ff9e2185ba5a2ea17991b95d072e6fab0d14fca400e286fa0f8d6e04b8334b42

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 19:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe
Size

1.2MB
MD5

4b1317a5355040e5e98b0050049c05de
SHA1

56f0b84b53537ed6ae9b6eb44d719c795e1c3d35
SHA256

ff9e2185ba5a2ea17991b95d072e6fab0d14fca400e286fa0f8d6e04b8334b42
SHA512

0f233a7f4c3e4d5d21022a064707484d2126dbf2821de340248d7efa92636514ea5f8822a90db36f7b39f930ea1d36a5ac177da50aa82ac52e14c22548cac44a
SSDEEP

24576:sSPTjARS0o/8z1+s2G15yFbQFWk0RSU9VD6m14Z:skTsA+1x2G182F89t/1

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1004	KXW.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KXW Start = "C:\\Windows\\SysWOW64\\SXOTKK\\KXW.exe"	KXW.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SXOTKK\KXW.004	4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SXOTKK\KXW.001	4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SXOTKK\KXW.002	4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SXOTKK\AKV.exe	4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SXOTKK\KXW.exe	4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 1004	3452	4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe	86
PID 3452 wrote to memory of 1004	3452	4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe	86
PID 3452 wrote to memory of 1004	3452	4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b1317a5355040e5e98b0050049c05de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\SysWOW64\SXOTKK\KXW.exe
  "C:\Windows\system32\SXOTKK\KXW.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SXOTKK\AKV.exe

Filesize
500KB

MD5
5a45ea24cce078dcf28664856734565d

SHA1
7e38e0649eae4b0f382c182d0483d9e4c0be26fa

SHA256
385f990c5fb25dc42a5f5a1128c8d20b9956a0790461c62c56607600c8ba7d5a

SHA512
7c466effc080db3c082a3a81cd22a1ee039104ebc9588921124490ceab84b2d5c1b1f4f82dfba95114661311276448297946296b2c4ad9d55cee2e3b710c12e5

Download Submit
C:\Windows\SysWOW64\SXOTKK\KXW.001

Filesize
69KB

MD5
c7fbfdd2d7ded71b4b6281efa26eeede

SHA1
f2f31ff2fab0c96ce978543ec741c6c82dfb7dbc

SHA256
f06fc708de125585f9bfb0c768e1d76f24b6e888875aafdc8c2b670663492737

SHA512
768cd3f899c7d68b426a5bcb5befd4570032ded9a40ceb0cbde618c23016c59e32b03b6b6963b207f7e58621fca2e3ea6d144c1457f69a0b9ef94ed03e83d041

Download Submit
C:\Windows\SysWOW64\SXOTKK\KXW.002

Filesize
54KB

MD5
e7879e2f301a885bb46ec1782a6d6278

SHA1
1aa00ac15c7748432b448be0f8a0d760222024bd

SHA256
9a65b644da2a50ebebaab51c46e8748587d08aaad64102c3df19d996d12dfcef

SHA512
7aa02f3bc0e87ea1afb0b42664891e5198b38796b3fac0deaeff0e92c59892b8a5b985e5d834c713868818a1be6f82cebabab1ac79a286f88c1d57452143a8ed

Download Submit
C:\Windows\SysWOW64\SXOTKK\KXW.004

Filesize
1KB

MD5
9a6a6d29d56b7c15749a769b08af9657

SHA1
c2cf4527f0d70f5baa6f3938762ecaa96d21cd84

SHA256
cb8bffe544cbe0a92395a063f5ca65e3622012c8df0df4f696b6ad98bc1ac6a0

SHA512
73b3222bce02b9705aab6461fc931c3d791e63bfae3e4f113a14b34f70e98f9f713a3ea53f8423329892ab338ef60c912bb7481e75b677f70c63ea1df3bef9be

Download Submit
C:\Windows\SysWOW64\SXOTKK\KXW.exe

Filesize
1.7MB

MD5
e4bb483573e6bc82f09578f0b48324a5

SHA1
9a60cf20d832af49fb8ae6c484d0f39028d93d04

SHA256
30b3f04eb8b0820b33c8bc50c159ade06a4a29e4361f917b13bdd9323f4a3127

SHA512
8461aefddde57e467601928789f301c0c5bc42e7c7e4aaaf2dcb7ac6a2aea0d5be51db3daf6c9b11f1d78304de72ae8cf71dd8697d636db4f1767a8f8c6ab35b

Download Submit
memory/1004-16-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1004-17-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads