0b36f9990b83338a823f030e12fcd9a866a2cfcb434150d3e59c708a80a88102

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
Size

65KB
MD5

772952cfacf381892590ce0ccc4bb384
SHA1

734e0306c531e9ffbf22b60e7c744e04f65fa79f
SHA256

0b36f9990b83338a823f030e12fcd9a866a2cfcb434150d3e59c708a80a88102
SHA512

1bc8e5145a9c5fde67c5df7289b32fee5720b5af7007c3fd5c3287c74c4754812552c2b6cef2ce77582233b8a8a2312975acc5c7687b0694cdec528456912d21
SSDEEP

768:gqipbWxcGn+dNHyIztJT2W/V4EaRS8ZGMhpyNKnoBXzHpBRjG8CkFMRKVytHmDbX:6ScCqrztJi2icNKnoBX7RylHmH

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	pwrshplugin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	netprofm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	ngccredprov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	wups.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sensapi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	kbdcr.exe

Executes dropped EXE 6 IoCs

pid	Process
2572	netprofm.exe
4492	ngccredprov.exe
3320	wups.exe
2756	sensapi.exe
2420	kbdcr.exe
3948	pwrshplugin.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\netprofm.exe	772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sensapi.exe	wups.exe
File opened for modification	C:\Windows\SysWOW64\ngccredprov.exe	netprofm.exe
File created	C:\Windows\SysWOW64\kbdcr.exe	sensapi.exe
File opened for modification	C:\Windows\SysWOW64\kbdcr.exe	sensapi.exe
File created	C:\Windows\SysWOW64\pwrshplugin.exe	kbdcr.exe
File opened for modification	C:\Windows\SysWOW64\windows.storage.applicationdata.exe	pwrshplugin.exe
File created	C:\Windows\SysWOW64\ngccredprov.exe	netprofm.exe
File opened for modification	C:\Windows\SysWOW64\sensapi.exe	wups.exe
File opened for modification	C:\Windows\SysWOW64\pwrshplugin.exe	kbdcr.exe
File created	C:\Windows\SysWOW64\windows.storage.applicationdata.exe	pwrshplugin.exe
File opened for modification	C:\Windows\SysWOW64\netprofm.exe	772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wups.exe	ngccredprov.exe
File opened for modification	C:\Windows\SysWOW64\wups.exe	ngccredprov.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5076	4972	WerFault.exe	83
1748	3948	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pwrshplugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wups.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sensapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngccredprov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbdcr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2572	4972	772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe	92
PID 4972 wrote to memory of 2572	4972	772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe	92
PID 4972 wrote to memory of 2572	4972	772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe	92
PID 4972 wrote to memory of 2368	4972	772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe	94
PID 4972 wrote to memory of 2368	4972	772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe	94
PID 4972 wrote to memory of 2368	4972	772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe	94
PID 2572 wrote to memory of 4492	2572	netprofm.exe	100
PID 2572 wrote to memory of 4492	2572	netprofm.exe	100
PID 2572 wrote to memory of 4492	2572	netprofm.exe	100
PID 2572 wrote to memory of 4372	2572	netprofm.exe	101
PID 2572 wrote to memory of 4372	2572	netprofm.exe	101
PID 2572 wrote to memory of 4372	2572	netprofm.exe	101
PID 4492 wrote to memory of 3320	4492	ngccredprov.exe	105
PID 4492 wrote to memory of 3320	4492	ngccredprov.exe	105
PID 4492 wrote to memory of 3320	4492	ngccredprov.exe	105
PID 4492 wrote to memory of 4752	4492	ngccredprov.exe	106
PID 4492 wrote to memory of 4752	4492	ngccredprov.exe	106
PID 4492 wrote to memory of 4752	4492	ngccredprov.exe	106
PID 3320 wrote to memory of 2756	3320	wups.exe	108
PID 3320 wrote to memory of 2756	3320	wups.exe	108
PID 3320 wrote to memory of 2756	3320	wups.exe	108
PID 3320 wrote to memory of 4564	3320	wups.exe	109
PID 3320 wrote to memory of 4564	3320	wups.exe	109
PID 3320 wrote to memory of 4564	3320	wups.exe	109
PID 2756 wrote to memory of 2420	2756	sensapi.exe	111
PID 2756 wrote to memory of 2420	2756	sensapi.exe	111
PID 2756 wrote to memory of 2420	2756	sensapi.exe	111
PID 2756 wrote to memory of 1532	2756	sensapi.exe	112
PID 2756 wrote to memory of 1532	2756	sensapi.exe	112
PID 2756 wrote to memory of 1532	2756	sensapi.exe	112
PID 2420 wrote to memory of 3948	2420	kbdcr.exe	114
PID 2420 wrote to memory of 3948	2420	kbdcr.exe	114
PID 2420 wrote to memory of 3948	2420	kbdcr.exe	114
PID 2420 wrote to memory of 2284	2420	kbdcr.exe	115
PID 2420 wrote to memory of 2284	2420	kbdcr.exe	115
PID 2420 wrote to memory of 2284	2420	kbdcr.exe	115
PID 3948 wrote to memory of 824	3948	pwrshplugin.exe	120
PID 3948 wrote to memory of 824	3948	pwrshplugin.exe	120
PID 3948 wrote to memory of 824	3948	pwrshplugin.exe	120

C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\netprofm.exe
  "C:\Windows\system32\netprofm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\ngccredprov.exe
    "C:\Windows\system32\ngccredprov.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\wups.exe
      "C:\Windows\system32\wups.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3320
    - - C:\Windows\SysWOW64\sensapi.exe
        
        "C:\Windows\system32\sensapi.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\kbdcr.exe
        
        "C:\Windows\system32\kbdcr.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\pwrshplugin.exe
        
        "C:\Windows\system32\pwrshplugin.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\pwrshplugin.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1776
        8⤵
        Program crash
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdcr.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\sensapi.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wups.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\ngccredprov.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\netprofm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1676
  2⤵
  - Program crash
  PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4972 -ip 4972
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3948 -ip 3948
1⤵
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\kbdcr.exe

Filesize
65KB

MD5
6b12079905353565bfe29a749eb7716e

SHA1
f9839a23e13d8200e57cdb9f6c1e94fb844a4c49

SHA256
20c42d14a0e73ae3808fc1616886350c14613bf328e352e1030ac68e323af0b7

SHA512
074c2bdf3f4228b16decf1226fd01e4cb3a074cd49848f0f9304f1989a1c31f15faec7a9e4b7c8eff617ae50717b14873fc88c6309c5f739df8352521bdb2ab1

Download Submit
C:\Windows\SysWOW64\netprofm.exe

Filesize
65KB

MD5
75e16b2c31eece91aad5fa8e8286fed6

SHA1
d6b52289d8b27618638422869f5428b1c65e4d46

SHA256
b993d6aff29d76684dad23e4b7547bbb7ecb347d09644ce0ca27e05d682b1393

SHA512
2c62c380ab057edb5ade68b7cda8680a68be1954e3a8fb124d10d5a16c1bdde31b54856ad866fe8aa005bb835ea2da9799d08d65113f68f6b9e6631dfe1539ab

Download Submit
C:\Windows\SysWOW64\ngccredprov.exe

Filesize
65KB

MD5
3cf4fb568b02a5cff86edd5f4315b573

SHA1
caee89129acbbb67ad46150048b2917c74403d60

SHA256
7242c1db29fa843c3127938d78515e92a26d03cb5aed6e9c737114b5b3bbca15

SHA512
4bb19783918f9ecb3691dbafaae026cff98580074b11065a2e5645f834a772123234fc8139ae452d3cdcd7b36578801f0e8e2d72aaf1f1599c68df62dc2e751e

Download Submit
C:\Windows\SysWOW64\pwrshplugin.exe

Filesize
65KB

MD5
c1bd56c24f249b3f3bda68706cb39d48

SHA1
b06682d73bd38cb719efbdb27e432fb0f58409c7

SHA256
dacd28a436dd235fb15b4be7628e4fdd0f95210c13b107fd53b865b403a63562

SHA512
76b96677e4501534363c52567aa62feea420f068e40f11e9a4c5912d2f0cd20d7f3a40171de3da0ca834cbe30aa6ae495a83fa09046d1091f1eb04815eceba01

Download Submit
C:\Windows\SysWOW64\sensapi.exe

Filesize
65KB

MD5
4917a344edba82df6579de1e409c9ef6

SHA1
5ce1b33d04c1117b3922e14d8370a8c2a2aa2607

SHA256
4741b75ebb637e5ef67f2b42d25ac56de8c86c67c63a2df5ed76b482bba77381

SHA512
8d63e669f2ca811136dfe17740cc2a3451dc1759d2a00779e915a3b11007614ce3e9067d840cbf37dafbe593b33c05e71f9ee696fb26f492aa613b211e8f764d

Download Submit
C:\Windows\SysWOW64\wups.exe

Filesize
65KB

MD5
0e954170b7d0581a7f47ed63b39d6e3c

SHA1
530a653beed24a03fff8896d57f92626f73edd1d

SHA256
96444036c05f993fee057661ea0faedd07a8cc6f905ae43a62e7bb0551c543b7

SHA512
d57ea7a8c7b476a607155c364f67b6ed1b731d7f4e419c2ae32545062ea4f562f0170499973b795d03463b1cd4a7d65c088f9d728d3cc8689bb242b06c7c815b

Download Submit
memory/2420-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2572-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2756-52-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2756-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3320-42-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3948-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3948-66-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4492-31-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4492-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4972-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4972-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download