11636050f382b2dd219fe2344ae9b076230f72fb8b7e4ad03fbdfceccc9ea097

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2577c5b626ed98ef8e5a6d8a2b5d252_JaffaCakes118.exe
Size

227KB
MD5

a2577c5b626ed98ef8e5a6d8a2b5d252
SHA1

a95bfd7e36e051af054f168eefd7b6c8457aedef
SHA256

11636050f382b2dd219fe2344ae9b076230f72fb8b7e4ad03fbdfceccc9ea097
SHA512

665962f3bb22cd0bc8251be7a89169904b821c8cf2690deed0bbc45decd6215b3cc0cc0c93f43afb7adf9f44de059bb43e9e639c32185d7f3171a603ca1f8267
SSDEEP

6144:5ifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVyd:0fk6kDqHw2hmxlrz2HoSR0

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	a2577c5b626ed98ef8e5a6d8a2b5d252_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1668-0-0x0000000000AD0000-0x0000000000B6E000-memory.dmp	upx
behavioral2/memory/1064-41-0x0000000000AD0000-0x0000000000B6E000-memory.dmp	upx
behavioral2/memory/1668-89-0x0000000000AD0000-0x0000000000B6E000-memory.dmp	upx
behavioral2/memory/1064-92-0x0000000000AD0000-0x0000000000B6E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\utils.jar	A2577C~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	A2577C~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	A2577C~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	A2577C~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 4148	1668	a2577c5b626ed98ef8e5a6d8a2b5d252_JaffaCakes118.exe	82
PID 1668 wrote to memory of 4148	1668	a2577c5b626ed98ef8e5a6d8a2b5d252_JaffaCakes118.exe	82
PID 1668 wrote to memory of 4148	1668	a2577c5b626ed98ef8e5a6d8a2b5d252_JaffaCakes118.exe	82
PID 1668 wrote to memory of 1064	1668	a2577c5b626ed98ef8e5a6d8a2b5d252_JaffaCakes118.exe	86
PID 1668 wrote to memory of 1064	1668	a2577c5b626ed98ef8e5a6d8a2b5d252_JaffaCakes118.exe	86
PID 1668 wrote to memory of 1064	1668	a2577c5b626ed98ef8e5a6d8a2b5d252_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\a2577c5b626ed98ef8e5a6d8a2b5d252_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2577c5b626ed98ef8e5a6d8a2b5d252_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:4148
- C:\Users\Admin\AppData\Local\Temp\A2577C~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\A2577C~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
fb84b1404b29ffd8bce308a4b735f421

SHA1
e945bc78aff9dbbd30dbc270bbb192c9ebd75f52

SHA256
9b5f5dee1662f35edc3230e6afc3e20f9e542f9f2fe528e4fb83c5414b5bdc35

SHA512
b456baceb134fb50c96abb724b4caaa5680029dad1d9b4b3b81dbe3be6e5dfa38b1a7d9e847a248c84cdea2abbaaa7be380fa98ca4e88e17be7c1950d9c6ebb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
4ff6e273d823231ffbf0a07d176acc35

SHA1
c29d0a6691d244b2a5891d8f7607cc3e37c07712

SHA256
7d3aff7e21cde897d14ba11afe307339cef8fcc441a51a48da86cfaff1acc778

SHA512
7ddf9a464ece0ee2c90a34c3e61253fb07badadae2ca1fc4bb24a0928fb6d112374ca9ca58f97cfa41a768f99f84090aed40e6bee410959827bfefcaf9df6a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
acbdde58b1311d08a318403ec6b7a37d

SHA1
e87161610a4f3ab4aafe2ae8a80657cae84e7ad8

SHA256
9803fdd9007fc9e45248f47b43fc4dc44afd53f8931d11103081993f9efd1a78

SHA512
073113d2a5b08b1021a1c7ee02f171c629e200f3c9e0cab3a93f3da16e23d222aea2b031f7c46335b5547ad9f00f8dfae21936f3b7875f2324f6eb6bdb44ba3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
0cc741bb87ef4ee9379b8c3143763c02

SHA1
275928852f0f15844de7f60b2175ec07181a1e3b

SHA256
3a5a9c0638f64d5c6ca490e36df41326470bd9bd3b4582ad9dcea6771f825d0e

SHA512
4839c75f96ef29c3ff290e7603340a6c5c156261864d5a4790026371274fefa1a9175c7f9e89a05c0e66cfa13a0ce904e076d224b6bb99aa7977c83eaf909d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
8ccd5f936c478d820645c4d6e6642c4c

SHA1
581b46d73ea2724e3096136626548fdc39137e0d

SHA256
91b130fd575ae22c48532f9abd07ed8484e19b38f9d6f033939d498cde0d7f76

SHA512
fda012e545a8c6836a3abce149cf56335db7ca75fc447aa07ffe151c9e4c3973e9734d66667465c84da708819baef0318a08e1618bb16d2fb45e7cb47aabca38

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
c11d61d6f0cf3118bbf7765794d53cfc

SHA1
6d0484ce6d4b5f5ded9712341bfea6e9d80a9eb9

SHA256
adb56ec4dc496cca7658ad5ec74b2a8513717e3ad3eeaa81ce89ee8133d36b4d

SHA512
534e7d3a2a0ef6e08e94413723fc4b0dbbad79cdb01e72327852707b26757f0d3b66cd2e62871ad8c78f0587d0a8196aecc749e7f5a59fea82b49886d912af82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
8e6369d358e6e0b38b991196b9047431

SHA1
cd13bf927d13195c7eab3b132314ed1e71a2376b

SHA256
84260d918f2e5881388ebe248b85bdcd29932bc4273a9733438be01ba01df234

SHA512
05a767b48130ff255396c9fc454d7ff090002d7999f8440a5aae2e6a0e9053942298319c8e8fa7665333c8c5029c3c2542fd3b40b4f4945fa807658c20711800

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
14KB

MD5
4949e4fbaea44807bf53dfbe4ae07ac7

SHA1
6187fd3589ad9c18126d6c6d0a56d5a00bd44055

SHA256
d2685906a62e9752313fd3e9c3cd0e81043faa1204332b2bed61d8f485a94aee

SHA512
6b9b0a294e30d39d899c7535fd6b56f7d803e095c5bb3ab4b132e48619b65676f3b5e442ec7053bb05d2c05ad01dc5daaf5165b2626b3563d3ae4c35283455c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
16KB

MD5
a603339a7e6cb49f2271249534217521

SHA1
2dd4d7d5f171028beb2ecbb594dffeb6a50c3d1e

SHA256
f74329784c9a906296a6b8ba79b95486bba0ea02d6ba23bea2550560250aeff2

SHA512
10459888706b7ca1d749eef7160e569cc1f2b74031f63e90a0d1212e70715cf630415eafd78fa387be614e1443b7c7b3874e8cdca6ec47797275ce83204f9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
99b3784608155d09ac88f3b6a1ce15e6

SHA1
dbf369656453d4a22fdc9b5c398e6abc1a63d734

SHA256
65abd2bdca952914faaf8d171a2015d62bff2caa60a4503790e813bd6590fa91

SHA512
bc31611ce11841cf3a9e2cfcc04ef2433fd10dfe2e4e5dfe655f9a65d898be8840dd1c3c3e74d37616334884302b743f2b3eee04baf5afbca981a520b504d4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
3cc49844fb226a2db8fbbf4357decd5e

SHA1
ed832fe1f098f19047889bebaf9f323836600d92

SHA256
e03d0887e22b08270df1fa3c0a7169b4dd54a07416942950e48c1db8bac7c632

SHA512
a2b0483acef61439d930351d470ac317505896d832cebfdccb655883aa4e8025560f914f9bd9b672585aaee153316496879cbfae73f14c0259fc077e6f4d5c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
30b6be912ca8cd74026767b517080c1e

SHA1
a0c1b256a923c7e6aaf1da4e43b6d4ee9c7cd227

SHA256
f786a8106b3fc0ecc4a00d65c43ab9ab146f776d6b78b2c99e50f309c1838ecd

SHA512
95732a4cd47958e783da2ce00340f37928185ef2346fc7a966e8df6ff2c94fc4f485282c6f42144108dfd8eabb98a83784e56a3a59cd25d41f0f383dec4b0094

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
f74e28e851afd86fe8978336988f27db

SHA1
b696abee145fea4b3c0f1cda42e58faa6224eb04

SHA256
d507fdcc0ee50989ca3bd170082e5d10daf7dd1fc70a9447905b8fe778b3b4bf

SHA512
2f500c7d1b181578ea8f81bcedf260fab0b006b9a1834dd4671d5a3e1d982226f3e62c0397599b9db0e950c1b4b277e79031001245844bb76c0aa2c2b9915ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
616B

MD5
b655da15a61249f9cbaaa18dd5501de9

SHA1
4dcbce3236bc79e65cb584c89a223257c0e871b7

SHA256
70676662b27710932c8794d83e69d69bcb1125d4d4bec198fbc06f0a0898b2b6

SHA512
b491fab1d2a28e789c95b1bb3b79a81605bacc0568cb2b9bb1360026cde203cbd748c19ca24545748dd48045e629bd0ce3926a36fd28871bcee588a3fa73a253

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
memory/1064-92-0x0000000000AD0000-0x0000000000B6E000-memory.dmp

Filesize
632KB

Download
memory/1064-41-0x0000000000AD0000-0x0000000000B6E000-memory.dmp

Filesize
632KB

Download
memory/1668-89-0x0000000000AD0000-0x0000000000B6E000-memory.dmp

Filesize
632KB

Download
memory/1668-0-0x0000000000AD0000-0x0000000000B6E000-memory.dmp

Filesize
632KB

Download