Analysis

Max time kernel: 141s
Max time network: 130s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-06-2024 13:45
Behavioral tasks

behavioral1
  Sample: a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe
  Resource: win7-20240508-en

behavioral2
  Sample: a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General

Target: a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe
Size: 227KB
MD5: a5dbaa806f205ed76b1e389ef7934c06
SHA1: deaac3f62970e4a3c3087c21eed44c6899560ea2
SHA256: 16e2e3285781170bd60f881927443d71c0c0cce4f5bfe8b1d7e2ce844ce4c646
SHA512: 8895b86c99882b2e77d55a71b27812d85c3bba720b102a7ae72454c27721951cd6ec2d525d9d636580c7c7b914a42a03c84f97b13df19ec909b043c9d789a54d
SSDEEP: 6144:KifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRV1C:9fk6kDqHw2hmxlrz2HoSRu
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe

Processes:
  resource | yara_rule
  behavioral2/memory/4248-0-0x00000000002A0000-0x000000000033E000-memory.dmp | upx
  behavioral2/memory/4248-181-0x00000000002A0000-0x000000000033E000-memory.dmp | upx
  behavioral2/memory/2700-182-0x00000000002A0000-0x000000000033E000-memory.dmp | upx

Drops file in Program Files directory (4 IoCs)
Processes:
  description | ioc | process
  File created | C:\PROGRA~2\Zona\utils.jar | A5DBAA~1.EXE
  File created | C:\PROGRA~2\Zona\License_ru.rtf | A5DBAA~1.EXE
  File created | C:\PROGRA~2\Zona\License_uk.rtf | A5DBAA~1.EXE
  File created | C:\PROGRA~2\Zona\License_en.rtf | A5DBAA~1.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | process | target process
  PID 4248 wrote to memory of 1592 | 4248 | a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe | cscript.exe
  PID 4248 wrote to memory of 1592 | 4248 | a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe | cscript.exe
  PID 4248 wrote to memory of 1592 | 4248 | a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe | cscript.exe
  PID 4248 wrote to memory of 2700 | 4248 | a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe | A5DBAA~1.EXE
  PID 4248 wrote to memory of 2700 | 4248 | a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe | A5DBAA~1.EXE
  PID 4248 wrote to memory of 2700 | 4248 | a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe | A5DBAA~1.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe (PID 4248)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cscript.exe (PID 1592)
    Command line: cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs

  C:\Users\Admin\AppData\Local\Temp\A5DBAA~1.EXE (PID 2700)
    Command line: "C:\Users\Admin\AppData\Local\Temp\A5DBAA~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
    Signatures: Drops file in Program Files directory

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2100)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=2792 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files and memory dumps (path, size):

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (8KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (9KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (11KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (11KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (11KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (11KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (12KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (4KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (4KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (5KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (5KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (2KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (6KB)
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log (7KB)
C:\Users\Admin\AppData\Local\Temp\hd.vbs (245B)
C:\Users\Admin\AppData\Roaming\Zona\tmp\133627599569060181javaSetup.exe (153B)
memory/2700-182-0x00000000002A0000-0x000000000033E000-memory.dmp (632KB)
memory/4248-0-0x00000000002A0000-0x000000000033E000-memory.dmp (632KB)
memory/4248-181-0x00000000002A0000-0x000000000033E000-memory.dmp (632KB)