe
3092	RiamgIro.exe
3092	RiamgIro.exe
3092	RiamgIro.exe
3092	RiamgIro.exe
1796	Fawbud.exe
3612	Fawbud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RiamgIro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	RiamgIro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RiamgIro.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2744	ipconfig.exe
2968	ipconfig.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2744	2148	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	81
PID 2148 wrote to memory of 2744	2148	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	81
PID 2148 wrote to memory of 2744	2148	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	81
PID 2148 wrote to memory of 3092	2148	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	83
PID 2148 wrote to memory of 3092	2148	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	83
PID 2148 wrote to memory of 3092	2148	97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe	83
PID 3092 wrote to memory of 1796	3092	RiamgIro.exe	87
PID 3092 wrote to memory of 1796	3092	RiamgIro.exe	87
PID 3092 wrote to memory of 1796	3092	RiamgIro.exe	87
PID 3092 wrote to memory of 2968	3092	RiamgIro.exe	89
PID 3092 wrote to memory of 2968	3092	RiamgIro.exe	89
PID 3092 wrote to memory of 2968	3092	RiamgIro.exe	89

C:\Users\Admin\AppData\Local\Temp\97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97577a3f1c7b783ada4b7dbbd5d7fedd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig.exe /renew
  2⤵
  - Gathers network information
  PID:2744
- C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\RiamgIro.exe
  "C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\RiamgIro.exe" spa="C:\Users\Admin\AppData\Roaming\PiittePol\Fawbud.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Roaming\PiittePol\Fawbud.exe
    "C:\Users\Admin\AppData\Roaming\PiittePol\Fawbud.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1796
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:2968

C:\Users\Admin\AppData\Roaming\PiittePol\Fawbud.exe
"C:\Users\Admin\AppData\Roaming\PiittePol\Fawbud.exe" -cms
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx347F.tmp\GokKae.dll

Filesize
157KB

MD5
4683ef5c8d0635d32de57422d9481faf

SHA1
8e76c9f2df4acd2345fea0f81c7982fa55617eda

SHA256
115e9443280a097a35e343075518c7303810b147c121881ac8255aa40d62ca24

SHA512
30293873fef4ccf6b8924ba3dcb5d48b5a6fb369e8e5feceece86a91a6c5adfe299757d8f7e7c84e435f9735bc0a6e659dced2b7a719a20a437150d9b6182716

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx347F.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx347F.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\RiamgIro.exe

Filesize
116KB

MD5
99fb02b5e8c709549b572ca088ef2afc

SHA1
28dd044a1ffed7d4f3005dc5470f71b631d3de43

SHA256
2f44957b1bcb8a6b46a4a4ab0040e417697e0821cea4d400f84f97ff88a7225a

SHA512
8e0bdbd3f404a05ecd2722db9bdd2d7487997a27d20bcbebfbf426434a0caeecb1ab03ae85aeee9fefa5fdef17163e82e96b31726668aad20731af5e69a925b0

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\RictiFahr.dat

Filesize
1.2MB

MD5
6e37162f339b0febdc7e20764b4c5c10

SHA1
8b519f4414ba36c57bc755c0b174cebcfebfcd2f

SHA256
0bf02692903c47788d5760341819bfe175d174cf7b8443bccadc96d64d89170a

SHA512
b8a98c72437abfb69c1f4816e15a9e9d72cbeec59c4e10e564531e7f0a827342f9cb9d2f7103c4141a86f041af2504695caedee821ae86f57c058d0c6380d153

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\RictiFahr.dat

Filesize
1.2MB

MD5
ffb0ef3bf23f1a30171edc95f1b7b30e

SHA1
a863db9f08ac0ddb04b24ac2b327418fc02c03a1

SHA256
44d2b37b8d0f5631f8cb78d79835024f9e409e2ead05a875705415e78754a1e9

SHA512
e5692ab4de4bd0db0358c52ebcaa7c38e81b8b3ab6defc36f8840e98252a8a1773112f7153e7920b8d9ba1d35be80c16a2a32da462b073e662750e6c4e4d2a7a

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\libnspr4.dll

Filesize
288KB

MD5
74485152d7f2c06fe413f48c7da4ff33

SHA1
a07c30fedc80e5f4c2cc0be5202d64f51b015b44

SHA256
3c019cb209ba4f01015ffbb628d988735d2c5d9805abd7dd4dab441ea82eb688

SHA512
43b3b3bd5d5f3afd845cc79d68e942836f95f708eac96cd84d09b774d8f92f772b2353a273185b6be336603b5b283a486756e95ff26bb1ecd4fe84667cbe6f52

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\libplc4.dll

Filesize
47KB

MD5
08bacf2967fd8ea468c69f6e8d31b914

SHA1
eec97e847be6303013e468979b861ff74d4279ed

SHA256
2f143cac2efdc21b98620338c6f0404dfce812ee5741960ff68671ed0b0f3a9a

SHA512
2550e9481d2604b9c62b97ede184af4a8b2db1333b6707e01bc67b3699f72b0b764a238c86801d4457007e31977a181007f67c300f7c47899d4a771d05c2e97a

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\libplds4.dll

Filesize
45KB

MD5
56c1c79274ef5728b1f50986a5a8f22e

SHA1
32f67170194ce27736e564b5328dbab6c4be33b3

SHA256
8720171993fc29c517a8124b8235c2c5d71b0ae4c236685ba202088326d780de

SHA512
6198edad58ffbb9109c827de704a6d67be44300e7bf11d5af427e568388a9a746ce58e6c09babd65f6cf7dbec9520be6c9d92c7a4724c0892e044c38a9e2ce3a

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\nss3.dll

Filesize
834KB

MD5
9721a913f9a997a62c532d72ed3e7b8d

SHA1
2e1f33ec48938eab775f6775e4de93150b39b46d

SHA256
4515d073983b96bd48d2601fb22646d72aa56aec163cb172e6d06dd55b8a9e80

SHA512
7363b2192a3b0b5f946c14983b197315632907790871dd795b2d995d8cf924d9d3ad7af2c3b465b70f5bb110ba8aaef1412d2cc33bedaeca8c64e2a523678ad7

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\nssutil3.dll

Filesize
132KB

MD5
08b59a1793e8cd6fb085271650f8b5d0

SHA1
3182956535052ab496bc92f59167a7e114752b1e

SHA256
f0c14914986be4dc13a72fbe509db10a4c24c55e545471d1e4dde2c1d4ca03a1

SHA512
e2526879a4904f9e96b5f9422a088bfc4811f5ed3567fd0ad4021c10e6b796df10c61734cf59a2b2b36151fb1451660283284f97d7ff95eb3b78d6340f1cd136

Download Submit
C:\Users\Admin\AppData\Local\Tempfolder\DomriuAdoej\smime3.dll

Filesize
129KB

MD5
88f553be556ae62c59b3a3fbea81987e

SHA1
166abd59cdf04380b939c3d216b514cbe09735f8

SHA256
741bf85f9011be7f57df51a409b9b43b45bed0329d14cedc05d0f84e60c66006

SHA512
d27e0ea06245782960bcffd41f9afbd9a7fe3bbb43f15eddbfa083568b21cc6dd15c86686fb597a0bf05d2bb4e76332eb7f28aba82e6a3695423f1458fb924c4

Download Submit
C:\Users\Admin\AppData\Roaming\PiittePol\Eeiuwyn.din

Filesize
169KB

MD5
d16e855812afaeea28873c9189eda724

SHA1
b9503913c421fb3255cd99c4ca52ddbbc7b3844e

SHA256
b90506d662c47bfee27fd388ab59a1439e77a9b45610348cfba0d74cff7ab7ef

SHA512
a935ed4441c2701413856250132f649f0e8149926025f0d4f614a36c5bd55b2ed1be204e7753bb81643c5050d053f26426bf1d25aa16c5a63b047fdc6cdf9ada

Download Submit
C:\Users\Admin\AppData\Roaming\PiittePol\Eeiuwyn.din

Filesize
169KB

MD5
a7cbb4fa9913693c90bfc15d1d3c5dd4

SHA1
f7fa50fd2e4a180b89a2e2c01ed9fb78f80af94e

SHA256
98be1238fdc651d8f5d72f7bc8c440397bfe3f989fc59bc49c50b10dc2e23d59

SHA512
0facf393c1998a5bd3e891cb06f34b37132927a67af85bad7c384f6af3b2afa93e674b710fa6264d41a6ce844314bafe72426500a5987c9bc0b8e4a82eaa15cb

Download Submit
C:\Users\Admin\AppData\Roaming\PiittePol\Fawbud.exe

Filesize
122KB

MD5
bc85fdd52ab717b7b1c26b08e37d2d8e

SHA1
074655f68be58b8c749e88783a3d23cb047e5259

SHA256
fd46b2b4c99710d160699e4c9655473a6ee0753da09daf6a963db64e0cff1cc2

SHA512
20f4db629f4d0ee887b2e152cf07d49b0f2ed0e3042f4bb5e19b873d174ccabee6cdc8ba0af59b0c6f8fe74216de599babb00805e1d6183b6831e78397408ee8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads