f0cccead9c7b601d53c2898a5a78b75f7697a09bb999df05569656aa10a6e769

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
Size

287KB
MD5

4abae2b952a10dd442eef4ea4fa9015f
SHA1

8bd1cbf7d6699e9e36938345b5635aff4f601f12
SHA256

f0cccead9c7b601d53c2898a5a78b75f7697a09bb999df05569656aa10a6e769
SHA512

af4c28d62efde7e9af3df50f9eb5eed2f2c9d5d2593e3cc8513a7ba0b3b6f7d10c11d7033c51595efc73c81d0b366578c9f9db17a192b09e4ab402d71a65c787
SSDEEP

6144:bH1JN0LUy75+ZPPfnE2Qyn2SyIilK9Xy61Bt4g75+ZPPfnE2Qyn20Ur:T1f4F+ZPPfnEUnydYugF+ZPPfnEUnI

Score

7^/10

discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002350b-57.dat	acprotect
behavioral2/memory/3704-60-0x0000000073580000-0x0000000073589000-memory.dmp	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4448	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
4996	IETab.exe

Loads dropped DLL 12 IoCs

pid	Process
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3704-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000800000002350b-57.dat	upx
behavioral2/memory/3704-60-0x0000000073580000-0x0000000073589000-memory.dmp	upx
behavioral2/memory/3704-74-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IETab = "C:\\Program Files (x86)\\IETab\\IETab.exe"	IETab.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3704 set thread context of 4448	3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe	88

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IETab\IETab.exe	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
File created	C:\Program Files (x86)\IETab\Uninstall.exe	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4996	IETab.exe
4996	IETab.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 4996	3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe	86
PID 3704 wrote to memory of 4996	3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe	86
PID 3704 wrote to memory of 4996	3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe	86
PID 3704 wrote to memory of 4448	3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe	88
PID 3704 wrote to memory of 4448	3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe	88
PID 3704 wrote to memory of 4448	3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe	88
PID 3704 wrote to memory of 4448	3704	4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe	88
PID 4996 wrote to memory of 1276	4996	IETab.exe	89
PID 4996 wrote to memory of 1276	4996	IETab.exe	89
PID 4996 wrote to memory of 1276	4996	IETab.exe	89

C:\Users\Admin\AppData\Local\Temp\4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4abae2b952a10dd442eef4ea4fa9015f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Program Files (x86)\IETab\IETab.exe
  "C:\Program Files (x86)\IETab\IETab.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\IETab\IETab.dll"
    3⤵
    PID:1276
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IETab\IETab.exe

Filesize
102KB

MD5
d4d3eaf1936ba7bc33c9915a9d15443b

SHA1
17a662a957539473dd73b494248cf538e1a1736b

SHA256
5e4beb7e70af6f40217db1869da66458e1fedb5452dfafa1985384615876b1ea

SHA512
eb99e6d9db330e43cf0e0c143a071ee2bc809485c44098fb740583d037b7ab177992fdb7c5a0ead75951625966bf2c03038178102654da326a7fc125b3abaa95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\SelfDel.dll

Filesize
4KB

MD5
7cff7fe2caea5184d98c147e7e263132

SHA1
21f39d3d0dd5f7198d67ef30e95d10ae3460093e

SHA256
281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101

SHA512
fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\UAC.dll

Filesize
13KB

MD5
29858669d7da388d1e62b4fd5337af12

SHA1
756b94898429a9025a04ae227f060952f1149a5f

SHA256
c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

SHA512
6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/3704-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3704-44-0x0000000002F50000-0x0000000002F76000-memory.dmp

Filesize
152KB

Download
memory/3704-60-0x0000000073580000-0x0000000073589000-memory.dmp

Filesize
36KB

Download
memory/3704-74-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4448-75-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download