760f9f36837219ddb7ab1dfafb38a2a02e3fd8fdd3826bb751f7fdf66ce736a9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a84d4bf49e5e3c68c59ed1a732a7c485_JaffaCakes118.exe
Size

474KB
MD5

a84d4bf49e5e3c68c59ed1a732a7c485
SHA1

11e8b633888392f03e26c734ae5088530ae8461b
SHA256

760f9f36837219ddb7ab1dfafb38a2a02e3fd8fdd3826bb751f7fdf66ce736a9
SHA512

fd904a9ba435ba602da0b151b21385c02fe1736ed6a101d4407e43a264a6fc532426406fbccb632138f44894e76234d8902650f466c36296a2ac56aa48fa103a
SSDEEP

12288:41wOZJPedKhZPMtTVQkVX7fo+VpsZDoGLIUsmm3WmcRpG:WwExRhI+F+D6DF14Wmq

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	a84d4bf49e5e3c68c59ed1a732a7c485_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
892	CCProxy.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1084-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1084-62-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe
892	CCProxy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
892	CCProxy.exe
892	CCProxy.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 892	1084	a84d4bf49e5e3c68c59ed1a732a7c485_JaffaCakes118.exe	84
PID 1084 wrote to memory of 892	1084	a84d4bf49e5e3c68c59ed1a732a7c485_JaffaCakes118.exe	84
PID 1084 wrote to memory of 892	1084	a84d4bf49e5e3c68c59ed1a732a7c485_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\a84d4bf49e5e3c68c59ed1a732a7c485_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a84d4bf49e5e3c68c59ed1a732a7c485_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\CCProxy.exe
  "C:\Users\Admin\AppData\Local\Temp\CCProxy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AccInfo.ini

Filesize
87B

MD5
64090f24b2656d11cbf22be15e73617f

SHA1
de97841ef7243601891ebb61ce87cf62d00e8fc2

SHA256
3edaff48000cf2e2578c18d024e8424d8e16012ba7b7a9aa1565f7fbcdd6e275

SHA512
282a43518e3272ce533a6853475c58e54f7f2e1309dc27e728213334834878e2a42a12f48683cd5b7df5f63b1ef783c26f33a03b53eb5315fd58ec748a96bf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCProxy.exe

Filesize
688KB

MD5
1d7cb80dec732f2c7c36eb5a6deee464

SHA1
da09b67453e32064d9e99fa33dcf029a01aee6cd

SHA256
2b573e25af1ba0326896e3ee140169484beb4a2ebda4a6445a99783e5e666acd

SHA512
1d27a2fee9e7f8236f879bdaa3038250fb9633f0f80c0f2cf51dbe0101351fd50a26d836b19f79e422f77e106eb340deacb82eb19d4b8011c5b410d58bdda82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCProxy.ini

Filesize
2KB

MD5
7373c485a332806e5e9caefb5dc8976c

SHA1
efcb76b239dbe6d27d003e553fab58250e36fd48

SHA256
bec037b96417144cb43b7dedc0462bf482374cd5fa16c749eb3b4323a4acc3a0

SHA512
f8fce4a1d4f1ff9f2f9d3e916dbf413643efcc647abd61312828ad64c1cd2aa268f74dbe12c496e40db71f35706f102ebb563539651064df3377f0a70e2f2cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Language\English.ini

Filesize
5KB

MD5
33ba401cd6af62d0e2b7f949f01eb374

SHA1
8f33c0f502865bbaa4eecf595d06e170d94a00a4

SHA256
6fd7f3a093d8bd327a99f98e5720bd5fd4bb2ebd5fcf3ba851b8170f2d5c90fb

SHA512
1e971bf39a3b8511161e1aa22704eed06c5c2548873ef60449685319bb253ae83d5f5e381d8ee3f7e1072f1fc6eb07445a895e3770d79d474e76cd49855346ea

Download Submit
memory/1084-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1084-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download