b65d851d331b31926fb9330dad40953f4641abe86a590607f1311c1924cb17ff

Analysis

max time kernel
144s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac8ac4b17727f834d77d2f337dc85db0_JaffaCakes118.exe
Size

16.4MB
MD5

ac8ac4b17727f834d77d2f337dc85db0
SHA1

a466432e37d068a2c2b09b3b469956037e847ce3
SHA256

b65d851d331b31926fb9330dad40953f4641abe86a590607f1311c1924cb17ff
SHA512

bd6cb505dcf48c8bc12e23a3dfe01ce01dfaef9abed676770fbc899bd796e3d368633090bd8ec324b393ac5fa2a91b118dce2bdd522210b00ae4f4b734645312
SSDEEP

393216:iXiB6MQ9hbquReuivUjEk6WR+uRFFu5Vizfn8t4fOlofN63y:iXthDeuivUokHFFFu5Vizf8tfa

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023526-11.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	ac8ac4b17727f834d77d2f337dc85db0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3616	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\uninstall\Zimo Sound Programmer (ZSP)\setup.exe	setup.exe
File created	C:\Windows\uninstall\Zimo Sound Programmer (ZSP)\setup.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3616	4900	ac8ac4b17727f834d77d2f337dc85db0_JaffaCakes118.exe	86
PID 4900 wrote to memory of 3616	4900	ac8ac4b17727f834d77d2f337dc85db0_JaffaCakes118.exe	86
PID 4900 wrote to memory of 3616	4900	ac8ac4b17727f834d77d2f337dc85db0_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\ac8ac4b17727f834d77d2f337dc85db0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac8ac4b17727f834d77d2f337dc85db0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies registry class
  PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.cfg

Filesize
16KB

MD5
543817e36e36bdb7725b4c5039429e33

SHA1
5f8be1c05656b3d11e3cc9833da09d189456e682

SHA256
8f1fd889f7b3b893d5faf11ea7322d9ae107c7d825a74d750d1c2dd705b47bd5

SHA512
76e05c2c8b46d970229d1f08365cda1f9c05fa00aae2cc3b8e5188dfede32a4e7a03841f796ccc2d6779d8d6fed2a67aff395be9c8d6564f7c06e4f0e6a5f410

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ZupSfx0\setup.exe

Filesize
403KB

MD5
f17f1393e7f58f602a6f8f4864015235

SHA1
bd120de991db7cc85c4472fac395bd426d31c981

SHA256
81e0d5df143ec1e32e6791083fb768b6fa04b3049f5f65ba3414493a3358ebd6

SHA512
64bf5145990277dd1e777fe2e32b8c3e7b55857c03ca1fd7e42025881463d2b7845748c59f2c8509c77b7c7778b141c596f945f1996203f835af092311b8518f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup~1\setup.zmr

Filesize
86KB

MD5
0353823d703c4a3ca260c28832f467dc

SHA1
71384d1f68cf1b68c483e89245df71153bedc656

SHA256
d237ad761b6b36ffbe6078bf6517ca5169443886e6b7fe5dfe86b7077df3ba27

SHA512
9649cbab1e6263174d862e4949367ca633c7a751663f792f0660f5a26bafc2de35cc067e41c7776329f2f4db69ec7bc13f1d00a0a93bae4e5faf6e835130b4c9

Download Submit
memory/3616-20-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3616-202-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3616-205-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/4900-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4900-203-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download