40f7c621c260aec5949efa43db65d89f1c90ba2d40e3622c4c6a48a3c48bb7a1

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 09:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe
Size

484KB
MD5

a2021e449699edd8f16c117db56b8f0b
SHA1

fd33ddd0d6ba9afd219d33dad170f8f855a17ad8
SHA256

40f7c621c260aec5949efa43db65d89f1c90ba2d40e3622c4c6a48a3c48bb7a1
SHA512

6ef8e0528129fd3a1468f902427ce4c6fb2acf660c84310ce434090a5b4e4cb372fca5718842b63060b7e599fd8b26e900e2ed2dd4350c3aadc6314b0db4a2fc
SSDEEP

12288:rebytrsSy4i2KWXxJzxf5/XXhUxQVTG1h3Q3q0HwTeA:rDfC2KkzlhXDy1h4q0U

Score

7^/10

aspackv2 discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023418-8.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Hunder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Hunder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Hunder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Hunder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Hunder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Hunder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Hunder.exe

Executes dropped EXE 8 IoCs

pid	Process
3768	Hunder.exe
1396	Hunder.exe
1924	Hunder.exe
4680	Hunder.exe
2320	Hunder.exe
3396	Hunder.exe
4508	Hunder.exe
4836	Hunder.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ThunderService = "C:\\Program Files\\THunderService\\Hunder.exe"	a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files\THunderService\ipc	Hunder.exe
File created	C:\Program Files\THunderService\ipc	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exe_b	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exenet	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.ldb	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exenet	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.ldb	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exenet	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.ldb	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exenet	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.ldb	Hunder.exe
File created	C:\Program Files\THunderService\ipc	Hunder.exe
File created	C:\Program Files\THunderService\Hunder.exenet	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.ldb	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exe_b	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exenet	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exe_b	Hunder.exe
File created	C:\Program Files\THunderService\a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.jpg	a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe
File created	C:\Program Files\THunderService\Hunder.exe	a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exe_b	Hunder.exe
File created	C:\Program Files\THunderService\ipc	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.ldb	Hunder.exe
File created	C:\Program Files\THunderService\Hunder0.txt	Hunder.exe
File created	C:\Program Files\THunderService\Hunder.exe_b	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.ldb	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exe_b	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exenet	Hunder.exe
File created	C:\Program Files\THunderService\ipc	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exenet	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exe_b	Hunder.exe
File created	C:\Program Files\THunderService\Hunder.chm	a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe
File created	C:\Program Files\THunderService\ipc	Hunder.exe
File created	C:\Program Files\THunderService\ipc	Hunder.exe
File opened for modification	C:\Program Files\THunderService\Hunder.exe_b	Hunder.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\win32.btl	a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hunder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hunder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hunder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hunder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hunder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hunder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hunder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hunder.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 3768	4152	a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe	89
PID 4152 wrote to memory of 3768	4152	a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe	89
PID 4152 wrote to memory of 3768	4152	a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe	89
PID 3768 wrote to memory of 1396	3768	Hunder.exe	104
PID 3768 wrote to memory of 1396	3768	Hunder.exe	104
PID 3768 wrote to memory of 1396	3768	Hunder.exe	104
PID 1396 wrote to memory of 1924	1396	Hunder.exe	105
PID 1396 wrote to memory of 1924	1396	Hunder.exe	105
PID 1396 wrote to memory of 1924	1396	Hunder.exe	105
PID 1924 wrote to memory of 4680	1924	Hunder.exe	107
PID 1924 wrote to memory of 4680	1924	Hunder.exe	107
PID 1924 wrote to memory of 4680	1924	Hunder.exe	107
PID 4680 wrote to memory of 2320	4680	Hunder.exe	108
PID 4680 wrote to memory of 2320	4680	Hunder.exe	108
PID 4680 wrote to memory of 2320	4680	Hunder.exe	108
PID 2320 wrote to memory of 3396	2320	Hunder.exe	113
PID 2320 wrote to memory of 3396	2320	Hunder.exe	113
PID 2320 wrote to memory of 3396	2320	Hunder.exe	113
PID 3396 wrote to memory of 4508	3396	Hunder.exe	114
PID 3396 wrote to memory of 4508	3396	Hunder.exe	114
PID 3396 wrote to memory of 4508	3396	Hunder.exe	114
PID 4508 wrote to memory of 4836	4508	Hunder.exe	121
PID 4508 wrote to memory of 4836	4508	Hunder.exe	121
PID 4508 wrote to memory of 4836	4508	Hunder.exe	121

C:\Users\Admin\AppData\Local\Temp\a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2021e449699edd8f16c117db56b8f0b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Program Files\THunderService\Hunder.exe
  "C:\Program Files\THunderService\Hunder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Program Files\THunderService\Hunder.exe
    "C:\Program Files\THunderService\Hunder.exe" 12345
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Program Files\THunderService\Hunder.exe
      "C:\Program Files\THunderService\Hunder.exe" 12345
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Program Files\THunderService\Hunder.exe
        
        "C:\Program Files\THunderService\Hunder.exe" 12345
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Program Files\THunderService\Hunder.exe
        
        "C:\Program Files\THunderService\Hunder.exe" 12345
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Program Files\THunderService\Hunder.exe
        
        "C:\Program Files\THunderService\Hunder.exe" 12345
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Program Files\THunderService\Hunder.exe
        
        "C:\Program Files\THunderService\Hunder.exe" 12345
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Program Files\THunderService\Hunder.exe
        
        "C:\Program Files\THunderService\Hunder.exe" 12345
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\THunderService\Hunder.chm

Filesize
43B

MD5
bc4d01a0daa30d62d9766d6dcb45733d

SHA1
ea79df8e4e478916e61ffcc9d19d924b0008b105

SHA256
30bdc04ba4610bec9c97f6adca99a73762d26317154c9c78f95abef8e77a238b

SHA512
987442ccb0d0df9ae58015e95f0d4bea5727af5eb711a863499930189724dd66839a45b8374956be4659a1095e9ca86c472361207bb743065ca1b4ce8fb157a6

Download Submit
C:\Program Files\THunderService\Hunder.exe

Filesize
4.2MB

MD5
d983033ce13bd0bcea800df13221cfde

SHA1
fca3886a2a892d2d39de0b02f72680f395a90b23

SHA256
f86b1981500992389e89bee4889a025c35b104a92c81fa49625351c1125a51f3

SHA512
cfc67cba08afff0642aa80a3566af84d06197cac71ff4f9ff2e93bff6fb60cc97cf1c5983d0f5fa3f91951a29422380c319efaab545932d5dcabee110ade4ff7

Download Submit
C:\Program Files\THunderService\Hunder.exe_b

Filesize
88KB

MD5
0f5f4237172d8a92475bf8da28fe4682

SHA1
bb3b86e749d296ec3d4fc3928ffe201ef83e25e1

SHA256
62f273ea42ee708077c914fa35886a816a423a29d8a860adb8a434f8ffbc0e1a

SHA512
6af8b69b75f5d86746c769b507f375b4eda5e534958497a9600af00c1bc347771ec27cf3b3ba5ae8113332269d5e5a676dfbeaf1301f43e4d8ce762b767379e7

Download Submit
C:\Program Files\THunderService\Hunder.exe_b

Filesize
88KB

MD5
5feaa2fe3dd0b6ccaca9e670b117757a

SHA1
4f4fa6a4f270ca5bf4f206e1908ac23207c225bd

SHA256
e9a6d4f0d16fcca455e821ef658ee67a888d22578e78b6bdfe4c8ba590da913f

SHA512
03881ba2559d23fd311daeabd099702aa0b73546fb858d54e906c2e467c84913dc83663cfa5738884cbd4e1df28bd86d2764684a83de2d7784b3e119fa48511d

Download Submit
C:\Program Files\THunderService\Hunder.exe_b

Filesize
88KB

MD5
480efd4f84e880068ea96bd13fc6ea15

SHA1
e414c61ccb210db42f745b629f9de7040899bbaa

SHA256
03bb3ff5ca614487f976ba463dc587cf0eb9c41d524e7408c44906dd6e153356

SHA512
1c2a2b2790355bdfb3bf9255271e39e505c52d065e1a2cf26ed4d40ead936197f663480ad5671486df0c39e0475cab26c73df79b0e311d7f6080dcf8da0300fd

Download Submit
C:\Program Files\THunderService\Hunder.exe_b

Filesize
88KB

MD5
b68f113ff7d2e78bf9d8f7e806444614

SHA1
55c29070f0d02ecf1e5f97b01bf2dc21aeca9dc7

SHA256
e4e31eb3e4f794d38de59da12c69d8f743780ebe778fe040e8c641763818e44e

SHA512
0a0c65445aecf301adac70ce8015f08ff8c6f6a693ecebc4597ac0187635561d1f81176316d7fcf56107eec2c6809eefac61aef9c8e2ae4693f8a458afbab6ea

Download Submit
C:\Program Files\THunderService\Hunder.exe_b

Filesize
88KB

MD5
6ec2697ad864ed69a591f66922faa903

SHA1
1acc01b35cb3192fc15b1c5097e7a1477240806a

SHA256
b1f6898797fafd7fc52430ca5be0802edba443905dfaceb5852910cc8e607854

SHA512
e3801e552340fe91228cee6a997303923d7bad4d31ffe1499bd25c1558f6c5f1db0135a617f732596a816420bba40c536931f09fbf5476cc00b75aa106a92a7f

Download Submit
C:\Program Files\THunderService\Hunder.exe_b

Filesize
88KB

MD5
dea86ffc74e06a5f44a98ce96544b25b

SHA1
772af83641d9dc2ffd2c0ed1026b9a38de0e1db4

SHA256
5e53fa24b627298820a4cfb78b59fca2357e8dc75dcca816e2bbe8b185af7afb

SHA512
ab6262c3d8ccf2319236f824efdb4f5bb516278cc47847bf6710413521c58a3881a241f0b884d51a75db96a1f6c89daead4d59b91f93eacb3eb3b19c62a71d3f

Download Submit
C:\Program Files\THunderService\Hunder.exenet

Filesize
88KB

MD5
ef071e7c40252951f51e96e0f6e4a2fc

SHA1
0252a423c6fc6774809260af0542fb63903268d7

SHA256
3d3fab710dfd0fb083b2e9a46e76c5c05a0e9b77df70eda9e2a9cda6e0d05254

SHA512
e72099c76b7d88988c9313775c89ab8f1c29f57f54e3320236e01b7d4e302cb04ceedf6a0310c2f1b6053a84ba60fa04f86c5d7a2ce75556f68ae01f42f740e4

Download Submit
C:\Program Files\THunderService\Hunder.ldb

Filesize
64B

MD5
7da444331562d0dffcabc68bc18d443c

SHA1
d67cff341c1a82d0270ef2e0f3f06d64f1c398ff

SHA256
6d5e144c7f12fc5f7bb9bd6a9344ee3409a23324617eba828ac6a4e7f899b385

SHA512
98842fee7303b4b905db54111e450fc9a38fc63c61530001f6f1b79e926dd5e207b5b4e4af5ef440b2535b067f9186935c4b1d3105d2c6bea141d7039a3c5369

Download Submit
C:\Program Files\THunderService\Hunder0.txt

Filesize
10B

MD5
054db04988b3981642e47f23b7195a58

SHA1
087fcd27bee6746f80c44b8dff42ec51ece25fae

SHA256
884a6676212ee73fb19a8b1c88a4c4271daebefa810f4216f721d6f87def0d0c

SHA512
b998ba5448a39ad88825c2a4a6eba2677ccea03120c85d76280c93e2fa51b04340ebce4ddbfb86d171d1d051f7e0803bb923c7158d3b8a2f624c9cd70c08883d

Download Submit
C:\Program Files\THunderService\ipc

Filesize
133B

MD5
314417833b0d327beccab7cb68cd4f7c

SHA1
f6bed9edc9ed8e9ff928194670f5ec3eda2763e3

SHA256
37ed866abc19465aa2172d651bbd3ffe2836add54ba3065ff7189f1a75410d9f

SHA512
c8645c0528d9b7309b2d6870f8250384654db64fc605667aabdc26d8429a1d03d3306a3082b22afff395d2e1669317dee96f9c6dd839ca440283cb2fe1a223ff

Download Submit
memory/1396-47-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1396-63-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1924-80-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1924-64-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2320-114-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2320-98-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3396-131-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3396-115-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3768-31-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3768-25-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3768-24-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3768-45-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3768-12-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4152-0-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4152-16-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/4508-132-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/4508-148-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/4680-97-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/4680-81-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/4836-149-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads