9dd2ebe0457217be185a81c7acccc36b605660676a19776743ecf566292c1618

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 09:47

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe
Size

184KB
MD5

62bc291e3e45b6f48a745519e33e3b64
SHA1

e7180c6ab49a05ed0c0990381d834b4907251ec6
SHA256

9dd2ebe0457217be185a81c7acccc36b605660676a19776743ecf566292c1618
SHA512

aa9ddd1fa7f95414103f6a29133d28cc27f07235d227d39c921c177b8bfc3d0bbbe35dd4cdee19ae1c452e6d2141d8364971c305e6cce21dcc6188dad8655a97
SSDEEP

3072:vp8Ty6kYWzKL2QIyZZfsSYDTkHe0HOUpOtJgA63WRaVVG6oFN0SuzjrRQQKR:hEWzq2bAZfsSYDTse0wz23WMVppzBQQO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	inl8927.tmp

Executes dropped EXE 4 IoCs

pid	Process
1504	inl8927.tmp
3496	lieC97C.tmp
1100	kilF3B9.tmp
1172	lanmam.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wbem\fxsst.dll	inl8927.tmp
File created	C:\Windows\SysWOW64\wbem\FXSAPI.dll	inl8927.tmp

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\temp0\gg.exe	kilF3B9.tmp
File opened for modification	C:\Program Files\temp0\gg.exe	kilF3B9.tmp
File created	C:\Program Files (x86)\LiveMeeting\rarExts32.dat	inl8927.tmp
File created	C:\Program Files\iexplore.exe	lieC97C.tmp
File opened for modification	C:\Program Files\iexplore.exe	lieC97C.tmp
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	lieC97C.tmp
File created	\??\c:\Program Files\lanmam.exe	kilF3B9.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4360	1100	WerFault.exe	115

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000b00000002347a-120.dat	nsis_installer_2

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "227"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1504	inl8927.tmp
1504	inl8927.tmp
1100	kilF3B9.tmp
1100	kilF3B9.tmp
1100	kilF3B9.tmp
1100	kilF3B9.tmp
1100	kilF3B9.tmp
1100	kilF3B9.tmp

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe
Token: SeShutdownPrivilege	1504	inl8927.tmp
Token: SeIncBasePriorityPrivilege	1504	inl8927.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3308	LogonUI.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 2068	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	87
PID 4940 wrote to memory of 2068	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	87
PID 4940 wrote to memory of 2068	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	87
PID 4940 wrote to memory of 4616	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	89
PID 4940 wrote to memory of 4616	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	89
PID 4940 wrote to memory of 4616	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	89
PID 4940 wrote to memory of 2620	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	90
PID 4940 wrote to memory of 2620	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	90
PID 4940 wrote to memory of 2620	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	90
PID 4940 wrote to memory of 2132	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	92
PID 4940 wrote to memory of 2132	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	92
PID 4940 wrote to memory of 2132	4940	62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe	92
PID 4616 wrote to memory of 4116	4616	cmd.exe	94
PID 4616 wrote to memory of 4116	4616	cmd.exe	94
PID 4616 wrote to memory of 4116	4616	cmd.exe	94
PID 2620 wrote to memory of 5076	2620	cmd.exe	95
PID 2620 wrote to memory of 5076	2620	cmd.exe	95
PID 2620 wrote to memory of 5076	2620	cmd.exe	95
PID 2068 wrote to memory of 1504	2068	cmd.exe	97
PID 2068 wrote to memory of 1504	2068	cmd.exe	97
PID 2068 wrote to memory of 1504	2068	cmd.exe	97
PID 1504 wrote to memory of 3736	1504	inl8927.tmp	106
PID 1504 wrote to memory of 3736	1504	inl8927.tmp	106
PID 1504 wrote to memory of 3736	1504	inl8927.tmp	106
PID 3736 wrote to memory of 3496	3736	cmd.exe	108
PID 3736 wrote to memory of 3496	3736	cmd.exe	108
PID 3736 wrote to memory of 3496	3736	cmd.exe	108
PID 1504 wrote to memory of 1608	1504	inl8927.tmp	113
PID 1504 wrote to memory of 1608	1504	inl8927.tmp	113
PID 1504 wrote to memory of 1608	1504	inl8927.tmp	113
PID 1608 wrote to memory of 1100	1608	cmd.exe	115
PID 1608 wrote to memory of 1100	1608	cmd.exe	115
PID 1608 wrote to memory of 1100	1608	cmd.exe	115
PID 1100 wrote to memory of 1172	1100	kilF3B9.tmp	119
PID 1100 wrote to memory of 1172	1100	kilF3B9.tmp	119
PID 1100 wrote to memory of 1172	1100	kilF3B9.tmp	119
PID 1100 wrote to memory of 4772	1100	kilF3B9.tmp	120
PID 1100 wrote to memory of 4772	1100	kilF3B9.tmp	120
PID 1100 wrote to memory of 4772	1100	kilF3B9.tmp	120
PID 1504 wrote to memory of 2904	1504	inl8927.tmp	131
PID 1504 wrote to memory of 2904	1504	inl8927.tmp	131
PID 1504 wrote to memory of 2904	1504	inl8927.tmp	131

C:\Users\Admin\AppData\Local\Temp\62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62bc291e3e45b6f48a745519e33e3b64_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\inl8927.tmp
    C:\Users\Admin\AppData\Local\Temp\inl8927.tmp amd-k5p4g.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Users\Admin\AppData\Local\Temp\lieC97C.tmp
        
        C:\Users\Admin\AppData\Local\Temp\lieC97C.tmp
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\kilF3B9.tmp
        
        C:\Users\Admin\AppData\Local\Temp\kilF3B9.tmp
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 268
        6⤵
        Program crash
        
        PID:4360
      - \??\c:\Program Files\lanmam.exe
        
        "c:\Program Files\lanmam.exe"
        6⤵
        Executes dropped EXE
        
        PID:1172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
        6⤵
        
        PID:4772
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl8927.tmp > nul
      4⤵
      PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:4116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
    3⤵
    - Drops file in Windows directory
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\62BC29~1.EXE > nul
  2⤵
  PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1100 -ip 1100
1⤵
PID:2536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3918855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\lanmam.exe

Filesize
10.3MB

MD5
5ba04691a58be32b2d7aa8a0a4971c83

SHA1
ec60d4f28473af997dbea89e3826dd777399d5aa

SHA256
6c28cc15a1a983528c740de15d9b515e64666ea2704220046f2a1c77862428c4

SHA512
0fb18e9ce270e6ee2c1ad4bd4dd13ee89c7252cf8459a4de4888bdfbd087393cccf0385fbf2efcf4c944bc7eb700e5c95819a262703069b949ed0455b09d9d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
9a7913f7d43e9ed9c1d356aa4b67dba0

SHA1
a0dcdedc4af90915c549ad06334b68239250f91f

SHA256
94e4e057e2b806bec5373ac4650a6e4b62c1e39174223b0a6d1594b3418c5451

SHA512
b87e929dd173876972159031e71fee4530ce9476a479fbe1067061aac03b08795d41013465c001f34746912688b6140b6ab6da35e494227791ae19cf481f32ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\amd-k5p4g.tmp

Filesize
762B

MD5
0a2553f4124abf2bbcabebbc351e854d

SHA1
f711f372d5eb8923a070d90ac987430286e443b1

SHA256
7668062e8620f463bc3e393f8f733626dec0181af5b95edeaa4ba3bc5c4cdf63

SHA512
0e0a22bff586569ea85efc3a67f719309adb052b5a83218cdad120c45b0cb1ed338c026ca2bba145074beb09777f2068231c94b895253edadbf6f30625d192c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
59B

MD5
1f724e7b301dc445819c68fc4c018b11

SHA1
2f305b3c0f89bf20b77bfb9f8b4c8d09c39ce8bc

SHA256
98fe984e0ef2c57cd79689c9efb4d26a236774dcb6f71da51b3c458efd3158e5

SHA512
3747e90a63f32db6ec30df65139df6fbb89cadf144b46c76af9466edb1e3303ccaf2cf3289e8365cafaed098342fd778fee1702f51ef4bad669e47dd7fae6620

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat

Filesize
45B

MD5
6850c8abd71db14d768b788167421754

SHA1
ebc1b343d95f5f9d30c0be95afad5468b8327d21

SHA256
c48c280171b2f4b8492558a50ba5b7b08256619470bfa7c220a41068f8ce6d3f

SHA512
c30c944d6e2d3c676c97b525d737dda0c436d6388d65152cef8e26b5461a3f0420ff16d74d1f03865ecb81ec6badcbfa80b0dc729ceab5388f68d518dbd8eb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat

Filesize
45B

MD5
a99316ad9e40a4f101122e5635580ccd

SHA1
24a61d2478ac2c18b1c390b6f28d92951e91fb24

SHA256
6707d20ca22bb1672cae84db9a1d841b40fcfc0ee721adfc313733cdd5b69711

SHA512
b02e1fe914dd09b8f16dd027b516b53147084e20364abb6599dd50c02151c05eb6916f02381657431e89de5845dcd4c6d125ed33b19816560ede9bdc106f8d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat

Filesize
94B

MD5
d5fc3a9ec15a6302543438928c29e284

SHA1
fd4199e543f683a8830a88f8ac0d0f001952b506

SHA256
b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

SHA512
4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
167KB

MD5
9e1fb0f6af1ab9403ef4645067d22abb

SHA1
d48faf1dba713d045d0baa611bde6b4e65286779

SHA256
7299a2559fb7fb62816f935f22f1008a8fe59f34232187e313c022f7f11502e6

SHA512
8ec6a981c172912a87baee7128baeb21ba507153167c2c4eb4d312e953312c2da8130a2faf55fd93fb2c201e1d08c39705966a9513ee08fc2b2aaf15ae217e79

Download Submit
\??\c:\users\admin\appdata\local\temp\desktop_url.cab

Filesize
478B

MD5
014cbee9a56b715b40bf1f4f138a98f8

SHA1
1cface858e3fa5ab70aa475643e02f9bf4631f79

SHA256
56d7c37ccf304bb7c28297e70673c8ac5033d98df1bd4b943ae3473cb030398c

SHA512
89e3a135a65a79473d13bc1ef868be5f972caa68c4eac62a82b84de40df0e0fd7c1849c890a2b9be9f1f108877de630c65cdcd07335daf47b48be869c5f0ae60

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/1100-116-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1100-124-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1504-68-0x0000000000190000-0x0000000000193000-memory.dmp

Filesize
12KB

Download
memory/1504-70-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1504-100-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1504-101-0x0000000000190000-0x0000000000193000-memory.dmp

Filesize
12KB

Download
memory/1504-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1504-67-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3496-96-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3496-99-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4940-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4940-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4940-25-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/4940-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download