56302b13ba25b27b2cc4e7f51ee00db478f814898a19355e1b79976e1387f322

Analysis

max time kernel
141s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac95186825b222457c085d32ca4cb4a0_JaffaCakes118.exe
Size

2.6MB
MD5

ac95186825b222457c085d32ca4cb4a0
SHA1

9f2ea2094d5c42102db88e78ec7a6521684e99ff
SHA256

56302b13ba25b27b2cc4e7f51ee00db478f814898a19355e1b79976e1387f322
SHA512

2e6852d766f3ca0541d79f237a6846ebdaa1b6d04674031dadc76746ddc66bd57e378faf047bbb95644e05f4b53512d85f89661181b72e8fb4fbbcf651545095
SSDEEP

49152:PaWDnkvA3cNuZtt1p7oeYlrEKgI8OkU/WXnyhJ1KXZ3pN+xM9FjDn4y+Cyz0:bXIujZLYOKw/3aJEpZ8xAZcCyz0

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ElbyCDIO.sys	sys.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ElbyCDIO.sys	sys.exe
File created	C:\Windows\SysWOW64\drivers\ElbyDelay.sys	sys.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ElbyDelay.sys	sys.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	ac95186825b222457c085d32ca4cb4a0_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
1736	sclone.exe
1168	sys.exe
384	CloneDVD2.exe
1264	RgDrvls.exe

Loads dropped DLL 3 IoCs

pid	Process
384	CloneDVD2.exe
384	CloneDVD2.exe
384	CloneDVD2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002346d-120.dat	upx
behavioral2/memory/384-129-0x0000000000400000-0x0000000000A8E000-memory.dmp	upx
behavioral2/memory/384-141-0x0000000000400000-0x0000000000A8E000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ElbyCDIO.dll	sys.exe
File opened for modification	C:\Windows\SysWOW64\ElbyCDIO.dll	sys.exe
File opened for modification	C:\Windows\SysWOW64\drivers	sys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RgDrvls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac95186825b222457c085d32ca4cb4a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sclone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CloneDVD2.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 1736	3676	ac95186825b222457c085d32ca4cb4a0_JaffaCakes118.exe	87
PID 3676 wrote to memory of 1736	3676	ac95186825b222457c085d32ca4cb4a0_JaffaCakes118.exe	87
PID 3676 wrote to memory of 1736	3676	ac95186825b222457c085d32ca4cb4a0_JaffaCakes118.exe	87
PID 1736 wrote to memory of 4556	1736	sclone.exe	88
PID 1736 wrote to memory of 4556	1736	sclone.exe	88
PID 1736 wrote to memory of 4556	1736	sclone.exe	88
PID 4556 wrote to memory of 4588	4556	cmd.exe	90
PID 4556 wrote to memory of 4588	4556	cmd.exe	90
PID 4556 wrote to memory of 4588	4556	cmd.exe	90
PID 4556 wrote to memory of 1168	4556	cmd.exe	91
PID 4556 wrote to memory of 1168	4556	cmd.exe	91
PID 4556 wrote to memory of 1168	4556	cmd.exe	91
PID 4556 wrote to memory of 384	4556	cmd.exe	92
PID 4556 wrote to memory of 384	4556	cmd.exe	92
PID 4556 wrote to memory of 384	4556	cmd.exe	92
PID 384 wrote to memory of 1264	384	CloneDVD2.exe	93
PID 384 wrote to memory of 1264	384	CloneDVD2.exe	93
PID 384 wrote to memory of 1264	384	CloneDVD2.exe	93

C:\Users\Admin\AppData\Local\Temp\ac95186825b222457c085d32ca4cb4a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac95186825b222457c085d32ca4cb4a0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\sclone.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sclone.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt8438.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\reg.exe
      reg import 1.reg
      4⤵
      System Location Discovery: System Language Discovery
      PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\sys.exe
      sys.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\CloneDVD2.exe
      clonedvd2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RgDrvls.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\RgDrvls.exe "C:\Users\Admin\AppData\Local\Temp\CDV8ACB.tmp"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CDV8ACB.tmp

Filesize
115B

MD5
74f39b08a556b00acdcc1a484f8982f5

SHA1
b84a5e2735d2be7f19f28e7fd520a8cba617493b

SHA256
05c935b42ec10fa2a23a93261c42807c37ef97940e18f544f5180d6084932331

SHA512
668605dfbe0ddef1890d528eb962d04cc3ae49173797f6b18f4fb8e5ca85e0a1ecab621518292a047ed6d9c9dba382473c66c3b661625150d991456733be8e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.reg

Filesize
1KB

MD5
34c15aebb6e18befdd8f39ecb4a397b6

SHA1
a98ae41614911d1e8a27722679671a4976a087b4

SHA256
1b23e2aaccadb12bffbc804cc79e50f126684fbd0bc1cbc2ec0b2ebc34d0023a

SHA512
ff3fbff0e17fa7537e75e780cd4b152282fd0bd852f17d3334434cd07e0c1eb8100ab5e005b4de2cb109a74dc25b0397707de56904bb48f831bcdc434b59878b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CloneDVD2.exe

Filesize
1.8MB

MD5
9943039167e5d0dea6974ba3c2a68957

SHA1
ded956a02289c5128b5334e6894ea4caaf746c52

SHA256
09668d06420b60e6494682eafa3281f9e99dd95ffff39570539177fd488a61b8

SHA512
3569e8dfe8a2539a024f1de7a9b131bcb2a887ab309bbc54f6045e5715edafbf3304261a317ffc1b73d78ab2e9eb21ef6d1651a70ec895142d950bad94e3d4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CloneDVD2.ini

Filesize
331B

MD5
7dbe5b386b7e913052a66f040d4fd7d6

SHA1
b3084b34c8ba29bac63c26457bf398b70a0d0c93

SHA256
cac4e72f2de7ecf6d3c4e679009293e7c79391bceaedca522f5b76aa32f492b2

SHA512
addc893bb9b64df64514c3d945618e2bcf9e46b8b212b0bb2c6b694b984561bb29090a4cf9da3713b4edc93870aa12c65f95b47b1fbffe46995a6eaf962eebc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RgDrvls.exe

Filesize
122KB

MD5
d5efc15292ffa32e9d270e584c757e15

SHA1
5f2863ab932ccbae26d03c5191f0a87a0057f089

SHA256
bcce814419d66464235798a54d5e0969a5100f185ebf09f638b8cafaba6b16d4

SHA512
4bbd7cc93d9c0c22ee9ea2f75af8751baa48d94fb8ff23fd8dc0743fdcf2a589a731ae11cf1b3d5fec08e26a5f7798553dc38a73b4fa15e5a7c0420b79c27c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SClone.exe

Filesize
357KB

MD5
338597a988b998216eb8f5f873614847

SHA1
02e015dd56055740a4f0e2d450900893e97b9344

SHA256
07616065988ad9cf6a77aaa5caf9ff7072aeaf5daabb835b28199520e1c74f90

SHA512
4a491b456ebaa57bf91311985032b4f5425addd9f0da15cff1abff4bb5b49e34c6eec90782f15c568893923296738bf6e42121252970759f66d77ba69759ecce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WriteDVD.dll

Filesize
80KB

MD5
6b760f1008de937e0c99167149335184

SHA1
28c4240d3725512420e739f7c2b416cec93f1951

SHA256
f8d9759d6f633ef16ca96fc480b5080fc1f8be5203003a87c816725dc159a4d8

SHA512
d3594e895451a3ab3e7e38763fc0cf329cdcc611978dd839541b77e6a046482a9dac27dd680d695c3410efb5f5a61553d87a0c6dc500deb80aebb62ba8f243e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sys.exe

Filesize
91KB

MD5
fe07ae509b12dae629d473f1e259e65c

SHA1
8ea2433f0ab84f357a71dfd30e6624116746b0bc

SHA256
cb7c5e8ac5aab640e432e90898de9c1c69215730c94bbec2ad4d6424c7d8fb55

SHA512
d3dab4bf831d41342a259b6de5d41f20b345c11b972d580fb3a6c2653d72d4e66434cf5d466c0673f3543d97c38d1ec0f7124c5ed2127c35fab61e89d2a322bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt8438.bat

Filesize
216B

MD5
bfda311b0b0407d46eb86df615e6c513

SHA1
65a73ea28fc65bc55acb6f808c36b8ff70650604

SHA256
164b3bace690c6acc790a51db7a8cc2bfb5925305ede7e2790f6cfaa9a32bae5

SHA512
9683ef88d5ddbacef45af1b91896eef75258f1bf8d8069f7ec5ac0c7ea45468259f6a700c4466cd7065e096cb86b504694cdb374d1fc45204e46088f95aeeb4b

Download Submit
C:\Windows\SysWOW64\ElbyCDIO.dll

Filesize
80KB

MD5
6307d829ec9bd1019a9e8aab80102ebb

SHA1
1f36b9260f4263b9ac0575ceb7965534324ee7c6

SHA256
bac5f93ec3839858fed25bb4d08b3d834bdec501cfeea1e1cc4fa0712f970629

SHA512
6bac1477a0d753131f6283c8d63a37b70f33902f760bfc7152467365200c197ae65d656110c4a670e19edcff9098453d40987cdfbdb872347647c17b2d3d70cc

Download Submit
memory/384-127-0x0000000000B10000-0x0000000000B26000-memory.dmp

Filesize
88KB

Download
memory/384-141-0x0000000000400000-0x0000000000A8E000-memory.dmp

Filesize
6.6MB

Download
memory/384-129-0x0000000000400000-0x0000000000A8E000-memory.dmp

Filesize
6.6MB

Download
memory/1168-109-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1168-111-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1168-118-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1264-131-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1264-134-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1736-95-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1736-94-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1736-93-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1736-140-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1736-139-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3676-2-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3676-1-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3676-137-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3676-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3676-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download