5383cbe6a2c2e664aa30c5aff3d576af7e765fb7ebb0cdb0d5de7d599ea0da94

Analysis

max time kernel
142s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe
Size

34KB
MD5

9fd10745e0e2de606ca664553149ce2e
SHA1

5cd5f804fb25528f78f0afd7e131fc7db9aae468
SHA256

5383cbe6a2c2e664aa30c5aff3d576af7e765fb7ebb0cdb0d5de7d599ea0da94
SHA512

38cad49727d20d751932a34eef59bd5bf0f6bc77f0b16737c849f83c51fd2aee5c87abd303bbf8746ac2c1fc342d647ab1c292326797be1d1a14c74607e74bac
SSDEEP

768:YPVxpVcS9gV4pa5MUtsw7GPs0m2jnaWfunmT:uxpVcS62cvmw7GPcsaJ8

Score

7^/10

discovery persistence privilege_escalation upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	lockie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	lock.exe

Executes dropped EXE 2 IoCs

pid	Process
4876	lockie.exe
2172	lock.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4064-0-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0004000000022f92-15.dat	upx
behavioral2/memory/2172-17-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4064-19-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/2172-26-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2172-27-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2172-30-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LockIE = "C:\\Windows\\SysWOW64\\lockie.exe /r"	lockie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LockDns = "C:\\Windows\\SysWOW64\\lock.exe /r"	lock.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lockie.exe	9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lock.exe	9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\NavCheck	lock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lockie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
884	ipconfig.exe
1996	ipconfig.exe
1720	ipconfig.exe
676	ipconfig.exe
2364	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	lock.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	lock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	lock.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	lockie.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\IESettingSync	lock.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.930dnf.net"	lockie.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4876	lockie.exe
4876	lockie.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4064	9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe
4876	lockie.exe
2172	lock.exe
2172	lock.exe
2172	lock.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4876	4064	9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe	84
PID 4064 wrote to memory of 4876	4064	9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe	84
PID 4064 wrote to memory of 4876	4064	9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe	84
PID 4876 wrote to memory of 884	4876	lockie.exe	87
PID 4876 wrote to memory of 884	4876	lockie.exe	87
PID 4876 wrote to memory of 884	4876	lockie.exe	87
PID 4876 wrote to memory of 4612	4876	lockie.exe	90
PID 4876 wrote to memory of 4612	4876	lockie.exe	90
PID 4876 wrote to memory of 4612	4876	lockie.exe	90
PID 4612 wrote to memory of 4864	4612	cmd.exe	92
PID 4612 wrote to memory of 4864	4612	cmd.exe	92
PID 4612 wrote to memory of 4864	4612	cmd.exe	92
PID 4612 wrote to memory of 2792	4612	cmd.exe	94
PID 4612 wrote to memory of 2792	4612	cmd.exe	94
PID 4612 wrote to memory of 2792	4612	cmd.exe	94
PID 4612 wrote to memory of 788	4612	cmd.exe	95
PID 4612 wrote to memory of 788	4612	cmd.exe	95
PID 4612 wrote to memory of 788	4612	cmd.exe	95
PID 4064 wrote to memory of 2172	4064	9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe	96
PID 4064 wrote to memory of 2172	4064	9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe	96
PID 4064 wrote to memory of 2172	4064	9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe	96
PID 2172 wrote to memory of 1996	2172	lock.exe	98
PID 2172 wrote to memory of 1996	2172	lock.exe	98
PID 2172 wrote to memory of 1996	2172	lock.exe	98
PID 4612 wrote to memory of 4476	4612	cmd.exe	100
PID 4612 wrote to memory of 4476	4612	cmd.exe	100
PID 4612 wrote to memory of 4476	4612	cmd.exe	100
PID 2172 wrote to memory of 3808	2172	lock.exe	101
PID 2172 wrote to memory of 3808	2172	lock.exe	101
PID 2172 wrote to memory of 3808	2172	lock.exe	101
PID 3808 wrote to memory of 1512	3808	cmd.exe	103
PID 3808 wrote to memory of 1512	3808	cmd.exe	103
PID 3808 wrote to memory of 1512	3808	cmd.exe	103
PID 4612 wrote to memory of 1720	4612	cmd.exe	104
PID 4612 wrote to memory of 1720	4612	cmd.exe	104
PID 4612 wrote to memory of 1720	4612	cmd.exe	104
PID 4876 wrote to memory of 676	4876	lockie.exe	116
PID 4876 wrote to memory of 676	4876	lockie.exe	116
PID 4876 wrote to memory of 676	4876	lockie.exe	116
PID 4876 wrote to memory of 2364	4876	lockie.exe	124
PID 4876 wrote to memory of 2364	4876	lockie.exe	124
PID 4876 wrote to memory of 2364	4876	lockie.exe	124

C:\Users\Admin\AppData\Local\Temp\9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9fd10745e0e2de606ca664553149ce2e_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\lockie.exe
  C:\Windows\system32\lockie.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig.exe /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AutoDns.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip set dns name="????" source=static addr=61.38.252.108 register=PRIMARY
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4864
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip add dns name="????" addr=219.87.170.14 index=2
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2792
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip set dns name="??????" source=static addr=61.38.252.108 register=PRIMARY
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:788
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip add dns name="??????" addr=219.87.170.14 index=2
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4476
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /flushdns
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1720
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig.exe /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:676
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig.exe /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2364
- C:\Windows\SysWOW64\lock.exe
  C:\Windows\system32\lock.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig.exe /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AutoDns.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip set dns name="????" source=static addr=61.38.252.108 register=PRIMARY
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoDns.cmd

Filesize
346B

MD5
42d9fbc7d0ed316cebb137610d6bada9

SHA1
0356d4ca0c086e503681400f0bfbed8b4df99ba2

SHA256
56269ccbe1626753ce19500448778901cce9fe46b5414c66844cd94da474d02b

SHA512
e3eb05fafc66459972871048fb469539aea149960e2a5f7ff6f5434d36a381d0cb90e9d2ee30bb37fb498d36df93282f97fc5b140224e804dd8928febfb66128

Download Submit
C:\Windows\SysWOW64\lock.exe

Filesize
12KB

MD5
3e134484817b081eef906eabeaf4d4e6

SHA1
87a21cfe9a15a7b6678371341bd9d1fe8f36612d

SHA256
d5139e0fc1d889755a100e7ab69851742a65e0fe76bafca80d56eed97e0250a8

SHA512
b6cffb797a801697a6161f7934cbaf108d98f0ca935e34b9cd002cd6a566649da295ab56ff703a2346da1d33816d467c767435e542f7caf330796521f54c6b4d

Download Submit
C:\Windows\SysWOW64\lockie.exe

Filesize
56KB

MD5
4292bd9215a26d6e087b91dbb1ae33f2

SHA1
a1094e480b7062bb056abb5ee741bd2cea5706c1

SHA256
479b340b0a020b8a438135a814ed20388e052cfdb50b615ab634015a040e0b50

SHA512
c4e9c1e5e06634138726b320e4c6541ec35725be8db56209854dc15e597a2d0e0e7de2007488cb2afc7e0d342d62559355a3b26d325f7a9307e8ca836c2cb5e5

Download Submit
memory/2172-17-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2172-26-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2172-27-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2172-30-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4064-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4064-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download