2387103da53a8e52093bac68243569c265e23129db6d874ee29c24c9d229698d

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe
Size

104KB
MD5

0cf3c2aee431475d75bc79d5ea323730
SHA1

313f4eb1ea98af681ada997d9f46c9ef41f6f31a
SHA256

2387103da53a8e52093bac68243569c265e23129db6d874ee29c24c9d229698d
SHA512

5f8b76dc9fa3d84a577499dc2e64e31b4c9460a6bc3f82be0c7efc652717135e1144584f207259e3ab609c902d28d276ff8e4a8c113e9e42826cf162bbd5eb5e
SSDEEP

1536:ngTJCNMiJ0dxUEy5beFI5sxyCNYwUch0IdTh8evcmmt0DH:n2JhCgPCR41hWevcmmt0DH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
208	jcjtm.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\jcjtm.exe	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\jcjtm.exe	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\xutrt.PNF	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\xutrt.PNF	jcjtm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe
208	jcjtm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 208	3704	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	82
PID 3704 wrote to memory of 208	3704	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	82
PID 3704 wrote to memory of 208	3704	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	82
PID 3704 wrote to memory of 1796	3704	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	84
PID 3704 wrote to memory of 1796	3704	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	84
PID 3704 wrote to memory of 1796	3704	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	84
PID 208 wrote to memory of 4080	208	jcjtm.exe	61
PID 208 wrote to memory of 4080	208	jcjtm.exe	61
PID 208 wrote to memory of 3952	208	jcjtm.exe	60
PID 208 wrote to memory of 3952	208	jcjtm.exe	60
PID 208 wrote to memory of 3796	208	jcjtm.exe	58
PID 208 wrote to memory of 3796	208	jcjtm.exe	58
PID 208 wrote to memory of 3892	208	jcjtm.exe	59
PID 208 wrote to memory of 3892	208	jcjtm.exe	59
PID 208 wrote to memory of 3796	208	jcjtm.exe	58
PID 208 wrote to memory of 3796	208	jcjtm.exe	58
PID 208 wrote to memory of 3460	208	jcjtm.exe	56
PID 208 wrote to memory of 3460	208	jcjtm.exe	56
PID 208 wrote to memory of 3952	208	jcjtm.exe	60
PID 208 wrote to memory of 3952	208	jcjtm.exe	60
PID 208 wrote to memory of 3796	208	jcjtm.exe	58
PID 208 wrote to memory of 3796	208	jcjtm.exe	58
PID 208 wrote to memory of 3796	208	jcjtm.exe	58
PID 208 wrote to memory of 3796	208	jcjtm.exe	58

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\SysWOW64\jcjtm.exe
    "C:\Windows\system32\jcjtm.exe" -reg2
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\erase.bat" "
    3⤵
    PID:1796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\erase.bat

Filesize
148B

MD5
04a37a3a32775fa4b62e55e52bac0ca9

SHA1
fce3ea97d1e2b4b87519bd0e80856fbfc46ed294

SHA256
77cbe4eda413ea401ad27d5fbdbe579a708c4ad8387c6fc8e87c7ab977d9051f

SHA512
b883e11435807099c941038bba08c50255e5e3a2cded743472ab419fc985eefbe45292d54f7c396e4c54127ae638ac5991b7a91e6602502eff30e929f341c2d5

Download Submit
C:\Windows\SysWOW64\jcjtm.exe

Filesize
104KB

MD5
3488067218b14e2249a25d95a71743c3

SHA1
1625750847bb0d420a59521be3e2d648b8dd0424

SHA256
15e1a24f40ff3ceb6d51aae1205f0e28a904f4865fb587abe96fb096885cef4a

SHA512
8796839c01d1881e043b0513bda929dead45d179499f4093391453400b0c947f76568d7a883e20d63bee6e63b8bd0bf22e835f451b1e2012e4e2b05f6500ea53

Download Submit