9c82d7478581c614c7a1812132086aeab9606c214399e88fe7a1610414b9dc2e

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 15:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

072046daa751de645fe23217d120b094_JaffaCakes118.exe
Size

389KB
MD5

072046daa751de645fe23217d120b094
SHA1

aa00286cd8e5970d89a36cd5b97507ed18eda274
SHA256

9c82d7478581c614c7a1812132086aeab9606c214399e88fe7a1610414b9dc2e
SHA512

7d7a696c6f4a2850fb061c9c2343a357ea26a2861e4127ce5ea84de550ecc47446773ec93fbf44fca99021b8f782ae29afaa7cbf449cdfe240f48d4103d9db77
SSDEEP

6144:EB+84cWxC9sbMam4XspTJ755+SQ0F7YHXsJ4PLIlfR025aw7QbopcNb:NamgnRJDe0FYT0lGyQbjb

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	072046daa751de645fe23217d120b094_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	iqrtc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fqugkh = "\"c:\\windows\\softwaredistribution\\iqrtc.exe\""	072046daa751de645fe23217d120b094_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\softwaredistribution\iqrtc.exe	072046daa751de645fe23217d120b094_JaffaCakes118.exe
File created	C:\Windows\b37a6fc9.log	072046daa751de645fe23217d120b094_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
392	072046daa751de645fe23217d120b094_JaffaCakes118.exe
392	072046daa751de645fe23217d120b094_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
392	072046daa751de645fe23217d120b094_JaffaCakes118.exe
2012	iqrtc.exe
2012	iqrtc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2012	392	072046daa751de645fe23217d120b094_JaffaCakes118.exe	92
PID 392 wrote to memory of 2012	392	072046daa751de645fe23217d120b094_JaffaCakes118.exe	92
PID 392 wrote to memory of 2012	392	072046daa751de645fe23217d120b094_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\072046daa751de645fe23217d120b094_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\072046daa751de645fe23217d120b094_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392
- C:\windows\softwaredistribution\iqrtc.exe
  "C:\windows\softwaredistribution\iqrtc.exe" /i
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SoftwareDistribution\iqrtc.exe

Filesize
389KB

MD5
072046daa751de645fe23217d120b094

SHA1
aa00286cd8e5970d89a36cd5b97507ed18eda274

SHA256
9c82d7478581c614c7a1812132086aeab9606c214399e88fe7a1610414b9dc2e

SHA512
7d7a696c6f4a2850fb061c9c2343a357ea26a2861e4127ce5ea84de550ecc47446773ec93fbf44fca99021b8f782ae29afaa7cbf449cdfe240f48d4103d9db77

Download Submit
C:\Windows\b37a6fc9.log

Filesize
128B

MD5
c6c28692d4f8956fb647aab9fff35837

SHA1
94d270bafae61cb12c0647b7cbd91ab8202e7a6b

SHA256
061bdca1e25e4ee5afd7c07fab6fa072f18ce62d5340bd53741f55d59b1eb180

SHA512
c3b1b1c3fc60c949282c18ad9146d7df58016120e388ec6f90a7429273c1ada2a9dc1b1e518337cac64b9ecc9a35b43da3b570bc35309dd6bd7d8762fd04f313

Download Submit
memory/392-0-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/392-1-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/392-4-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/392-32-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2012-25-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2012-27-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download