7b4be2cfc4f7c1c1310ebbfad20ee0eb9a2f5e46bb1316cc8e2970a9a487ef4b

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 11:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
Size

1.4MB
MD5

2224ac212dc4d07e3e8bdd8743fd98c0
SHA1

98dac7ab3562561695ce2d4fa396624d1e0361b9
SHA256

7b4be2cfc4f7c1c1310ebbfad20ee0eb9a2f5e46bb1316cc8e2970a9a487ef4b
SHA512

c6039603447296952c191a040fafe0b2e9f0ee4c1cb6036d835226eb2988a02638fb7c0f04871327dc4b6bcaa3229b2986b926fbc12cb8560fcf11c8696dc133
SSDEEP

24576:XigY3Z/GQ1/1OxP5JMD/jyaCTNZZOGJJDHp52xSnztnjPzzZpM:QZO3xxJA21XJFpMUPTM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe

Executes dropped EXE 12 IoCs

pid	Process
3860	Windows_NT_ck.EXE
2536	ZCsmss.exe
4316	WINsmss.exe
1340	smss.exe
4224	smss.exe
4672	smss.exe
860	smss.exe
4180	smss.exe
2224	smss.exe
116	smss.exe
3544	smss.exe
4116	smss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	smss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	smss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	smss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	smss.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\netgod\WIN_cke.txt	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\netgod\smss.chm	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\netgod\smss.exe	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\netgod\smss.exe	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\netgod\WINsmss.exe	ZCsmss.exe
File created	C:\Program Files\Common Files\netgod\js	smss.exe
File opened for modification	C:\Program Files\Common Files\netgod\WIN_cke.txt	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\netgod\Windows_NT_ck.EXE	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\netgod\ZCsmss.exe	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kzb	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
File created	C:\Windows\win32.btl	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
File opened for modification	C:\Windows\win32.btl	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	smss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	smss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WINsmss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WINsmss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WINsmss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WINsmss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	smss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	smss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	smss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	smss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WINsmss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	smss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	smss.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3776	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
3776	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
1340	smss.exe
1340	smss.exe
1340	smss.exe
1340	smss.exe
4224	smss.exe
4224	smss.exe
4224	smss.exe
4224	smss.exe
4672	smss.exe
4672	smss.exe
4672	smss.exe
4672	smss.exe
860	smss.exe
860	smss.exe
860	smss.exe
860	smss.exe
4180	smss.exe
4180	smss.exe
4180	smss.exe
4180	smss.exe
2224	smss.exe
2224	smss.exe
2224	smss.exe
2224	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
116	smss.exe
3544	smss.exe
3544	smss.exe
3544	smss.exe
3544	smss.exe
4116	smss.exe
4116	smss.exe
4116	smss.exe
4116	smss.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 3860	3776	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe	80
PID 3776 wrote to memory of 3860	3776	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe	80
PID 3776 wrote to memory of 3860	3776	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe	80
PID 3776 wrote to memory of 2536	3776	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe	81
PID 3776 wrote to memory of 2536	3776	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe	81
PID 3776 wrote to memory of 2536	3776	2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe	81
PID 4316 wrote to memory of 1340	4316	WINsmss.exe	83
PID 4316 wrote to memory of 1340	4316	WINsmss.exe	83
PID 4316 wrote to memory of 1340	4316	WINsmss.exe	83
PID 1340 wrote to memory of 4224	1340	smss.exe	85
PID 1340 wrote to memory of 4224	1340	smss.exe	85
PID 1340 wrote to memory of 4224	1340	smss.exe	85
PID 1340 wrote to memory of 4672	1340	smss.exe	93
PID 1340 wrote to memory of 4672	1340	smss.exe	93
PID 1340 wrote to memory of 4672	1340	smss.exe	93
PID 1340 wrote to memory of 860	1340	smss.exe	94
PID 1340 wrote to memory of 860	1340	smss.exe	94
PID 1340 wrote to memory of 860	1340	smss.exe	94
PID 1340 wrote to memory of 4180	1340	smss.exe	95
PID 1340 wrote to memory of 4180	1340	smss.exe	95
PID 1340 wrote to memory of 4180	1340	smss.exe	95
PID 1340 wrote to memory of 2224	1340	smss.exe	96
PID 1340 wrote to memory of 2224	1340	smss.exe	96
PID 1340 wrote to memory of 2224	1340	smss.exe	96
PID 1340 wrote to memory of 116	1340	smss.exe	97
PID 1340 wrote to memory of 116	1340	smss.exe	97
PID 1340 wrote to memory of 116	1340	smss.exe	97
PID 1340 wrote to memory of 3544	1340	smss.exe	98
PID 1340 wrote to memory of 3544	1340	smss.exe	98
PID 1340 wrote to memory of 3544	1340	smss.exe	98
PID 1340 wrote to memory of 4116	1340	smss.exe	99
PID 1340 wrote to memory of 4116	1340	smss.exe	99
PID 1340 wrote to memory of 4116	1340	smss.exe	99

C:\Users\Admin\AppData\Local\Temp\2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2224ac212dc4d07e3e8bdd8743fd98c0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Program Files\Common Files\netgod\Windows_NT_ck.EXE
  "C:\Program Files\Common Files\netgod\Windows_NT_ck.EXE"
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Program Files\Common Files\netgod\ZCsmss.exe
  "C:\Program Files\Common Files\netgod\ZCsmss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2536

C:\Program Files\Common Files\netgod\WINsmss.exe
"C:\Program Files\Common Files\netgod\WINsmss.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Program Files\Common Files\netgod\smss.exe
  "C:\Program Files\Common Files\netgod\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Program Files\Common Files\netgod\smss.exe
    "C:\Program Files\Common Files\netgod\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4224
- - C:\Program Files\Common Files\netgod\smss.exe
    "C:\Program Files\Common Files\netgod\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4672
- - C:\Program Files\Common Files\netgod\smss.exe
    "C:\Program Files\Common Files\netgod\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:860
- - C:\Program Files\Common Files\netgod\smss.exe
    "C:\Program Files\Common Files\netgod\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4180
- - C:\Program Files\Common Files\netgod\smss.exe
    "C:\Program Files\Common Files\netgod\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2224
- - C:\Program Files\Common Files\netgod\smss.exe
    "C:\Program Files\Common Files\netgod\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:116
- - C:\Program Files\Common Files\netgod\smss.exe
    "C:\Program Files\Common Files\netgod\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3544
- - C:\Program Files\Common Files\netgod\smss.exe
    "C:\Program Files\Common Files\netgod\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\netgod\WIN_cke.txt

Filesize
86B

MD5
d0e9a72869a0c6c7616897f8afb5eaeb

SHA1
877896037376e09049b31b9e9304f89e8492d3ba

SHA256
5e613b43a0cf963c25e860fbbab72d2a1923be75cab4e3d43574f22d48d455a0

SHA512
4cb1ba6c05ca49cf689b61d7956e767ca15d510128807dca04535ad3ca9bae40fc6e484a4b091b7be6fc6837a8f5ee71e4b4dc805cc7042ead0074928d86377d

Download Submit
C:\Program Files\Common Files\netgod\WINsmss.exe

Filesize
414KB

MD5
4e33aa0b5680b8c53b0490e20b5ca11d

SHA1
c5b043ad1606ce12fbf9f51427c4f3213f890fa8

SHA256
cf154d61950dd062d7ac54d21c681d5c3b9e68db4b102a45dbff8ae66abd55c8

SHA512
7bfa3187aca348dff28137d3a6cd07594dd458664327779fe6622ab29443ee67a46cde5784c802c150c39b20a82cb3e6d8a512974f1d001c803be26cf85b7230

Download Submit
C:\Program Files\Common Files\netgod\Windows_NT_ck.EXE

Filesize
42KB

MD5
95b4e517f60ce633f339acf6677d1677

SHA1
d81a2ba705446d79f75fb8a44cb401a039a3eab2

SHA256
32d8e32c69f5eccadd4d4e4847c4fe11ae425f7d755974feb65de95d5ed5ef8a

SHA512
20b655619638cff7b5e331e69537f62f1133f012c09764149e686418c534c8bd7b74cfcbf3d672068a873bff12e4fa27a7559188a2d5e8d36ced5d2fb8d5414d

Download Submit
C:\Program Files\Common Files\netgod\ZCsmss.exe

Filesize
504KB

MD5
838e10c73f2e5218b31baf7b2e2e2cd6

SHA1
24b3f667129f0f8e6d65a4d50f35f3e513607ba3

SHA256
ed6d5d4f385e5f37d46ee641c8d3a502466f8bab579c90bc7a8e1e92c29d9fd4

SHA512
adb5f5e4ebb5c32078df6630967e3a704e7935c3da74d29710ebc84b3441c77642c6abeb9597c7168aaf330151da22b667c65e7b80accd5a96bbfafe6f792839

Download Submit
C:\Program Files\Common Files\netgod\js

Filesize
4B

MD5
1a3aa576dd0f25f110d310cf935d47b9

SHA1
b1c11d2f05d11048091978c7a08cc246ddc744ec

SHA256
38b8c5db41f5490c3ddaf85ade2815af355ff196f2817992a1ab05776b8e4ba3

SHA512
e22a7e52e74b53bb548f6a3bccdec4a75bcbc2fb85ae3ffb0e3d11b2bd8fe1142d1b0b80eda30f58990e7b5dec99007e55a6e6c3ee8241280f94232acb5b1c5c

Download Submit
C:\Program Files\Common Files\netgod\smss.chm

Filesize
33B

MD5
01394833db1743c5bb1782e48da234a5

SHA1
2d896bfdbe4172bbe81640a49114a47a4d703f6f

SHA256
e9ccbff7e06a0d37a2f004078468ee90d8a5c6e34fd25c5a90252162e25690a5

SHA512
ab8da6490c03df9775ec70d719d2a8fa7c59214e247da469476e41daab4a1cf679053621ba126c11a11d2e4334280d24ce0bd9d63a19a88053f55073d6e7dc86

Download Submit
memory/116-65-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/860-49-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1340-32-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1340-36-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2224-60-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2536-26-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3544-71-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/3776-27-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3860-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4116-76-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4180-54-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4224-37-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4316-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4316-25-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4672-43-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download