f1b06603bf2c7c0716eefbce73cda85c718d7e0ea37f25cb2eee8c976e88182d

Analysis

max time kernel
140s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 12:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe
Size

224KB
MD5

b78d89cf86648b3257b85fb257e6b1d5
SHA1

a8aab2fe04b65867ea11826c8ac50c9bb140ca71
SHA256

f1b06603bf2c7c0716eefbce73cda85c718d7e0ea37f25cb2eee8c976e88182d
SHA512

5d78460dcc336df84e64cc2b121b0bc765e92472dde7e507e683a4aa9ee20ce67ee3aebe00dce79aa10623801a591452b9eeb8c6c5e6543b818fc3aa08c67d8c
SSDEEP

3072:2XDpNNe9DqIkT1BXvVSk9A/3O6PBVV4FN8qLL3kLYoYFQEIKXq+KmN/yQeisc850:QHvnj/QoW

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\nddktwwnxhbbhn.reg	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinRAR\READ.TXT	WScript.exe
File created	C:\Program Files\Common Files\tk.reg	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WinRAR\haqqowxie.tk	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe
File created	C:\Program Files\WinRAR\haqqowxie.tk	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\My.ini	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptEngine\ = "JScript"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "open"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\ = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\??(&R)\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "????"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Edit\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\ = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ScriptHostEncode	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\ = "Open &with Command Prompt"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.54600.com/?byme"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\??(&R)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tk	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "JScript Script File"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\IconHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers\WSHProps	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\DropHandler\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\ShellFolder	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptHostEncode\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Edit	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Print\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe /p %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\PropertySheetHandlers\WSHProps\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4804"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Edit\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\Command\ = "C:\\Windows\\SysWow64\\CScript.exe \"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "C:\\Windows\\SysWow64\\WScript.exe,3"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\??(&R)	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "C:\\Windows\\SysWow64\\WScript.exe \"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID	regedit.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1980	regedit.exe
4736	regedit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3732	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 1712	3732	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe	91
PID 3732 wrote to memory of 1712	3732	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe	91
PID 3732 wrote to memory of 1712	3732	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe	91
PID 1712 wrote to memory of 1980	1712	cmd.exe	93
PID 1712 wrote to memory of 1980	1712	cmd.exe	93
PID 1712 wrote to memory of 1980	1712	cmd.exe	93
PID 3732 wrote to memory of 3860	3732	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe	101
PID 3732 wrote to memory of 3860	3732	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe	101
PID 3732 wrote to memory of 3860	3732	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe	101
PID 3732 wrote to memory of 4788	3732	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe	102
PID 3732 wrote to memory of 4788	3732	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe	102
PID 3732 wrote to memory of 4788	3732	b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe	102
PID 4788 wrote to memory of 4736	4788	cmd.exe	105
PID 4788 wrote to memory of 4736	4788	cmd.exe	105
PID 4788 wrote to memory of 4736	4788	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b78d89cf86648b3257b85fb257e6b1d5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Program Files\Common Files\tk.reg"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Program Files\Common Files\tk.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs .reg file with regedit
    PID:1980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\SysWow64\WScript.exe" "C:\program files\winrar\haqqowxie.tk"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Program Files\Common Files\nddktwwnxhbbhn.reg"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Program Files\Common Files\nddktwwnxhbbhn.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs .reg file with regedit
    PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4020,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\nddktwwnxhbbhn.reg

Filesize
2KB

MD5
d474c6bc8e1770470c500c6a22cdf862

SHA1
d9fa98d459168d85f0835e8dd05c97dfbd04d053

SHA256
32a025aaf86cdeb4d3283ed2f6f330c2848d807769753bc8385ee87bd08667e9

SHA512
049ae24a952f999a2d634b24565416c5a8fb64a06791c397899d2198086b43b1629d22be1218b7c875a2f36935c10426cb0c5dc535417cbd3b62e6dc373bf714

Download Submit
C:\Program Files\Common Files\tk.reg

Filesize
2KB

MD5
ad9792973a4abb08339cbd25c008139e

SHA1
177a0b9883fa26127dac9b213cceb626d5a289e6

SHA256
dc3e37b68398faa05cd30eaf0ead9de7b32e75a5a4e7aa7c864efdd2fd42886a

SHA512
b619a6e97646eefddca1b02be9ed47133d91975bf113d2eead95bc2bdb5f64ac711cc0a12e7de5ce048816612a7e9084454eacc474624f80b2ca93cc80a6eb10

Download Submit
C:\program files\winrar\haqqowxie.tk

Filesize
30KB

MD5
8da7beba72eb959a4c208aca98c04918

SHA1
d6577682ba0c04ba2e1122423884a453adafd71a

SHA256
54a1bf8074ca6d731f7350d267f685b0e9f2f13e499dd909d9d67db82bea6d1e

SHA512
aca77f39aa217899b53bc20ba57332744f3d44f1bfb7c33c78b82eaaa5bbda82c16598cb08e8000f66ee2420aa615e1b1990cee760695858e4599fff5ce707f5

Download Submit