193ecf44dbf5ad8e20d5a7b74d607fdb78f4bb979607283db40fd905f75b17b2

Analysis

max time kernel
136s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe
Size

745KB
MD5

0cfd1d1cddffbb49d636ccda4c82a2ad
SHA1

6369b9bb34032095fd2589a944da8ce292d096e2
SHA256

193ecf44dbf5ad8e20d5a7b74d607fdb78f4bb979607283db40fd905f75b17b2
SHA512

7a9c206a3cddeff387d3b5a7c2f4c4509f7b3791feda0818421da2991f797006540b9a2384ff5da68cd4bc472831be9227311b6db388935044a866dc1d0a00e1
SSDEEP

12288:1NiB4i0WC/H4khh4Z/avPQS+EgIopf+WaUvOa7DMYaNm9ss:KF0WCPvhh4Z/avPQS+LJ593cY+s

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\regsrvc = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\regsrvc = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\regsrvc = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe\""	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	cooldown.exe
4572	isass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
1444	reg.exe
4256	reg.exe
3676	reg.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 3068	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	83
PID 3808 wrote to memory of 3068	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	83
PID 3808 wrote to memory of 3068	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	83
PID 3808 wrote to memory of 1284	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	85
PID 3808 wrote to memory of 1284	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	85
PID 3808 wrote to memory of 1284	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	85
PID 1284 wrote to memory of 2008	1284	cmd.exe	87
PID 1284 wrote to memory of 2008	1284	cmd.exe	87
PID 1284 wrote to memory of 2008	1284	cmd.exe	87
PID 2008 wrote to memory of 1444	2008	cmd.exe	88
PID 2008 wrote to memory of 1444	2008	cmd.exe	88
PID 2008 wrote to memory of 1444	2008	cmd.exe	88
PID 3808 wrote to memory of 4572	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	93
PID 3808 wrote to memory of 4572	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	93
PID 3808 wrote to memory of 4572	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	93
PID 3808 wrote to memory of 700	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	94
PID 3808 wrote to memory of 700	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	94
PID 3808 wrote to memory of 700	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	94
PID 700 wrote to memory of 812	700	cmd.exe	96
PID 700 wrote to memory of 812	700	cmd.exe	96
PID 700 wrote to memory of 812	700	cmd.exe	96
PID 812 wrote to memory of 4256	812	cmd.exe	97
PID 812 wrote to memory of 4256	812	cmd.exe	97
PID 812 wrote to memory of 4256	812	cmd.exe	97
PID 3808 wrote to memory of 4688	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	102
PID 3808 wrote to memory of 4688	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	102
PID 3808 wrote to memory of 4688	3808	0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe	102
PID 4688 wrote to memory of 4792	4688	cmd.exe	104
PID 4688 wrote to memory of 4792	4688	cmd.exe	104
PID 4688 wrote to memory of 4792	4688	cmd.exe	104
PID 4792 wrote to memory of 3676	4792	cmd.exe	105
PID 4792 wrote to memory of 3676	4792	cmd.exe	105
PID 4792 wrote to memory of 3676	4792	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cfd1d1cddffbb49d636ccda4c82a2ad_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Users\Admin\AppData\Local\cooldown.exe
  "C:\Users\Admin\AppData\Local\cooldown.exe"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
      4⤵
      Adds policy Run key to start application
      Modifies registry key
      PID:1444
- C:\Users\Admin\AppData\Local\isass.exe
  "C:\Users\Admin\AppData\Local\isass.exe"
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
      4⤵
      Adds policy Run key to start application
      Modifies registry key
      PID:4256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
      4⤵
      Adds policy Run key to start application
      Modifies registry key
      PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\check.bat

Filesize
162B

MD5
1fe82309aa71db17b512cd0e70abf24e

SHA1
de388174e708108cde672d8f93fb756614b8ee93

SHA256
0a8129d9351f146392e0e2bf88f024b113d47524d13db9cd1a905a73d94f6b99

SHA512
c125fa0e846fd30d889999726e39c312579a79cf0852984aa66e27f8897ea1a6c12125f655b524e89d165a060d988bb049241b7cea444236f0475045d5b79d32

Download Submit
C:\Users\Admin\AppData\Local\cooldown.exe

Filesize
208KB

MD5
896148b16349b34339b2da6d03245726

SHA1
fb1bfe578db9d39c24fc38666520ab4f3196269e

SHA256
a2644cf4c0e119163ff0f00d96bb9c818972f5731f4ebc0d3df779dd8536c14c

SHA512
d811841e98865779f2ba97de4a441ac4ce1a48924fbe0569499bb91cd93a9479d38daeae69076627be6071d09a98ff997966d99124c5fb2f6a26655b5e3a8fe1

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
149KB

MD5
52730ab1c07e44c567debab8c0f82b34

SHA1
7c45ceaefd673d39d75236ea80c562a655c65642

SHA256
28a6402cc2a8dd456da639a8c35a7f288e006731409852fadb9218bb796b7dee

SHA512
8216d594fdde9ba7fd04884a57e44f61a5aca1f7b305a7360bd0ca5dbcfaf6af7210fc121bab937cba7e7004873e02ac5b1b2b95ebd272aedaff60f0ba0948a2

Download Submit
memory/3808-33-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads