5c1a710628ea2be30907df9a6f25c672c2fe683d6ee1930a829061afe7fc877c

Analysis

max time kernel
140s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe
Size

104KB
MD5

188948ddb492aadfe9ff4180f2b9554c
SHA1

ea779e28591ee9a07b86cb4b6a0b736f7ff79e3a
SHA256

5c1a710628ea2be30907df9a6f25c672c2fe683d6ee1930a829061afe7fc877c
SHA512

3117e2ac507c4d41f6e4499813915f9ef76c1a0abb19a27b1a013894b0e2b6967a50a5440c7404468f1c44a61356a5803052725c22a1adb6b0bded03691158d9
SSDEEP

1536:ngTJCNMiJ0dxUEy5beFI5sxyCNYwUch0IdTh8evcmmt0Dm:n2JhCgPCR41hWevcmmt0Dm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	hgreg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hgreg.exe	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hgreg.exe	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\xutrt.PNF	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\xutrt.PNF	hgreg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe
2528	hgreg.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2528	2024	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	95
PID 2024 wrote to memory of 2528	2024	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	95
PID 2024 wrote to memory of 2528	2024	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	95
PID 2024 wrote to memory of 3128	2024	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	97
PID 2024 wrote to memory of 3128	2024	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	97
PID 2024 wrote to memory of 3128	2024	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	97
PID 2528 wrote to memory of 3892	2528	hgreg.exe	60
PID 2528 wrote to memory of 3892	2528	hgreg.exe	60
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 4008	2528	hgreg.exe	61
PID 2528 wrote to memory of 4008	2528	hgreg.exe	61
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 3784	2528	hgreg.exe	59
PID 2528 wrote to memory of 3784	2528	hgreg.exe	59
PID 2528 wrote to memory of 1552	2528	hgreg.exe	96
PID 2528 wrote to memory of 1552	2528	hgreg.exe	96
PID 2528 wrote to memory of 2632	2528	hgreg.exe	47
PID 2528 wrote to memory of 2632	2528	hgreg.exe	47
PID 2528 wrote to memory of 3112	2528	hgreg.exe	62
PID 2528 wrote to memory of 3112	2528	hgreg.exe	62
PID 2528 wrote to memory of 4008	2528	hgreg.exe	61
PID 2528 wrote to memory of 4008	2528	hgreg.exe	61
PID 2528 wrote to memory of 3892	2528	hgreg.exe	60
PID 2528 wrote to memory of 3892	2528	hgreg.exe	60
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 1552	2528	hgreg.exe	96
PID 2528 wrote to memory of 1552	2528	hgreg.exe	96
PID 2528 wrote to memory of 2632	2528	hgreg.exe	47
PID 2528 wrote to memory of 2632	2528	hgreg.exe	47
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 3360	2528	hgreg.exe	57
PID 2528 wrote to memory of 3360	2528	hgreg.exe	57
PID 2528 wrote to memory of 3892	2528	hgreg.exe	60
PID 2528 wrote to memory of 3892	2528	hgreg.exe	60
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 2448	2528	hgreg.exe	78
PID 2528 wrote to memory of 4008	2528	hgreg.exe	61
PID 2528 wrote to memory of 4008	2528	hgreg.exe	61

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2632

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\hgreg.exe
    "C:\Windows\system32\hgreg.exe" -reg2
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\erase.bat" "
    3⤵
    PID:3128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4788 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\erase.bat

Filesize
148B

MD5
f2304cf9b8a7809ead7111dd07c2afbd

SHA1
b1842949b4e4a98e0e164dd3bf115eef0ccb536e

SHA256
e4e8d8a8464fcb22079616e46090efa40253fdcd52899ee7c0dc632733a5a0e6

SHA512
dc2056a85f6dc3a4cfa5dab2360b079268628a85611b6753751b68cfd6cca121d2091ab0dc646a51166730debf4f40e941087e70e275c758a805122611973025

Download Submit
C:\Windows\SysWOW64\hgreg.exe

Filesize
104KB

MD5
629623732607771a21f0ac11ef84c399

SHA1
e2a7a2be362d3a0e8638758d3dfa5281f72c90d5

SHA256
fa8cf469c8841cd00c8418231e8fac243317194f35b35df5791aa6af19720a25

SHA512
815b149a6673cf23bbb92406c65697430bd6b3f34ad7f8bb3660ffaadcb251d3ed07cbaa482c3b9d3dfde2669346b603131c26a76aaeb28773e0e5b02d2eab8e

Download Submit