65c070674f6e95dc8bbc95d3bda7c6af3924cc1366d99dfcd3e7ce0959b2d758

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 05:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe
Size

10KB
MD5

4056b919366ea6a51c5e9069f8472091
SHA1

c7ce6debc93e42d90756b9be5236d93acdde0cf9
SHA256

65c070674f6e95dc8bbc95d3bda7c6af3924cc1366d99dfcd3e7ce0959b2d758
SHA512

988f8df472f5578ab9d7446fef14b1018806f4860e128832d15c95ac62071a01ac489f853676e9df4052ee668fe7b7b84ce16cd751fce330ef6bc2d03eda97d1
SSDEEP

192:xmGWV65YDUC3s6zNVa0AwuvC0uUxQuhCFaNJhLkwcud2DH9VwGfctdk:xmUWDUCckVa5aTshmaNJawcudoD7Uo

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	7DBB.tmp

Executes dropped EXE 1 IoCs

pid	Process
1304	7DBB.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4816-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/4816-8-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsft = "C:\\WINDOWS\\sys32.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1536	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 1304	4816	4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe	83
PID 4816 wrote to memory of 1304	4816	4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe	83
PID 4816 wrote to memory of 1304	4816	4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe	83
PID 1304 wrote to memory of 4384	1304	7DBB.tmp	87
PID 1304 wrote to memory of 4384	1304	7DBB.tmp	87
PID 1304 wrote to memory of 4384	1304	7DBB.tmp	87
PID 4384 wrote to memory of 1536	4384	cmd.exe	89
PID 4384 wrote to memory of 1536	4384	cmd.exe	89
PID 4384 wrote to memory of 1536	4384	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\7DBB.tmp
  C:\Users\Admin\AppData\Local\Temp\7DBB.tmp C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Microsft /t REG_SZ /d C:\WINDOWS\sys32.exe
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:1536

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7DBB.tmp

Filesize
14KB

MD5
62bd906746e687180e6f496af2c74ba7

SHA1
c612dd94178b053ea120520a936131e0afb22390

SHA256
4225c5b7115c7a2f8c08cbfdf8cd0a8b28952a602f13580d674762d7b551054d

SHA512
4d9670448f4f574d22aa3139423d71921d368b755039563f063db3e703eb68fa1f85e2ddf8d5b1b72c6a1e8fe6eb94cfa28f943a212ccef4781ca0095cf0e67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
603B

MD5
e60896801e4777d71d000ec92507ab3b

SHA1
981e124730dc0f8a47cdbcc9a56af060a8d2b604

SHA256
a613337197cf51b0c48863891dedbc77608bed802cbb036393be82982e598ca0

SHA512
9a879e8b2cdd05581b27a9ba8cbae6eb2e5a770cc39987e2e135790ea70613f67e0f6dea27c1318e862b250eb51772ad10f8cfbb253db6fd62fe5f6275f295ee

Download Submit
memory/1304-4-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1304-12-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4816-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4816-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.