a996405b45e9dc435ecf810872a5636e7137ff46fbad520e32f52e13a07442de

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe
Size

389KB
MD5

163c188b0d33f4bb9bc9b1ff04d1dd49
SHA1

7ec4d57d76727402da7c30ce25e66d131d0bc485
SHA256

a996405b45e9dc435ecf810872a5636e7137ff46fbad520e32f52e13a07442de
SHA512

66fee0ff0eb4f05533318f8e1afc35deef6ec4258f17c70c2675973bc4ba1cc4a230ac9b014072a5aa6aca9ff07555b584527e287058bebc3c72fe6f41e02bdb
SSDEEP

6144:0fxjxvjpe238JMJRMVkvkcyc65DECBe2UQB343iTYOGQKnO+Z3m:0fnbsJiRQf9VnBe2U8ISUZQB+0

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/224-0-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/224-30-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/224-35-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/224-36-0x0000000000400000-0x0000000000507000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
224	163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe
224	163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe
224	163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe
224	163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe
224	163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe
224	163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe
224	163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pcmega_2.1a.exe

Filesize
14KB

MD5
ca10529a444474d03942653f6da47eac

SHA1
c1227f1f46645363fa81b6864c8d8deb32da89be

SHA256
ea5e30d53aff766c52d0f9c8200c88671d66e415996421f533f3e64b87107296

SHA512
74121d8931a30812a63787da65e008a907566a46d5d628850718cb584eb0a48829c0fd6a97034b530ffaaa7a9ad10ec85c6d18399b97332b7f4eaeb02ce3f7c0

Download Submit
C:\Users\Admin\AppData\Roaming\GetRightToGo\163c188b0d33f4bb9bc9b1ff04d1dd49_JaffaCakes118.data

Filesize
871B

MD5
887fe6de0a409f790ff9b5809f3ab93f

SHA1
1fb86dfd1c938504bfd4725bb72d6d6c988da1a6

SHA256
acedd8d0a15a1e56335cb8fce20c77c7306ddb8e301e757c621aee8cb60601cf

SHA512
a6f52cfa6b818f75f08f5cf778c80d8f29d8f5d8fbe3d007084e054dd6446580ecdd9509f91bb57a5ff5ed66a2a749407ac0207aceb294eb1d9b38a214dd316e

Download Submit
memory/224-0-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/224-30-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/224-35-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/224-36-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download