225bf460a0c2e3d00f7a6679d10764dc60a0e9510c8e30a99602d4328cf21922

Analysis

max time kernel
134s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 01:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe
Size

23KB
MD5

184896f403bceb6f7b1db26208df800b
SHA1

03f40ff6ff6ad26e046e2ff34d9149469b4b0128
SHA256

225bf460a0c2e3d00f7a6679d10764dc60a0e9510c8e30a99602d4328cf21922
SHA512

d7ce186146f74e0f25b4c629e733e952c66aca5fdb2d5e3647bda3ac6e624012a7357c6141639f781cd43c306d1bbe13dff94bee1f337240a12c87164e14a47a
SSDEEP

192:EB5W66P1oynPh489jvy5SoOpMP1oynpaRM3RdjE5norY6BZQbmuPrQe2rP:EBQ6E15h4QGkG1iR8RdjE5nosSZU5ryL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	wddn.exe

Executes dropped EXE 1 IoCs

pid	Process
532	wddn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE %1 http://www.114898.com/?tn=881"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\Z\ = "É¾³ý(&D)"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\ÊôÐÔ(&R)	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\ÊôÐÔ(&R)\Command	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\ = "Internet Explorer"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\	WScript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\ShellFolder\Attributes = "10"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\DefaultIcon	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\Open(&O)\Command	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\Z\Command\ = "Rundll32.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\ShellFolder\	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\Open(&O)	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\Z\Command	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\Open(&O)\ = "´ò¿ªÖ÷Ò³(&H)"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\ÊôÐÔ(&R)\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\Shell\Z	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}\ShellFolder	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860982}	WScript.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2036	reg.exe
4648	reg.exe
4428	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe
532	wddn.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1704	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	82
PID 2652 wrote to memory of 1704	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	82
PID 2652 wrote to memory of 1704	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	82
PID 2652 wrote to memory of 724	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	83
PID 2652 wrote to memory of 724	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	83
PID 2652 wrote to memory of 724	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	83
PID 2652 wrote to memory of 1276	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	84
PID 2652 wrote to memory of 1276	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	84
PID 2652 wrote to memory of 1276	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	84
PID 2652 wrote to memory of 3580	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	85
PID 2652 wrote to memory of 3580	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	85
PID 2652 wrote to memory of 3580	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	85
PID 2652 wrote to memory of 2372	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	86
PID 2652 wrote to memory of 2372	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	86
PID 2652 wrote to memory of 2372	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	86
PID 2652 wrote to memory of 532	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	87
PID 2652 wrote to memory of 532	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	87
PID 2652 wrote to memory of 532	2652	184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe	87
PID 532 wrote to memory of 2136	532	wddn.exe	88
PID 532 wrote to memory of 2136	532	wddn.exe	88
PID 532 wrote to memory of 2136	532	wddn.exe	88
PID 2136 wrote to memory of 2036	2136	cmd.exe	90
PID 2136 wrote to memory of 2036	2136	cmd.exe	90
PID 2136 wrote to memory of 2036	2136	cmd.exe	90
PID 2136 wrote to memory of 4648	2136	cmd.exe	91
PID 2136 wrote to memory of 4648	2136	cmd.exe	91
PID 2136 wrote to memory of 4648	2136	cmd.exe	91
PID 2136 wrote to memory of 4428	2136	cmd.exe	92
PID 2136 wrote to memory of 4428	2136	cmd.exe	92
PID 2136 wrote to memory of 4428	2136	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\184896f403bceb6f7b1db26208df800b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WINDOWS\Temp\ialxokta.vbs"
  2⤵
  PID:1704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WINDOWS\Temp\ialxoktb.vbs"
  2⤵
  PID:724
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WINDOWS\Temp\ialxoktc.vbs"
  2⤵
  - Modifies registry class
  PID:1276
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WINDOWS\Temp\pag5.vbs"
  2⤵
  PID:3580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WINDOWS\Temp\pag4.vbs"
  2⤵
  PID:2372
- C:\WINDOWS\Temp\wddn.exe
  "C:\WINDOWS\Temp\wddn.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\resgfvr.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\reg.exe
      REG Add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ /ve /f
      4⤵
      Modifies registry key
      PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      REG Add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{C42EB5A1-0EED-E549-91B0-153485860982}\ /ve /f
      4⤵
      Modifies registry key
      PID:4648
  - - C:\Windows\SysWOW64\reg.exe
      REG Add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{C42EB5A1-0EED-E549-91B0-153485753982}\ /ve /f
      4⤵
      Modifies registry key
      PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\resgfvr.bat

Filesize
349B

MD5
2cc8a7df501e72e6c0abaeea8dd74cd3

SHA1
d695c0e03d920d6ae450e19730025305b16d707e

SHA256
9e7b8e8f9e470920847067edc78b86afb7afc3ea74f45b2f7d5dd9b7d70463e5

SHA512
b5c4590c35ab3545b12da7b49a0b67d093bd2aab9d69999edec1403f03784ccb7fe7dba3894810308fbe9795f4f627279073501745655918437c54e079dc6aad

Download Submit
C:\WINDOWS\Temp\ialxokta.vbs

Filesize
3KB

MD5
dc1294b39c88f4f392a8fbb14d882783

SHA1
66d581822c9e61a1c5e12392b051e66fcd9b15b0

SHA256
81e620210cf2658b1223fbf99cc7d2c0ea832bf28dff7b8ad13ca217f15d0e33

SHA512
f25ffb812461b5451f4782953af710f958d77be1c94d568784d26e84dbc0c34f379b8f17ed58ee1c8425b89cb054b8da7fe6472eac2be652038a753a17a69da0

Download Submit
C:\WINDOWS\Temp\ialxoktb.vbs

Filesize
3KB

MD5
02c167ea7c31d88efe9160d86acb4de4

SHA1
ab7ea1aecc2e82aaa3f62863cf81178d86f3208f

SHA256
a6a2d1cafd16736f30f932403ad65aa688b561c04d9b69b18342392fb3226e1e

SHA512
a850f3339dfeb9aab29062d08b363c4b48e92a9f38ce532db6a42882469846412769a0f8e77877364665ad730894c3c2f08a31087367c28099960f7c4f617892

Download Submit
C:\WINDOWS\Temp\ialxoktc.vbs

Filesize
1KB

MD5
27f2f7fe0ec5470ca302c42e25e3ee03

SHA1
3a3eedb51311f14de20b2c1300a10c431477f9ea

SHA256
d7e63b4cd0a63239fb274e7b14218ab05b99bd7cf4a6efc6675d8aed70c193a7

SHA512
bd367259068b974f1f1bbe79eb087b998a49bb259ca391e24b2b30410eb0fc329704aef0e5b5a72a943b86bd8e73fb93d8b4e992c8a4202f2e8c80a600a6ae2d

Download Submit
C:\WINDOWS\Temp\pag4.vbs

Filesize
408B

MD5
03d352776bce016a22c2264cde64b6af

SHA1
b8069c81d23b323eac848d240b31e3afcb018537

SHA256
777e6484309325088372dc22f82b6fadef88c3cfbfe9da10bd7e5a7575f26627

SHA512
e8f55f40d421cdc495098f2a5aead17b36b9c16bfbff1f619e32e06095a23a58fcd09c31eb9f4c2d97ef5c042749ed7e79cc402807c03a7609ce5ff00c1c6d04

Download Submit
C:\WINDOWS\Temp\pag5.vbs

Filesize
407B

MD5
dcd95ffc282549e2797867802ec669ce

SHA1
a8af057a834e6e7a7c5eb4578738e2cda5a3610d

SHA256
3c8f5624fae51726e34d7f9bf1c702fc97bf644bb3312bf24c94e758271334b3

SHA512
c28149fc6163003a2c56e5544d3db121baef24a0a2fea9b64d5aa753ddcc7c66c31cc2a08e13d14dcfa73ba98506823e05ea82fa89e2945f6ca7e79122f9f354

Download Submit
C:\Windows\Temp\wddn.exe

Filesize
3KB

MD5
943d001eba075026382a0d220e2d8db5

SHA1
755861a206edb5f5e31bb7a1fc5e6648a62d43bc

SHA256
608555cdf808d3a449c5d7516ca13d2038aaf0869c109b75cc3a0a072ef2872f

SHA512
d2c9bc3192a1cc535c03fd020f0cf7127d628d89eb8d27449ad3c32160122109f0bdfeb0d517f2f0f1e85529da27a16530ac37d45ff3c98b0fe24ca7fc42eb14

Download Submit
memory/532-32-0x0000000000400000-0x0000000000400F70-memory.dmp

Filesize
3KB

Download
memory/2652-28-0x0000000000400000-0x0000000000405F60-memory.dmp

Filesize
23KB

Download