049dfd2d3965acf29bb4ab5e2e9c0f29fd4299eaefc1ba7889aee70b55d1d6a2

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a96a1b8fcaeb8b3b8e58000b7b4bb713_JaffaCakes118.exe
Size

227KB
MD5

a96a1b8fcaeb8b3b8e58000b7b4bb713
SHA1

e8ee9baebc91b984e700ecd6a15bd8aabb1be7eb
SHA256

049dfd2d3965acf29bb4ab5e2e9c0f29fd4299eaefc1ba7889aee70b55d1d6a2
SHA512

f7f3611902ef044886d1364ebb8f1d9995ab3cf0f306b9b8c3c873871f228f86c9002df21df9a6b03fc3c83cbb38a88541f75429bd3e2150e0fa7340be767164
SSDEEP

6144:aifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVoT:tfk6kDqHw2hmxlrz2HoSRk

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	a96a1b8fcaeb8b3b8e58000b7b4bb713_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4536-0-0x0000000000670000-0x000000000070E000-memory.dmp	upx
behavioral2/memory/2244-41-0x0000000000670000-0x000000000070E000-memory.dmp	upx
behavioral2/memory/4536-89-0x0000000000670000-0x000000000070E000-memory.dmp	upx
behavioral2/memory/2244-92-0x0000000000670000-0x000000000070E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_uk.rtf	A96A1B~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	A96A1B~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	A96A1B~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	A96A1B~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 2964	4536	a96a1b8fcaeb8b3b8e58000b7b4bb713_JaffaCakes118.exe	81
PID 4536 wrote to memory of 2964	4536	a96a1b8fcaeb8b3b8e58000b7b4bb713_JaffaCakes118.exe	81
PID 4536 wrote to memory of 2964	4536	a96a1b8fcaeb8b3b8e58000b7b4bb713_JaffaCakes118.exe	81
PID 4536 wrote to memory of 2244	4536	a96a1b8fcaeb8b3b8e58000b7b4bb713_JaffaCakes118.exe	84
PID 4536 wrote to memory of 2244	4536	a96a1b8fcaeb8b3b8e58000b7b4bb713_JaffaCakes118.exe	84
PID 4536 wrote to memory of 2244	4536	a96a1b8fcaeb8b3b8e58000b7b4bb713_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\a96a1b8fcaeb8b3b8e58000b7b4bb713_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a96a1b8fcaeb8b3b8e58000b7b4bb713_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\A96A1B~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\A96A1B~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
4959fec98b0f5131bd29033a51076564

SHA1
b54f063971cce456fbe3f195376209820e207572

SHA256
90a76858fe38237dd55cd3dffc26882aaee2d88216b124c7573a0f3306ecd78a

SHA512
68672cac65d3300db9561beea54d3c1d32fa3e44b9d927bb4bc9997411f4329d329a9f3f6108a522e97beaf7d8fefcb50237a67b8842ca09e25ef8046c23372e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
3e0405b7d49fe425b1a7f60b0de0f42f

SHA1
2c7682f439f1aa3ed52f35cf5ba5b56d1ff91b4b

SHA256
34c1e13a555dbde1d89169a3e285cd32ced9eb211b3d54adc8bfe70f16eb4173

SHA512
aedbad0d7b39d766408aff97d6afb0ed8d12f7e59a4cd9067feb548d1a2ea71e6bbff31926b20dc9c642592f726867e93face56e62c47cfa0761f6049c2e38d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
87ac97aa467a8d8413ecca881834fd54

SHA1
c6ca309cf977634ca438655181154f605751fb92

SHA256
f6f7dc69a960c0a58919cb9d4343098c9a499c9aa911f932fdf33f9f5279ae05

SHA512
aa6254768b936576be573db8776d7adfe397b4ee297afe51e1e6833b60b53bddefa1e6d5483f366ee407a8e81f1a0aae29d3ef9ec1821a3c96655c793b7901dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
4e0a0d89c0b57cd90a5ed97f79eb433e

SHA1
2f72c5e3496adeede5b33ee65404d7acf59cda13

SHA256
6cbe064fb04ce135930f21595f332e0a5be45417be9af1bcd0bd915dd77f80d6

SHA512
959af4d8eabbfda45888480e77f37d3ff470fc667b894c786bb8477cc13dece3383fb186eb903d9e039f0ae764fe6bb2a06e26b07bd6f8b5fe0ba7eb6122bad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
1391eab514072b2630fd833144dd7e08

SHA1
ca5e7b36ff5cada52d26e9a2d76aba18987b40fa

SHA256
d65d0dea13e59633b4cacd15de317088b4258dfd8b2922a36fc6d2f64cf6ba62

SHA512
27edf52a0f177ea8cc22ef09d98dc8c15a4838e2fb4991d14e3152a826fed9ecb3d3eb982108247628127f2a17d0587a1c82b486f7147738fb5e1ad227ee6b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
63aa7fc00fc47b25089affaeb1af98ea

SHA1
a1fdb49eead26786e4f69e80431d94e4da0514f3

SHA256
edd50b87dd6abbaf905cd3f0dd57ed43c5f7b821b7e3ecec7c5af3cdfb7d8284

SHA512
82b76b3de567fa2960179caa7efd8a1c3acdea218d44e82ada58f0002a04b610117e10eeba3ad1121af9c00300dc3d551cbdba5f57c89ce6f3fd9181502768b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
06e0bdd395a71ae1276bf93ef6b593c5

SHA1
6c40cceca74188f9161329e1bf63e1732d60c854

SHA256
87f0c2b8e4069f87ef4477aebf434fa6e264e65b772af19e47d7b443fd42ee2e

SHA512
e14695815f4f9574dee08083c8a823f4e5f65cf70521ad5767156604c8fd8ba275e638d6c303d9a034a2994c7911a722c266b6fc73f6dcb5b6dc4e7ef1a41caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
16KB

MD5
a331697665c954f93b4c09b7ff252352

SHA1
1c4fdfbfaded18f8e18f581c9db531f39c7bae7b

SHA256
ce606141b081fa38255f36ede15a2192b50b9f303627dc06673b9d4e76475ebc

SHA512
6221732fcc4b3e3812806e8fc64847a127d3673ebb2536eed506e0ddb5838cad5e8d1f5a6157b9b6234e68c0cff7135d14754d832f417b20f43b1c1178d92c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
3KB

MD5
0199488e9e4840b246d129eae00e67ae

SHA1
f840b19f01af644553b784561f819b32d851d450

SHA256
fae93d4c50618f837ba3a0a7af4853219e60062eac5fd838409882392d6464b3

SHA512
165014f668a5b59f6ef7d7ae50a08450be48109ffc085e97775d31a685d95934e78742a534aeaf9eb7b74aba54f5085f87c53eaa51874c3c7c61836da83d7e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
d6779364c7f32219cbf5f1ae788262a0

SHA1
813aed0eab63efcb07a745408d97b5805c9345f2

SHA256
038895aedd183fc13a25d30c26e17334eb89a20c7d01287d86d85a39157d0866

SHA512
082a130f583a431779d9f3d4229af3079c6c74813ac18e1330accbb100520e2d876df0cb7c58478fe441d84f06566296dafff84ef53d27c55fd220284c1f6181

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
4820056311336aa04bb7a0d16f9897bb

SHA1
6b3943eb419a53519d46410532e19d98b2526e9a

SHA256
552faa57a5b654a5a9e9f308f26a73ccdeaaf44ee32e15a47876f73210602c17

SHA512
e2a874b6e10e1f5089eed32cb2ce47a1c469e2481a3c41932805ac2a8064979037a62e1ca2dfefd04477c572f18bba0fc0528e63dd8cef7a2890fda9df4ad6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
819b8ed40f2624683e4471f3152c6cb9

SHA1
87d6b751e2299d169df66867d9f488f24dc3dea1

SHA256
e0c313ff8a8d53c4b664a2dc653ef3885925b36646f720dbf0dcff90c30ed0c7

SHA512
a0386b5db1f2f71968e6cdd1ff4157f5c2910f8c42671473ea65ac84cbc733ce423f40d74876667fd8cdbf2a4f7cf69dd26460d4e8e37084f64a7200a7c65d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
ad39652c85813b1e7bb76780b36d8413

SHA1
8d0ab29eaa862bc2f5e6a6d06f39154a5d85cc3e

SHA256
86e54e4e98377528a2ac72decebb99c58b828303c15c128a3254c5b2f340e03b

SHA512
08cc11ef11a2266ea17c309ef34f8b1f997ec167e144ed69f484d30fc3ca983d8e161ad133fccbe8be99310d39278f1a044ea773cd6d64eacab4eedd46df84f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
memory/2244-92-0x0000000000670000-0x000000000070E000-memory.dmp

Filesize
632KB

Download
memory/2244-41-0x0000000000670000-0x000000000070E000-memory.dmp

Filesize
632KB

Download
memory/4536-89-0x0000000000670000-0x000000000070E000-memory.dmp

Filesize
632KB

Download
memory/4536-0-0x0000000000670000-0x000000000070E000-memory.dmp

Filesize
632KB

Download