Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/06/2024, 05:03
Static task: static1
Behavioral task: behavioral1
  Sample: 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
- Size: 171KB
- MD5: 0309e4238dfdc5d4b2c7f08ba06a91dc
- SHA1: b4068034b88041bca8c1a7903beb10efb7b7819e
- SHA256: b2edb23e5a6233a5c59670034e20af7288480b5b70eed076b1c6fd10a1070ec0
- SHA512: 857b61bdd78479663423d7306dd2bc69cd1a593486a307e359c99b150e9c0cd6e24c49be50310e94d6b785035f62d1e27c205dad5ff6c58ba97330a44e441c95
- SSDEEP: 3072:ZyH99g4byc6H5c6HcT66vlmm+mYUkMuRYUugIfyYUnSgAr6ckP8/4+/KJcI0Rf7A:ZyH7xOc6H5c6HcT66vlmiYUkPRYhgIfU
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  4604 | svchost.exe
  4724 | 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
  1540 | svchost.exe
  372 | Uninstall.exe
- Drops file in Program Files directory (64 IoCs)
  All 64 entries share the same description (File opened for modification) and Process (svchost.exe); the ioc column is:
  C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
  C:\Program Files\Java\jdk-1.8\bin\javaws.exe
  C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
  C:\Program Files\Java\jdk-1.8\bin\keytool.exe
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  C:\Program Files\Java\jdk-1.8\bin\idlj.exe
  C:\Program Files\Java\jdk-1.8\bin\rmic.exe
  C:\Program Files\7-Zip\7z.exe
  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  C:\Program Files\Java\jdk-1.8\bin\jstat.exe
  C:\Program Files\Java\jdk-1.8\bin\jps.exe
  C:\Program Files\Java\jdk-1.8\bin\orbd.exe
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe
  C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
  C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
  C:\Program Files\7-Zip\Uninstall.exe
  C:\Program Files\Java\jdk-1.8\bin\jar.exe
  C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
  C:\Program Files\Java\jdk-1.8\bin\javap.exe
  C:\Program Files\Java\jdk-1.8\bin\jdb.exe
  C:\Program Files\Java\jdk-1.8\bin\jmap.exe
  C:\Program Files\Java\jdk-1.8\bin\jstack.exe
  C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe
  C:\Program Files\Google\Chrome\Application\chrome.exe
  C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
  C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
  C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
  C:\Program Files\Java\jdk-1.8\bin\javah.exe
  C:\Program Files\Java\jdk-1.8\bin\javaw.exe
  C:\Program Files\Java\jdk-1.8\bin\policytool.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
  C:\Program Files\Java\jdk-1.8\bin\java.exe
  C:\Program Files\Java\jdk-1.8\bin\klist.exe
  C:\Program Files\Java\jdk-1.8\bin\pack200.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
  C:\Program Files\Java\jdk-1.8\bin\kinit.exe
  C:\Program Files\Java\jdk-1.8\bin\ktab.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
  C:\Program Files\Java\jdk-1.8\bin\javac.exe
  C:\Program Files\Java\jdk-1.8\bin\jhat.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
  C:\Program Files\Java\jdk-1.8\bin\jjs.exe
  C:\Program Files\7-Zip\7zFM.exe
  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
  C:\Program Files\dotnet\dotnet.exe
  C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\svchost.exe | 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1832 wrote to memory of 4604 | 1832 | 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe | 81
  PID 1832 wrote to memory of 4604 | 1832 | 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe | 81
  PID 1832 wrote to memory of 4604 | 1832 | 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe | 81
  PID 4604 wrote to memory of 4724 | 4604 | svchost.exe | 82
  PID 4604 wrote to memory of 4724 | 4604 | svchost.exe | 82
  PID 4604 wrote to memory of 4724 | 4604 | svchost.exe | 82
  PID 4724 wrote to memory of 372 | 4724 | 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe | 85
  PID 4724 wrote to memory of 372 | 4724 | 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe | 85
  PID 4724 wrote to memory of 372 | 4724 | 0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe"
  PID: 1832
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe"
    PID: 4604
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0309e4238dfdc5d4b2c7f08ba06a91dc_JaffaCakes118.exe"
      PID: 4724
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end
        PID: 372
        Signatures: Executes dropped EXE
- C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  PID: 1540
  Signatures: Executes dropped EXE; Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 12be07a11a0a0d6ad5499aee03d7e6c1
  SHA1: c98ad4b432ac8f48c7ff883697c1804b49269015
  SHA256: 3f543580bb8f9178c8bb405860e2e6ae8ea29999e7549c7da5d13aea53498666
  SHA512: 7b958fdd27fd4d3d88e84d977a9b6aee622ad2812deafafbe36bd6d68a7b04dbb203cb2536ea2b15e72cd9a0cd75cae22ab73fece2e45c4e884392150eedd9c7
- Filesize: 136KB
  MD5: 20b1de76f446c9807eb1f46346f9d510
  SHA1: 8a0d0a76971b368f477ba1c75f4d302b33454462
  SHA256: 2af77de2be74ec49cb4f4d4a416cd480cc615cecb7e5bd7b3a142277fb36d6f0
  SHA512: 864cefbaa4ad72105822557ab8176f3c22c50cf025f4510912be440170dc91cd468b476b0481b9c7a0cd84d1dd560557d314c534cf33077253c4b8bada9c7a11
- Filesize: 35KB
  MD5: 9e3c13b6556d5636b745d3e466d47467
  SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
  SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
  SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b