1f4940dee6b45d090229d4c93c5ea7c3e772a3ee5fa4a8dae22df2d09fe7930a

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe
Size

308KB
MD5

a0bb5d5e5900f53cf59b85505817d205
SHA1

2a1bf62d166981db11c9d47f9f1cfc27a3d26af4
SHA256

1f4940dee6b45d090229d4c93c5ea7c3e772a3ee5fa4a8dae22df2d09fe7930a
SHA512

91b8f115ed3195c6256e5db22b3e69c3e7d26016a8069e1f89da3339664e93f6e5d64f48de977fac3d785cd1a00663b6f8316a8cb5ef17df4967b4566deaf77b
SSDEEP

6144:9RkDeqSoCmANolT1eJvLhz6PmyTq+a2Xaeeik8/WSfHTscC17yGEu7:5Nmso16jhz6PmIb9XDeihfAcC9yGEu7

Score

7^/10

credential_access discovery spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Services.exe

Executes dropped EXE 3 IoCs

pid	Process
1548	Services.exe
4296	auto.power.on.&.shutdown.2.xx-patch.exe
3620	Services.exe

Loads dropped DLL 1 IoCs

pid	Process
4296	auto.power.on.&.shutdown.2.xx-patch.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234c1-15.dat	upx
behavioral2/memory/4296-20-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3620-22-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3620-25-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3620-26-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3620-29-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3620-34-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4296-36-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 3620	1548	Services.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auto.power.on.&.shutdown.2.xx-patch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Services.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3112	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4584	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1548	Services.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1548	4884	a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe	84
PID 4884 wrote to memory of 1548	4884	a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe	84
PID 4884 wrote to memory of 1548	4884	a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe	84
PID 4884 wrote to memory of 4296	4884	a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe	85
PID 4884 wrote to memory of 4296	4884	a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe	85
PID 4884 wrote to memory of 4296	4884	a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe	85
PID 1548 wrote to memory of 3620	1548	Services.exe	86
PID 1548 wrote to memory of 3620	1548	Services.exe	86
PID 1548 wrote to memory of 3620	1548	Services.exe	86
PID 1548 wrote to memory of 3620	1548	Services.exe	86
PID 1548 wrote to memory of 3620	1548	Services.exe	86
PID 1548 wrote to memory of 3620	1548	Services.exe	86
PID 1548 wrote to memory of 3620	1548	Services.exe	86
PID 1548 wrote to memory of 3620	1548	Services.exe	86
PID 3620 wrote to memory of 872	3620	Services.exe	88
PID 3620 wrote to memory of 872	3620	Services.exe	88
PID 3620 wrote to memory of 872	3620	Services.exe	88
PID 872 wrote to memory of 3112	872	cmd.exe	91
PID 872 wrote to memory of 3112	872	cmd.exe	91
PID 872 wrote to memory of 3112	872	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0bb5d5e5900f53cf59b85505817d205_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\Services.exe
  "C:\Users\Admin\AppData\Local\Temp\Services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\Services.exe
    C:\Users\Admin\AppData\Local\Temp\Services.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Services.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3112
- C:\Users\Admin\AppData\Local\Temp\auto.power.on.&.shutdown.2.xx-patch.exe
  "C:\Users\Admin\AppData\Local\Temp\auto.power.on.&.shutdown.2.xx-patch.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
232KB

MD5
89d772f3cb98bb5d708ce01ae8438739

SHA1
c89ef639cb09bee738f171592c5a87c53134a9a2

SHA256
ce14a27336b8bc3ac4ff2b55e90b45a559cb586b7b91456ec4a2154738355d78

SHA512
239bba70236ebd010aaf2824e17202b5455f2cf76ff0206eb9468fe250d6334e8e45e8336f069f8b5a00a28a1abef34834145cca954224b50f955e6378d59f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\auto.power.on.&.shutdown.2.xx-patch.exe

Filesize
126KB

MD5
ce06140880371574e24fcd2af037a315

SHA1
e310ad6a5b9ccb7f3a131b729f95b5f104951056

SHA256
9f4e4373045a9694ee50b7736585b17ac199a150140ef2dfc1f9ae9a2c8e6fe6

SHA512
c5f44975b193cba8d9c5edeb3516ce66c47dc5966f1bee760665970eae6b987844583fbac50d160aa91472f58982fcdbf2c6532a415ab6d228d10f3de73e0736

Download Submit
C:\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
9KB

MD5
780d14604d49e3c634200c523def8351

SHA1
e208ef6f421d2260070a9222f1f918f1de0a8eeb

SHA256
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

SHA512
a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

Download Submit
memory/3620-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3620-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3620-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3620-29-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3620-34-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4296-20-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4296-36-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download