Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-06-2024 08:52

General

  • Target

    1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

  • Size

    296KB

  • MD5

    1562ea6ccbc11556a2fbc40aeaf1897d

  • SHA1

    d3e9413c1ede49d83be13b118c861cbe41b3e6c2

  • SHA256

    a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb

  • SHA512

    44572ee9589c46f1fe2d009f77b5b199343e506257613ccf8de524fc57e590ec04d102a760aade26bfb23fb4a16f81c242ae98e34ae28382aaa51568d10725aa

  • SSDEEP

    6144:POpslFlqLhdBCkWYxuukP1pjSKSNVkq/MVJbR:PwslgTBd47GLRMTbR

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:2068
      • C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1176
        • C:\Windows\SysWOW64\WinDir\rafaella.exe
          "C:\Windows\system32\WinDir\rafaella.exe"
          3⤵
          • Executes dropped EXE
          PID:512
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 548
            4⤵
            • Program crash
            PID:3900
      • C:\Windows\SysWOW64\WinDir\rafaella.exe
        "C:\Windows\system32\WinDir\rafaella.exe"
        2⤵
        • Executes dropped EXE
        PID:1368
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 580
          3⤵
          • Program crash
          PID:1512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1368 -ip 1368
      1⤵
        PID:4012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 512 -ip 512
        1⤵
          PID:1412
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4428,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:8
          1⤵
            PID:2868

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Persistence

            • Boot or Logon Autostart Execution (T1547): 3
            • Registry Run Keys / Startup Folder (T1547.001): 2
            • Active Setup (T1547.014): 1

          Privilege Escalation

            • Boot or Logon Autostart Execution (T1547): 3
            • Registry Run Keys / Startup Folder (T1547.001): 2
            • Active Setup (T1547.014): 1

          Defense Evasion

            • Modify Registry (T1112): 3

          Discovery

            • Query Registry (T1012): 1
            • System Information Discovery (T1082): 2


          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
            Filesize

            224KB

            MD5

            fcdc2ec75169e8f15aa481a855d2d1ce

            SHA1

            e175eb08f9c24ef111cb7a0691ef75e81ffc9f49

            SHA256

            b9dcdb13419530c9b517e0ca3ee3f8c63ae59e970e8ad286a41a4b77addc3173

            SHA512

            32310fa60f8d1d8c70517ab451034617407106aa5d1ecd80cbd47534952d3ad9fc73b391ff8f76f577b89d996ddf032e6cf46c13a4a45fa93d1e8ede183cdd51

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            a0bff030c7ea47144eb4f2740e45484b

            SHA1

            c6102a3274de269d612bd7fbee212bc48bbed425

            SHA256

            b1b3b1ec212ac5413326b8867d51ab28d851664225a85755301764165d05e990

            SHA512

            d837006591fc7526b12c612dfa4eb4b10853fa90c3446290dadaa507d17b6023cef149c83d441566855116141e15fc55049ddf622146ae70c3dd00e9e084f005

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            e3316ef318e9322c29e840719d6e51b2

            SHA1

            009d0fca6c0e01dd5c17c4738d07730940ce088c

            SHA256

            356805e8dd89737f6ccbf88b2d84d33a8ec90c0f0f786b851ef8f68e603380cb

            SHA512

            91498a051a14fce59053cd188a2b9859f6b5fef0565dee5d0b87a3b7645b701777e56bf16f3fb5367c16948e6d48a0e3d2b8abd269cab9698106969c68f8ee5b

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            f7fd02d9f9118543b6038bc53cd04b47

            SHA1

            890ac4ee76f99bcfb09abefdcdd46b55e4e6e3be

            SHA256

            a9c58a5d5270614e9e215df23b7d095a4bb447901a599b3976d3a356082afdb7

            SHA512

            f2d44f9713d647d9f916dc41646cc111a996b5a3646cc568cd582665c21017b22ecc4cc0f301124b0e14ba19be05076c2d5d1a7030c87c7cf1969821fdc536d9

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            c6a57eb3bdbf10bab9ae050c5aa7a940

            SHA1

            0e34774ec9b27c8d61983433bb06fd608be3420a

            SHA256

            3bb2419816762ec7537a1298a181a292ce2bb6d239d989ef3b28a69d39aeffbf

            SHA512

            f98aede02d7dbb42ad87fef4377cbe26d26788846dae1c61364dbdaf77340378db208626120b82cdaab6191ee261d7c8d62b53a48b171258864f421a6f0777db

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            fa16c17bd57ddac978987e3b4fe3a82c

            SHA1

            b41cb944cef71aad508be364cd3dab9456cc7d4f

            SHA256

            8e3749f8e6100d6fe75bc92c36f2d3e1b994fd33a2102d1a6cfca9822a344584

            SHA512

            66d24575f7cf727d1119e9a8d5420d41fc03457066653ece67aad2330e8220a6a891566d2181a35cc7105b389c2dda9039047c0771085fc48e8b0ccc61ca8713

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            d07f6d2486723e1a114f03d322adcf60

            SHA1

            69a64297b09c8d679e5dddf3c932a4ec1e44a587

            SHA256

            dff24518646134ba890bd53823d88e7df5bb6e13e214f3ec870b2a39cf6bbcf0

            SHA512

            33cfaa555b3783b2026196ea7e9a54d762a069526b1182875e55e8e56cae3adf256898a9d01d9b28f2d4df56a673fcac07e780ba5ed6e1c97600b2bfe503ff6a

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            fa09d55b41bde0a2661420706c1f0f83

            SHA1

            d60f54f56c5c1cf72428f7bbac382d9fa11579bd

            SHA256

            971bbb6b2b91483c0e723509baf4163ca5d0f747af50635328febe8f15e1db3e

            SHA512

            38972da3457a978f2adfa03838182255547926dde54015e8194328da2ab1cdc5c49fb72f141318205324ef44c57aa922f74ef4340ed58f8f526e6537aeceb5f3

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            93803456c54e1da5c0bd17b59f999928

            SHA1

            800b89889a229ff82396cf92e0ad1bd5b3b2f949

            SHA256

            ea09f2be24eb678d6fcf66bdb26dc269eef1015d8d0d1d40b7d32245d8b8ae36

            SHA512

            f968e9be79747477e054272edf32515827e32f95e49da212a14b0416bf169b0ed0424c131849e389ebc5ff53cd6c44a60d7ae938cc600688d432b945aabceadb

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            8f4f70b06c422f6cd97922ce06a2b2b9

            SHA1

            489f63af2f3b9c208b316dacfa0a2e9f8f82a7dd

            SHA256

            730fa91d4c3769bd19ff5997b2b58fb6df5b549f70b1a73b1589e75224cd25e6

            SHA512

            45193a5bfa883ed037634addca0982164097cbd8810cfbcb41e37c85a8ce07039539ae542f9fadef2214135315725a0efc2b7f3241d159ec116f0573094bcee9

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            c55cf1aec52529c837ff94f94be1b9d2

            SHA1

            4486d318d0abebadea286c7a769f9140b4342eac

            SHA256

            6d2361e1c45d6a8fbe14721a7e9b0089b07532e42b74d6888eddb75c93ff98fb

            SHA512

            e1ec8dc70b8aa660ec6aea27dc1d48e0d28b1b933751d7d9c86418fa97f760caf2e89302958d0e660a5c4ede80c04ee7dc81281f2768eb264a8db8c9954f909d

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            883c9d12b80e689ff3e01f4cc1687e5f

            SHA1

            2ffca5d1fa8e89610f02cfe11bbe214485abf5b9

            SHA256

            cfda9af4e8409f913c3d265d20ad1e4f67b1b65e6b0b451682db0ef5cfa3432a

            SHA512

            67de1cc8eda4079e43d0ab06e3e68e15aa6c511372f1e9127256886a306d24e51fba30e6e597c3bd3c5c2315b331f73583e829d3d498ebe0e3c50db2755d9a17

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            2d82b86bdeb30177bece9cf0db3d258e

            SHA1

            ca9da9148d626fec5724d6da353e73927c5dcdfe

            SHA256

            c0703bce4a45b6cfeb6351c99671d8958094df50d7950ed39713dcb595a488fd

            SHA512

            9ff8d19f2106ce98b4b377e8f8330632aea3ce7a63c064f2c0a7f2a5fee5ef332523ab3f237967a0742d823b6643fe26111bd29538f3bd81a39e0adfdd8089f1

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            4cd91252cc12842a05ea09668a10b3ab

            SHA1

            a929214d1e1a2a78bf34ab52087945aa70fb564f

            SHA256

            f98a14a42b5840cf17c304b9baf5b0c980cfb1393698764303499a861c5748ce

            SHA512

            cf54f0030974b462ccbfd3b724dc1f0bf2ab84b741c882a2cd9be140cf5dbaf7f1521742014717a3714756a910edb693141cfec29c7ed2e8a9ca179e62828931

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            0113a1eba293841d61461773d9969fd4

            SHA1

            7419b0ad990bb63c49d0f7624bd1afe0379da102

            SHA256

            437b52e36fed243f9bdea95594abdad81a64d0e98bafe9cf35220e4d525f0e59

            SHA512

            41d432987be623c19fce5e3520539d2c10b255135f17894c74ee6f8b54009b59c315c7319fbe0d1370e7a235c1f155327f2f98f071196a18c769121e5ed8b62e

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            f1cdde69d3881168f15c145c4c13034b

            SHA1

            522edcb9c4065e636e6fc24bb55abab8cfd77f7d

            SHA256

            b7f1817525eb2ef20a6c9840e9a910655385584cadff0705e5db26700f10627f

            SHA512

            31df521c964eb6f6c25279f85908a4a3bd0782853cac34f2b4687673d81f3479d1b5ed9f493d30bf4ecd34a780f4f8cbe28648b674a74d273ef02d76c2ff987f

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            0702678a3c6be57a890bce6bd1982560

            SHA1

            cb7742da8051dcba2456d35c3821aea598dc54ee

            SHA256

            fa8b0dc96a4f26f7b20025f463b9b1559171df84b1d213d2bffbf5f7141de1c2

            SHA512

            c6846aeb7f52d348fd62e2c28d20440f992dec6239e5e1c0fd3659ecc14dba67c6aab0f79fa17c7853aa3bb481d43c511921d378ff89612f908ee7dc6d9a58c5

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            6dbe59359ff5c498654c64d1510cfa52

            SHA1

            f4ea5b6cedb75bc488d8953acc266fbb6a2884e2

            SHA256

            503c37e7db2f8d4492489fc680c6774ecc2820b4c144cca015db15e8e69885c9

            SHA512

            f18e13006488699d6b886d677e6b370a496040da408fcd347875592fc2e338ebfd0fe22de51a4b2840b878fbd57325d3b8702629a6551382bb4f120c6a95cc40

          • C:\Users\Admin\AppData\Local\Temp\Admin7
            Filesize

            8B

            MD5

            fde4a074e2e25e2cbd1456cb9471089a

            SHA1

            2272f69121f682d451793ab888e2802134d55884

            SHA256

            3516eee6156f4d4d6f0f69ab26a2867ff5824a7c360df90bd7db80b059b7d675

            SHA512

            88c041c1297addad85c1d1b4c1cd8df3ec70960dc068f17f87a8b7ddd52a14d52de9e5e80ef47478fc4ffd611cfe08cb2cd39e18a0b97869ada79ff800361748

          • C:\Users\Admin\AppData\Roaming\Adminlog.dat
            Filesize

            15B

            MD5

            bf3dba41023802cf6d3f8c5fd683a0c7

            SHA1

            466530987a347b68ef28faad238d7b50db8656a5

            SHA256

            4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

            SHA512

            fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

          • C:\Windows\SysWOW64\WinDir\rafaella.exe
            Filesize

            296KB

            MD5

            1562ea6ccbc11556a2fbc40aeaf1897d

            SHA1

            d3e9413c1ede49d83be13b118c861cbe41b3e6c2

            SHA256

            a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb

            SHA512

            44572ee9589c46f1fe2d009f77b5b199343e506257613ccf8de524fc57e590ec04d102a760aade26bfb23fb4a16f81c242ae98e34ae28382aaa51568d10725aa

          • memory/1176-1377-0x0000000010480000-0x00000000104E5000-memory.dmp
            Filesize

            404KB

          • memory/1176-8-0x00000000005C0000-0x00000000005C1000-memory.dmp
            Filesize

            4KB

          • memory/1176-7-0x00000000001E0000-0x00000000001E1000-memory.dmp
            Filesize

            4KB

          • memory/1176-68-0x0000000010480000-0x00000000104E5000-memory.dmp
            Filesize

            404KB

          • memory/4600-6-0x0000000010480000-0x00000000104E5000-memory.dmp
            Filesize

            404KB

          • memory/4600-2-0x0000000010410000-0x0000000010475000-memory.dmp
            Filesize

            404KB

          • memory/4600-63-0x0000000010480000-0x00000000104E5000-memory.dmp
            Filesize

            404KB