0a1bd02db78f99cc90cd8bf29e0d6a90383c5554e5c697145a08edbed1e3fdd5

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231a24d4ed8f62711f00f3fa44be5abe_JaffaCakes118.exe
Size

119KB
MD5

231a24d4ed8f62711f00f3fa44be5abe
SHA1

41b214d0ed0809e329f71a2862160ecb52a0da5c
SHA256

0a1bd02db78f99cc90cd8bf29e0d6a90383c5554e5c697145a08edbed1e3fdd5
SHA512

6164efc8bdff3356f4e16b679f1ea0ac0d32ab11d8b766974c3817b7f0b34fe4488a623ec0fad5df609760170bdec15da8a06d0f58d2ee7c5fec5cf371a2a9aa
SSDEEP

3072:hi9LGd2q6kfXlS5S5dV8kkzxva1glin3hMIfo49UUaRkc9:sNO+kfXOTPtC1jnOCuJ

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	permeb.exe

Executes dropped EXE 2 IoCs

pid	Process
3688	Mympc.EXE
2400	permeb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	231a24d4ed8f62711f00f3fa44be5abe_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program files\MSDN\LHL13.sys	permeb.exe
File created	C:\Program files\MSDN\000000001	permeb.exe
File opened for modification	C:\Program files\MSDN\000000001	permeb.exe
File created	C:\Program files\MSDN\hehex.sys	permeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3688	Mympc.EXE
3688	Mympc.EXE
3688	Mympc.EXE
3688	Mympc.EXE
2400	permeb.exe
2400	permeb.exe
2400	permeb.exe
2400	permeb.exe
2400	permeb.exe
2400	permeb.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	Mympc.EXE
Token: SeDebugPrivilege	2400	permeb.exe
Token: SeDebugPrivilege	2400	permeb.exe
Token: SeDebugPrivilege	2400	permeb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 3688	1008	231a24d4ed8f62711f00f3fa44be5abe_JaffaCakes118.exe	83
PID 1008 wrote to memory of 3688	1008	231a24d4ed8f62711f00f3fa44be5abe_JaffaCakes118.exe	83
PID 1008 wrote to memory of 3688	1008	231a24d4ed8f62711f00f3fa44be5abe_JaffaCakes118.exe	83
PID 1008 wrote to memory of 2400	1008	231a24d4ed8f62711f00f3fa44be5abe_JaffaCakes118.exe	85
PID 1008 wrote to memory of 2400	1008	231a24d4ed8f62711f00f3fa44be5abe_JaffaCakes118.exe	85
PID 1008 wrote to memory of 2400	1008	231a24d4ed8f62711f00f3fa44be5abe_JaffaCakes118.exe	85
PID 2400 wrote to memory of 4596	2400	permeb.exe	86
PID 2400 wrote to memory of 4596	2400	permeb.exe	86
PID 2400 wrote to memory of 4596	2400	permeb.exe	86
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57
PID 2400 wrote to memory of 3436	2400	permeb.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\231a24d4ed8f62711f00f3fa44be5abe_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\231a24d4ed8f62711f00f3fa44be5abe_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mympc.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mympc.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\permeb.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\permeb.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c time 16:50:00
      4⤵
      PID:4596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t.bat" "
      4⤵
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSDN\000000001

Filesize
8KB

MD5
7b1d01fad8b247b3d47db3a9f05c86d3

SHA1
f825fb0a29c019189866dad0e8b1ac0101523101

SHA256
459f3980be19ae8ed7bdb0c859a7514d42deeac0c2e39b639d433852a7fea3a5

SHA512
6717ea9a47de71d0f3d9ce6d6a5572c704fec609ef38bc4106006c4ec4a42d1ba16182db3522627e677b3e140007297c8c77bf55f4d733188996d4adac73c43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mympc.EXE

Filesize
54KB

MD5
979808206cfa455cd32111ab8ca4f4b9

SHA1
20c034ecaaafa703106d798d6df4d6f57bfc2000

SHA256
5c663c657cfe604adc342d5eb4c6919584826e4adc0503634397bb38f40d54a5

SHA512
2ef25f0fdd0257a27b6d3626c8820686fcac948f73ddd4cc6a998d363868f1d6ed22f452d4b0bec5aaa965fb89817d7dce83486952fb7a2593b73c352b28dcc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\permeb.exe

Filesize
35KB

MD5
85ed22654fc8bcc661c11b3ccf81568d

SHA1
71da527055d50f463a0c2d9092f7857ab86f21c9

SHA256
b79bbb862df478e1907bb93da375c746520ceb155f556dc449216ebb8ea1568e

SHA512
1c795289d3bb82ef208f63dbb5dd838a5d945aa22b706671e9bd47652156a064a61c48e8cc59ef9e21fa308d6d90dd92be76925d232a112798c3433b635a7e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.bat

Filesize
158B

MD5
f9b6b110827f448834c151c807aff2bc

SHA1
384fdc6f42be00e28a94ed40e0b2cd5ed0186dd4

SHA256
dd4d6d606113368130d6bec71b14eea5173d3b21b960c05bdacbbad7221b74b0

SHA512
25653a90fa023114f1e62df26edf2f2b3198fa9f5a7e5c7d70fa617972f2352cf1c29e51c137df132e1b5c3149233dbf4fb4a477adc7093f243590e19e68b9fb

Download Submit
memory/2400-13-0x0000000002090000-0x0000000002095000-memory.dmp

Filesize
20KB

Download
memory/2400-14-0x0000000002090000-0x0000000002095000-memory.dmp

Filesize
20KB

Download
memory/3688-6-0x0000000000A40000-0x0000000000A53000-memory.dmp

Filesize
76KB

Download
memory/3688-8-0x0000000000A40000-0x0000000000A53000-memory.dmp

Filesize
76KB

Download