3c8e27839fdb996fb19bec6e9ea1e811b18325c900e3e54aef49b372e431e04a

Analysis

max time kernel
142s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cb3891ed44b490fbf70749d9bc64054_JaffaCakes118.exe
Size

1.3MB
MD5

5cb3891ed44b490fbf70749d9bc64054
SHA1

6d812012b11befd895e5dc3f940f0c74d5b32f94
SHA256

3c8e27839fdb996fb19bec6e9ea1e811b18325c900e3e54aef49b372e431e04a
SHA512

2b6d33ccd02c002a267b7fdb8aba3680a8f3643231ef7e965ad307bdfd59557ce15cc136dae63511892a19ba53dcaadff0941e64064c10a0ebe098c078b7a1e5
SSDEEP

24576:7bY8FhHqHGruiiNI888kpdG42kCj62b0IBq3uDiB98pP:vJYHcAIggKkCjFgL+e8pP

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\isass.exe = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\isass.exe = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\isass.exe = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5cb3891ed44b490fbf70749d9bc64054_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 3 IoCs

pid	Process
1608	setup.exe
1984	isass.exe
4020	multi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
5116	reg.exe
4340	reg.exe
764	reg.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2636	5cb3891ed44b490fbf70749d9bc64054_JaffaCakes118.exe
2636	5cb3891ed44b490fbf70749d9bc64054_JaffaCakes118.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe
1608	setup.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1608	setup.exe
Token: SeIncBasePriorityPrivilege	1608	setup.exe
Token: SeIncBasePriorityPrivilege	1608	setup.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1608	2636	5cb3891ed44b490fbf70749d9bc64054_JaffaCakes118.exe	87
PID 2636 wrote to memory of 1608	2636	5cb3891ed44b490fbf70749d9bc64054_JaffaCakes118.exe	87
PID 2636 wrote to memory of 1608	2636	5cb3891ed44b490fbf70749d9bc64054_JaffaCakes118.exe	87
PID 1608 wrote to memory of 1984	1608	setup.exe	88
PID 1608 wrote to memory of 1984	1608	setup.exe	88
PID 1608 wrote to memory of 1984	1608	setup.exe	88
PID 1608 wrote to memory of 3112	1608	setup.exe	89
PID 1608 wrote to memory of 3112	1608	setup.exe	89
PID 1608 wrote to memory of 3112	1608	setup.exe	89
PID 3112 wrote to memory of 3184	3112	cmd.exe	91
PID 3112 wrote to memory of 3184	3112	cmd.exe	91
PID 3112 wrote to memory of 3184	3112	cmd.exe	91
PID 3184 wrote to memory of 5116	3184	cmd.exe	92
PID 3184 wrote to memory of 5116	3184	cmd.exe	92
PID 3184 wrote to memory of 5116	3184	cmd.exe	92
PID 1608 wrote to memory of 4020	1608	setup.exe	93
PID 1608 wrote to memory of 4020	1608	setup.exe	93
PID 1608 wrote to memory of 4020	1608	setup.exe	93
PID 1608 wrote to memory of 2856	1608	setup.exe	94
PID 1608 wrote to memory of 2856	1608	setup.exe	94
PID 1608 wrote to memory of 2856	1608	setup.exe	94
PID 2856 wrote to memory of 516	2856	cmd.exe	97
PID 2856 wrote to memory of 516	2856	cmd.exe	97
PID 2856 wrote to memory of 516	2856	cmd.exe	97
PID 516 wrote to memory of 4340	516	cmd.exe	98
PID 516 wrote to memory of 4340	516	cmd.exe	98
PID 516 wrote to memory of 4340	516	cmd.exe	98
PID 1608 wrote to memory of 3964	1608	setup.exe	99
PID 1608 wrote to memory of 3964	1608	setup.exe	99
PID 1608 wrote to memory of 3964	1608	setup.exe	99
PID 3964 wrote to memory of 2696	3964	cmd.exe	101
PID 3964 wrote to memory of 2696	3964	cmd.exe	101
PID 3964 wrote to memory of 2696	3964	cmd.exe	101
PID 2696 wrote to memory of 764	2696	cmd.exe	102
PID 2696 wrote to memory of 764	2696	cmd.exe	102
PID 2696 wrote to memory of 764	2696	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\5cb3891ed44b490fbf70749d9bc64054_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5cb3891ed44b490fbf70749d9bc64054_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\isass.exe
    "C:\Users\Admin\AppData\Local\isass.exe"
    3⤵
    - Executes dropped EXE
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c syscheck.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V isass.exe /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V isass.exe /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Adds policy Run key to start application
        Modifies registry key
        
        PID:5116
- - C:\Users\Admin\AppData\Local\multi.exe
    "C:\Users\Admin\AppData\Local\multi.exe"
    3⤵
    - Executes dropped EXE
    PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c syscheck.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V isass.exe /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:516
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V isass.exe /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Adds policy Run key to start application
        Modifies registry key
        
        PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c syscheck.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V isass.exe /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V isass.exe /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Adds policy Run key to start application
        Modifies registry key
        
        PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\multi.ini

Filesize
294B

MD5
40aa85e29ce2f20a3d819c18c1311567

SHA1
66e719af022ad7aa1cab184c143483ec53541c37

SHA256
e7b6c9ce836ef5bf0ae2cb0d376085ee80897f54d67b0ca9223825756837ed2f

SHA512
1489902def7131e81376225b7e5627eddc5c656a9a4516a116fa0ffdaf9ff0b5593f2cc6cc1884e4b9f165e2eb855f94775f056dab3731b6255d256352062272

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1.2MB

MD5
c20e871f96114bd7334208c7d9b9e050

SHA1
e56a0f87da5e982cd5d50aaa251527edb6a0fa12

SHA256
3d4048cf61a79fdf855f7f7537771335fdd6a7a3a4670ee7cdbe3d9e423bb47c

SHA512
e762a886cba53bacddb65df75612938e03def85ed448c67796e195e98589c0dc75771734489de51db2218ea4e50a495323e3de72a64159bb9be4e59a609151b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
168B

MD5
d3f3c14a20d4537a8287dfeeef397416

SHA1
ac0f75053a5e72ee49eb570892f5a93efb06bfbd

SHA256
589427c9fab1d3e2518f02c3186faf4dbcdbf3d741c7cdcac745b8935b768da5

SHA512
04254a19c3f587d1f7f6dbe72e9c55b2bd40451e42244d49b7d14750bf2484e726dfcb7597ffd32c6d90610b0e5ed162ff5ce59973f232f9a45e1b1feab923dd

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
416KB

MD5
3fd59fdf70ede4c49c947492bf07fe94

SHA1
dea7ef86710d87607efa132a41da197ca6cd187f

SHA256
6f4bf976afbabcd6748ce67a24de0e0bd3fe66dd6167a3c0614faf28d2eccee3

SHA512
8304f467527eebeb68b3b88515c2edb9d9fdbae1c9d880a76d8e44094305451677ee102d48850ee8c15e2cc699f6331e53e543f7d440a844e558ca8e77fb9f07

Download Submit
C:\Users\Admin\AppData\Local\multi.exe

Filesize
19KB

MD5
cd6c1339054ea66e67b3290a6e93c333

SHA1
a38f9ba70cca8aa96466e597fd240397553f7ba9

SHA256
2c95637cc1390ddf16c9a353ca0dad310afbab96e0c8a22d6b58053f01218639

SHA512
43c3cd783e0cfc9d96449c30a0e788dbbb423c4d1d8e134dc71a40fa9a076f6bdc1bd1d53e1ce15fbf06d58d30fd20337919093f20ebe82aae217bcc1cafff26

Download Submit
memory/1608-10-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1608-59-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/1984-20-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1984-60-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1984-61-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2636-8-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download