c9c653e5a5ede178435051d64e69002bebe854671f333c9d2c4611c8f779736e

Analysis

max time kernel
134s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 02:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a93f80a02b1bd6f076be54b617bf5dff_JaffaCakes118.exe
Size

134KB
MD5

a93f80a02b1bd6f076be54b617bf5dff
SHA1

8b1ffced60acaa4304b2fadf4b6f829a8bd004f8
SHA256

c9c653e5a5ede178435051d64e69002bebe854671f333c9d2c4611c8f779736e
SHA512

8b470bf5391dcae2b7d2a08048691736ccc3fe5722ff9231b45f56779a4396fbbf17ded005422f5e806ae5b306fbc2812c9bc245da753375e4d53360d23b1718
SSDEEP

3072:1wtec3oVQ6c0ryWTfINFdx6pJELyPH0t/V/1BsC8:1wteLm66eqLyst/V/0C8

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	a93f80a02b1bd6f076be54b617bf5dff_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	InfDefaultInstall.exe

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File created	C:\Progra~1\abcAVI\Language\SETBA96.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBA97.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBA99.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBABE.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\russian.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\haxor.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\haxor_ru.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\spanish.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBABF.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBAD1.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\SETBAD2.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\SETBAD2.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBABD.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\language.inf	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\haxor_ro.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\french.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\czech.ini	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBA99.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBA97.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBACF.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\chineset.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\chineses.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\hungar.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBA96.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBACF.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBA86.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBA98.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBAAA.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBAAC.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBAAA.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBAAB.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBAAC.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBAD0.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\romanian.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\polish.ini	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBA86.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBA98.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBAD0.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\german.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\english.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBABD.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\SETBAAB.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBAD1.tmp	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\haxor_en.ini	InfDefaultInstall.exe
File opened for modification	C:\Progra~1\abcAVI\Language\hungaria.ini	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBABE.tmp	InfDefaultInstall.exe
File created	C:\Progra~1\abcAVI\Language\SETBABF.tmp	InfDefaultInstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4636	3016	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a93f80a02b1bd6f076be54b617bf5dff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfDefaultInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	a93f80a02b1bd6f076be54b617bf5dff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3288	3016	a93f80a02b1bd6f076be54b617bf5dff_JaffaCakes118.exe	96
PID 3016 wrote to memory of 3288	3016	a93f80a02b1bd6f076be54b617bf5dff_JaffaCakes118.exe	96
PID 3016 wrote to memory of 3288	3016	a93f80a02b1bd6f076be54b617bf5dff_JaffaCakes118.exe	96
PID 3288 wrote to memory of 2252	3288	InfDefaultInstall.exe	97
PID 3288 wrote to memory of 2252	3288	InfDefaultInstall.exe	97
PID 3288 wrote to memory of 2252	3288	InfDefaultInstall.exe	97
PID 2252 wrote to memory of 3156	2252	runonce.exe	98
PID 2252 wrote to memory of 3156	2252	runonce.exe	98
PID 2252 wrote to memory of 3156	2252	runonce.exe	98

C:\Users\Admin\AppData\Local\Temp\a93f80a02b1bd6f076be54b617bf5dff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a93f80a02b1bd6f076be54b617bf5dff_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 424
  2⤵
  - Program crash
  PID:4636
- C:\Windows\SysWOW64\InfDefaultInstall.exe
  "C:\Windows\System32\InfDefaultInstall.exe" "C:\Users\Admin\AppData\Local\Temp\language.inf"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3016 -ip 3016
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chineses.ini

Filesize
23KB

MD5
fc524d751a72c7f1c9b61038b74f91bb

SHA1
e74c675bfae217cf58141902dacacc9ddf008dd0

SHA256
92ee057d7ce20cc3e8eaee25e46245b71ad03b99bfbee2b59e03db232f07220e

SHA512
88a55f438898f5cc2a19e05826070e96656cb3aef838e7c977add2f5d20dfd6d65ec4f796c8ac22c504973e94fd74c80113f4c7807abb957bfe21a03e2a5d4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\chineset.ini

Filesize
23KB

MD5
a871aefcf0e308fa8f0609560e82a9b2

SHA1
ef7cd97f0d7dec6c5ad9eb82aa082370ff667314

SHA256
5c0b17930c5fcbd2569fcea0fc161f617112672b81f5bf372f500558401e8e74

SHA512
03d69972ac646de0cac8a157b10d8c77547999b0ba5cd03a9472c01ad195f47cbf7f3528fef0b0ffa8f32c9eb319b2fee89e94ff5ea3c9f017c2d8812852ab64

Download Submit
C:\Users\Admin\AppData\Local\Temp\czech.ini

Filesize
32KB

MD5
be3db216c09693a9fe6a0d9493494a99

SHA1
c90ee07cd5ebaae72ecfbfa97327118a8c47677c

SHA256
fc1d316c4e53a3fb2fe27df10120f2ab86f7fb9f23e1b6cefc6ff840408e4baa

SHA512
e89cff65e8d5b306507a586fd15df706ea641c2a0e9248ec5066b2fb235e62788b88b5484b2329748a26c3eb70bd64b018ea1276895d941f0534355f3d4ed668

Download Submit
C:\Users\Admin\AppData\Local\Temp\english.ini

Filesize
32KB

MD5
9ff159899b3e75a88d23b56a4593ccbe

SHA1
770bb8a15944c0aa3db58f8633a5f595a8bdbed6

SHA256
3a53aafae51b182becb116df36b95ff323adaf07de216e5a0eed4a92440079da

SHA512
5b31926d1280b69167a41433d24c37ca4a63ecd76e3eaeeac621f54d3a1f0c60dcac7a2e9ba765b72449185f9718627ac6213663d5a97993434034f6fd0401c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\french.ini

Filesize
14KB

MD5
d0b2170c1758e4096e0e35e1b2950682

SHA1
16b1f9ab7d4bcc01bbb8061390c2e3c369c157b3

SHA256
a67a8fae367d3ab8197e1e3e0f50aca736aa9b629ea7162729173c06a44efa4d

SHA512
a54f15a29575b967c2ced1ba39efdf27f53b6ac9575c4c85da997c0c7438c9e3d65f6d32e252770ecd5d49cfef2cdc8c9bb97bba725f08ab36b44403c9fe323c

Download Submit
C:\Users\Admin\AppData\Local\Temp\german.ini

Filesize
23KB

MD5
b0fab25cd983fdccd31460546935267d

SHA1
9974ffdd3cf3070ba72b43e0479049178e8572c6

SHA256
d944f323855a5f0aa6987c82cf0a0602a8b50159a04136dcebbeaf3d2d182609

SHA512
9a3c12765334aa2dc5772174c2e73e5b411c97725a354815a24dd40eb948ae4daa17fa467ab2321742d09a56e878720b03cc07c4a779d137ab530f2cc7d001d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\haxor_en.ini

Filesize
27KB

MD5
8f8c7e74ae84be76705a9ac743cea652

SHA1
719ad0edc48385e4a1a9ecca5059676482ba09ac

SHA256
5caecfdcb4350d26668915066f06ff35e1e81af4c74b7571a374f40142efc25a

SHA512
733667cb334316a1830e95c9c50f89908182b525664fd15b2647664f19acf7c1e78f3b6806724501f8a950d2a9be5dfd4da319f89589aa12118842e98f682921

Download Submit
C:\Users\Admin\AppData\Local\Temp\haxor_ro.ini

Filesize
14KB

MD5
fcc20bdc9f66ec8c9e588cd17f8cb508

SHA1
3cb9c3f68e4304b7f0f47ea5278545c30a242bb1

SHA256
bf8af51676de9d41e24353d0d371af5ae159e9000543b672cf17677fd9410b53

SHA512
12044bd17e75da7d561184f700007d26ba3f1f25cf785b91fc489f11911a5931cae67f6a11a015703b1979608b07534faead634adea8c1ced0fc33c98455b3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\haxor_ru.ini

Filesize
19KB

MD5
16d4583745d88838492b6b4b7a40472f

SHA1
f182c82b5895b01c882ed70906bcc831f988a3c2

SHA256
8c381c2c0af62f5c59060cd6db1e470e581eca655f2d9e5f55f9a99b22a4d461

SHA512
3060f53091f4426858e9738dfad293230ebb02243783838cdf227bf89f5129e11ead4643b757341c583ad231ca514d00a4e2907e894054da7f0cee2183cd6426

Download Submit
C:\Users\Admin\AppData\Local\Temp\hungaria.ini

Filesize
14KB

MD5
18d2c6a72b115e906a8f42a7b043b10f

SHA1
3beb4d3f75481a00d8a080a0242e472a72973aeb

SHA256
d43a1edce1e0503eb0b35892a1531b3eedacd95e974ee1ced7e20c82aea9b430

SHA512
df9c7d0b75097873f534f2e982708d6374f6c488c44fb981d8783d2c5b2c376d20857a515c1b6ba057dc9ab9bed8a95a06d27cdc5f3117fa1e60055ed0aec7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\language.inf

Filesize
1KB

MD5
38c726a85f39cb36388c0f5cfabae41a

SHA1
b9e7922d9941493510c1ce285e720d79536a71d3

SHA256
8c590442d06cb852111bf3221e27baa1c2dddc5c3fd2e577d1ade6aa29a91440

SHA512
f9c892fa2e5531c04a49a3d6be434c6f8200f733c519aff1dc37f3bec07f169b658da5243410b11bc33f5f1655d0fdbbef131e93913b18f753888371a6e682af

Download Submit
C:\Users\Admin\AppData\Local\Temp\polish.ini

Filesize
32KB

MD5
1ed0cc5a88663b0a9b3975ff06429236

SHA1
3b19c22d1516bd2aeb0bfc4b72d5712b3440bb5f

SHA256
949dd6a1c13363f20b9af611f580074c7f517d771d8998b7849dd57b07e7ab3b

SHA512
3d99f233603493df0c02c8263f52f60a6c334898d68704d17cb9e92d9d9144505ce9c8367bef1bf1c5a3d2ed918ed3f07a3f9f298079ad25b0fec28ae9e28f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\romanian.ini

Filesize
15KB

MD5
9a8ed6640dca55074510e346af69d2dd

SHA1
a9e876e0c9ddee5ea5cf8ebf473f60d989635cd0

SHA256
768488c2539daa549246e0e491cb8ed130ad414a654330281acd8e82f8660868

SHA512
0052546e486669bce6be5c31f7b00f1556e7ca0e1122b43d884b507470691bd3f93e2b3f6f18cd6f9f3156342dfffd4aee7e94855c03082e5547bb7b0c233707

Download Submit
C:\Users\Admin\AppData\Local\Temp\russian.ini

Filesize
17KB

MD5
f11ffdcd871ce9963089e56bc6382a78

SHA1
5fe9d3098095ac799b8df81c711bd346a97b78d0

SHA256
9a5c7013eb3d7a5ac793ec633ea2eb546049fedabad9bd3d3928f9ad248c6684

SHA512
5b8c253ce7c386c1b43fec34767c8addc78eefb3ae1e9504a1a7a9cfdcd65f537a622a496b341b191c41249d9b259ede10dda8d8fc111bff73d05c3c36b69d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanish.ini

Filesize
32KB

MD5
99267cbbd442b9067fb3544a96704654

SHA1
45fc7fb6a7ed0d9b04fbe9b1189d206a5c349206

SHA256
ffaabe7b7cb5a2af0cac9af91fb6358ff818f117e7ab0e7e7742292d5b9f25da

SHA512
62cf67ab871bd16319f2ba4364d1fe3bd9fa309955d631b618942758db173dea0187d9c17d5103850001133ea0a6a309ceca79a2f51a4300fc875ea178bf3028

Download Submit
memory/3016-16-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads