7b40baaf1ee588d530e3a4b743348f05bb261cb034b2c8796f8ba6235205d959

Analysis

max time kernel
144s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
Size

1.8MB
MD5

8866dba5652fc6f8b46561fffff2f03b
SHA1

483819d65982b5ee0759eb11607028c50d9f0476
SHA256

7b40baaf1ee588d530e3a4b743348f05bb261cb034b2c8796f8ba6235205d959
SHA512

da67f353d311eb5e42e082c09d03aeb32d475af163c26dc3d4a65e2901aa95f7a5336772d84cc241dd95a09a47706c3d289b09766b36616543a6ee0f15b1dead
SSDEEP

24576:k3QOURPsEZnWXU4reYwPLjFwa9y/T43msrqIQtIyt+y71ZV+wl7Cr9s8rJ7:k3QZ5WyjFwM+sriTt+c1JerfV

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
872	PATRONUS KOXP 1823 3B.EXE
2616	RUNDLL.EXE

Loads dropped DLL 4 IoCs

pid	Process
2616	RUNDLL.EXE
2616	RUNDLL.EXE
872	PATRONUS KOXP 1823 3B.EXE
872	PATRONUS KOXP 1823 3B.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3504	2616	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PATRONUS KOXP 1823 3B.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4388	reg.exe
2396	reg.exe
1776	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
2616	RUNDLL.EXE
2616	RUNDLL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
872	PATRONUS KOXP 1823 3B.EXE
872	PATRONUS KOXP 1823 3B.EXE
872	PATRONUS KOXP 1823 3B.EXE
2616	RUNDLL.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4840	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	92
PID 2824 wrote to memory of 4840	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	92
PID 2824 wrote to memory of 4840	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	92
PID 2824 wrote to memory of 4624	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	94
PID 2824 wrote to memory of 4624	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	94
PID 2824 wrote to memory of 4624	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	94
PID 2824 wrote to memory of 872	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	97
PID 2824 wrote to memory of 872	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	97
PID 2824 wrote to memory of 872	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	97
PID 2824 wrote to memory of 332	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	98
PID 2824 wrote to memory of 332	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	98
PID 2824 wrote to memory of 332	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	98
PID 4840 wrote to memory of 2748	4840	cmd.exe	99
PID 4840 wrote to memory of 2748	4840	cmd.exe	99
PID 4840 wrote to memory of 2748	4840	cmd.exe	99
PID 2748 wrote to memory of 2396	2748	cmd.exe	102
PID 2748 wrote to memory of 2396	2748	cmd.exe	102
PID 2748 wrote to memory of 2396	2748	cmd.exe	102
PID 2824 wrote to memory of 2616	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	101
PID 2824 wrote to memory of 2616	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	101
PID 2824 wrote to memory of 2616	2824	8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe	101
PID 4624 wrote to memory of 2980	4624	cmd.exe	103
PID 4624 wrote to memory of 2980	4624	cmd.exe	103
PID 4624 wrote to memory of 2980	4624	cmd.exe	103
PID 2980 wrote to memory of 1776	2980	cmd.exe	104
PID 2980 wrote to memory of 1776	2980	cmd.exe	104
PID 2980 wrote to memory of 1776	2980	cmd.exe	104
PID 332 wrote to memory of 3536	332	cmd.exe	105
PID 332 wrote to memory of 3536	332	cmd.exe	105
PID 332 wrote to memory of 3536	332	cmd.exe	105
PID 3536 wrote to memory of 4388	3536	cmd.exe	106
PID 3536 wrote to memory of 4388	3536	cmd.exe	106
PID 3536 wrote to memory of 4388	3536	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8866dba5652fc6f8b46561fffff2f03b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1776
- C:\Users\Admin\AppData\Roaming\PATRONUS KOXP 1823 3B.EXE
  "C:\Users\Admin\AppData\Roaming\PATRONUS KOXP 1823 3B.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4388
- C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
  "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 792
    3⤵
    - Program crash
    PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2616 -ip 2616
1⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
150B

MD5
1265b09eaea9e3c69fe1f6a4e8b00e6e

SHA1
44face1bde83d56e9d8906c6661a7fae05e330c6

SHA256
9f67284e85933ba4412c4ab49c0638af67b6ee4db37f7c8d91bff97823dc6068

SHA512
30574540682fb600fba844cf1e9b11205c3ac2eb64cfc661a07b8782938715ca4ccdd3ec5fcd2c0f18e34f2678c374adeca6f180ba792ce36826940b7188a57a

Download Submit
C:\Users\Admin\AppData\Roaming\nt.dll

Filesize
453KB

MD5
a469af68f3c7d5021cce64ac85d549a8

SHA1
2cfb029ba93276ed903e1f6f01be1c37958296b2

SHA256
dc286a0278e8e03dba5ebf97c7d05831fad59359bc2d3224247e17c2983def70

SHA512
beca8afd7e1280dd8404779ea98c2175bd929bf864d8316804674acd63eacc7a31967107331170334b4247fe01da87feec817902217ee9b35116eac27619393b

Download Submit
C:\Users\Admin\AppData\Roaming\patronus koxp 1823 3b.exe

Filesize
268KB

MD5
9cf2acf2bf4bca387711cb52a8539932

SHA1
671873138179f56029b35ff753dd5e5040ee3d22

SHA256
b31f0caf81da1330f59ca0c1a89995ff27d7efe39015de182e1871917ccf80e5

SHA512
3a190cc9c442c9df44fab9ad0303729313e411d257fb990804f52ba2c1c4b98b5a72e664e035fa03738861921bb2e368a6fc23614e5f30fa795ac05cee42e0b5

Download Submit
C:\Users\Admin\AppData\Roaming\rundll.exe

Filesize
628KB

MD5
c745dc232883ae8801470fa8c98b178f

SHA1
a8858315e9c3cdef679bf1f9e9026d7fb84e166e

SHA256
dd6f6214ead358615299321ef0a759f5775c5d531fd60c49fdf9ad4014356a2c

SHA512
5f750024b3949828ca037e8fda048b429a6aecc622923a300d1fc921d09e59f8de92c270b3bc0606f428a4342486477ee5989a6a38310a132164f35d8e66c06d

Download Submit
memory/872-40-0x0000000004B50000-0x0000000004BC8000-memory.dmp

Filesize
480KB

Download
memory/2616-36-0x0000000000970000-0x00000000009E8000-memory.dmp

Filesize
480KB

Download
memory/2616-41-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2616-42-0x0000000000970000-0x00000000009E8000-memory.dmp

Filesize
480KB

Download
memory/2824-0-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2824-37-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download