e157f424e315ee7d79218c7f756e9f4c05ee8817bb456fb35778db89e44e6dbb

Analysis

max time kernel
139s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63392ca1f784764ddbb4e9435f716281_JaffaCakes118.exe
Size

119KB
MD5

63392ca1f784764ddbb4e9435f716281
SHA1

e307418c7d8cc4e92ffe940404f5c7cd10a4479c
SHA256

e157f424e315ee7d79218c7f756e9f4c05ee8817bb456fb35778db89e44e6dbb
SHA512

d05187aec6877826ac32331a89190ee62705b03be5d7363856e157cec8d23c0c623a7d169656654297750630bf60ed42ab78c8b1e6608b383639efdb1235c011
SSDEEP

3072:Ei9LGd2q6kfXlSlY5dQ8kkzxva1Clin31o49UUaRyc9:VNO+kfXymPtC1VnluJ

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	TEMELL.exe

Executes dropped EXE 2 IoCs

pid	Process
4292	IMJECDY.EXE
856	TEMELL.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	63392ca1f784764ddbb4e9435f716281_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program files\MSDN\LHL13.sys	TEMELL.exe
File created	C:\Program files\MSDN\000000001	TEMELL.exe
File opened for modification	C:\Program files\MSDN\000000001	TEMELL.exe
File created	C:\Program files\MSDN\hehex.sys	TEMELL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4292	IMJECDY.EXE
4292	IMJECDY.EXE
4292	IMJECDY.EXE
4292	IMJECDY.EXE
856	TEMELL.exe
856	TEMELL.exe
856	TEMELL.exe
856	TEMELL.exe
856	TEMELL.exe
856	TEMELL.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	IMJECDY.EXE
Token: SeDebugPrivilege	856	TEMELL.exe
Token: SeDebugPrivilege	856	TEMELL.exe
Token: SeDebugPrivilege	856	TEMELL.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4292	1080	63392ca1f784764ddbb4e9435f716281_JaffaCakes118.exe	84
PID 1080 wrote to memory of 4292	1080	63392ca1f784764ddbb4e9435f716281_JaffaCakes118.exe	84
PID 1080 wrote to memory of 4292	1080	63392ca1f784764ddbb4e9435f716281_JaffaCakes118.exe	84
PID 1080 wrote to memory of 856	1080	63392ca1f784764ddbb4e9435f716281_JaffaCakes118.exe	86
PID 1080 wrote to memory of 856	1080	63392ca1f784764ddbb4e9435f716281_JaffaCakes118.exe	86
PID 1080 wrote to memory of 856	1080	63392ca1f784764ddbb4e9435f716281_JaffaCakes118.exe	86
PID 856 wrote to memory of 3440	856	TEMELL.exe	87
PID 856 wrote to memory of 3440	856	TEMELL.exe	87
PID 856 wrote to memory of 3440	856	TEMELL.exe	87
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56
PID 856 wrote to memory of 3556	856	TEMELL.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\63392ca1f784764ddbb4e9435f716281_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\63392ca1f784764ddbb4e9435f716281_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IMJECDY.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IMJECDY.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TEMELL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TEMELL.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c time 12:33:00
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t.bat" "
      4⤵
      PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSDN\000000001

Filesize
8KB

MD5
7dde7c2735c905f3c3af04a3b2be04b8

SHA1
1021754f763fe53358112affea64668eb2d2dbcd

SHA256
64bfbff18e448bd51d4b7981da921a557fc41381f6129c12d7b84a1402434ae5

SHA512
62586550dc3c3b97e4d352f95e41f38c8d13b4f1b3484ad337a57263fac58b5fa6c9df27700baaf12b716963e3a4f2a7626e180753abbdd91a005072dbcfca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IMJECDY.EXE

Filesize
54KB

MD5
979808206cfa455cd32111ab8ca4f4b9

SHA1
20c034ecaaafa703106d798d6df4d6f57bfc2000

SHA256
5c663c657cfe604adc342d5eb4c6919584826e4adc0503634397bb38f40d54a5

SHA512
2ef25f0fdd0257a27b6d3626c8820686fcac948f73ddd4cc6a998d363868f1d6ed22f452d4b0bec5aaa965fb89817d7dce83486952fb7a2593b73c352b28dcc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TEMELL.exe

Filesize
35KB

MD5
2cba38fe1c56ef4e487c8dbbe2a74de7

SHA1
95688337d645320037591aa79e2315f660b5f7c5

SHA256
aef5e4d2c7b1abc21b011cb1d0753ea5061da0a30c2aba4dd0b65baa615732f8

SHA512
57e3f476881de9a2acf01bd88f3ea5bd617341f7938e7a0f5355f573b126bacf72e423173568fd5ebe286c5c45c51c7028e6bc12c3aa66d2aca63f3b14444f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.bat

Filesize
158B

MD5
05f215cb78d123b8caa21478e457dd12

SHA1
ac578ac9940c03dfce6141915a2b86462554a7dc

SHA256
880c98e97bc971dd47611dc7e5207983bf11c7f0f95ee1ac8e59f7a827f9edd8

SHA512
87a89524ec2d6632fe634b1078c71d4f4e373e2c1abf2849fe71a0b4e0bc8d03dc9308c7a6bdff29ec1aab8277307761e769820584b4921258ef9d84f572649b

Download Submit
memory/856-13-0x00000000021D0000-0x00000000021D5000-memory.dmp

Filesize
20KB

Download
memory/856-14-0x00000000021D0000-0x00000000021D5000-memory.dmp

Filesize
20KB

Download
memory/4292-6-0x00000000004F0000-0x0000000000503000-memory.dmp

Filesize
76KB

Download
memory/4292-8-0x00000000004F0000-0x0000000000503000-memory.dmp

Filesize
76KB

Download