Analysis
max time kernel: 141s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 10/06/2024, 21:59
Behavioral task behavioral1
Sample: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe
Resource: win7-20240215-en
Behavioral task behavioral2
Sample: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe
Resource: win10v2004-20240426-en
General
Target: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe
Size: 227KB
MD5: 9c12a3fde88521c3465f88661593440f
SHA1: 9b00ff3454e8689313af43210287c94be609dc33
SHA256: 220c33050c7451f14e9ab1de25aa8087109c40b4703fdad852e25c15e63a278d
SHA512: f56f610b9e9a982fa7c2aa0e6ff6ee14a240195043f695a4551a8283e17d35a917c9b226343dbf363609ab3581f718f16600ee4a9b4704eef617d3529cd51da9
SSDEEP: 6144:1d/oKyhlMI4s9hs9gqt8sHE8Ywe3Mox+pqoSSV9i:1Jhlsnstn+LroSSO
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe)

resource / yara_rule:
behavioral2/memory/4524-0-0x00000000001C0000-0x000000000025E000-memory.dmp: upx
behavioral2/memory/4524-95-0x00000000001C0000-0x000000000025E000-memory.dmp: upx
behavioral2/memory/1996-103-0x00000000001C0000-0x000000000025E000-memory.dmp: upx

Drops file in Program Files directory (4 IoCs)
description / ioc / Process:
File created: C:\PROGRA~2\Zona\utils.jar (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe)
File created: C:\PROGRA~2\Zona\License_ru.rtf (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe)
File created: C:\PROGRA~2\Zona\License_uk.rtf (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe)
File created: C:\PROGRA~2\Zona\License_en.rtf (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target:
PID 4524 wrote to memory of 1988 (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe, procid_target: 81)
PID 4524 wrote to memory of 1988 (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe, procid_target: 81)
PID 4524 wrote to memory of 1988 (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe, procid_target: 81)
PID 4524 wrote to memory of 1996 (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe, procid_target: 84)
PID 4524 wrote to memory of 1996 (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe, procid_target: 84)
PID 4524 wrote to memory of 1996 (process: 9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe, procid_target: 84)
Processes
C:\Users\Admin\AppData\Local\Temp\9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe"
  PID: 4524
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  child processes:
    C:\Windows\SysWOW64\cscript.exe
      command line: cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
      PID: 1988
    C:\Users\Admin\AppData\Local\Temp\9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\9c12a3fde88521c3465f88661593440f_JaffaCakes118.exe" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
      PID: 1996
      signatures: Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads