0fd2f07c66c72bf4e2cf3e696d6df557bbcce9799fa6f70fa0064cec8d8f538c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

213bee731c8b5427bc810263c77cfae1_JaffaCakes118.exe
Size

938KB
MD5

213bee731c8b5427bc810263c77cfae1
SHA1

03b0075b0fd571d07fc112b3f4d4ccd0024a6e48
SHA256

0fd2f07c66c72bf4e2cf3e696d6df557bbcce9799fa6f70fa0064cec8d8f538c
SHA512

95b717b55eb7c14deca14ab14c923b77e58967bdd83ff84f11ca678c69f28a2eb0ae6a99f24bc55d659766eab458ba3eb71f9679724563615cd41c4a020be99b
SSDEEP

24576:zmZHGnNYczuLYpDdWmDwXcYMvQhzOTIl/Q:OsOrytDKMvQKTR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	213bee731c8b5427bc810263c77cfae1_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2528	temp.exe
1820	Hacker.com.cn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	temp.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	temp.exe
Token: SeDebugPrivilege	1820	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1820	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2528	640	213bee731c8b5427bc810263c77cfae1_JaffaCakes118.exe	85
PID 640 wrote to memory of 2528	640	213bee731c8b5427bc810263c77cfae1_JaffaCakes118.exe	85
PID 640 wrote to memory of 2528	640	213bee731c8b5427bc810263c77cfae1_JaffaCakes118.exe	85
PID 640 wrote to memory of 2200	640	213bee731c8b5427bc810263c77cfae1_JaffaCakes118.exe	86
PID 640 wrote to memory of 2200	640	213bee731c8b5427bc810263c77cfae1_JaffaCakes118.exe	86
PID 640 wrote to memory of 2200	640	213bee731c8b5427bc810263c77cfae1_JaffaCakes118.exe	86
PID 2200 wrote to memory of 3632	2200	cmd.exe	88
PID 2200 wrote to memory of 3632	2200	cmd.exe	88
PID 2200 wrote to memory of 3632	2200	cmd.exe	88
PID 1820 wrote to memory of 4420	1820	Hacker.com.cn.exe	90
PID 1820 wrote to memory of 4420	1820	Hacker.com.cn.exe	90

C:\Users\Admin\AppData\Local\Temp\213bee731c8b5427bc810263c77cfae1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\213bee731c8b5427bc810263c77cfae1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\qqqqq.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\213BEE~1.EXE
    3⤵
    PID:3632

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
778KB

MD5
8734ea5c9a3482a587bdc2e6f367d3ee

SHA1
108c7808bc9b8f83833635d704238a554cb5ffbc

SHA256
906a812899903c63121b57af45419c8db5c5c14231f4353cfb2c5d6e63b2bdcc

SHA512
47d605fb20a682a922af7c22858d0f0fd5e4c71d53231ab965a516abeee0e67d4b5e78f2cdcaa07f64caebe46d0ecd61b0b39357bfa50b79cab11251d88449c9

Download Submit
C:\qqqqq.bat

Filesize
106B

MD5
92b69180ee2289a72e6984f6389af832

SHA1
d5b3ae9ce0f4c389c3bb23dbff7e7747d8ea05b8

SHA256
a97a9a97c39398683a08d6eb6473f9d5da07ad5e5d42c7c95e6b79dd58190eef

SHA512
1116bcadc9ca91135a754eb486bfd5dfe8cbee947aacecd06c2e95dca44faf0d0026ec8bb47713bcfd65a1186590d3393c1b8ddf2559df6e7a9702e5ba8d83f9

Download Submit
memory/640-0-0x0000000010054000-0x0000000010055000-memory.dmp

Filesize
4KB

Download
memory/640-1-0x0000000010000000-0x000000001006F610-memory.dmp

Filesize
445KB

Download
memory/640-15-0x0000000010000000-0x000000001006F610-memory.dmp

Filesize
445KB

Download
memory/1820-20-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2528-19-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download