d6888e1635e6b3561be2fc087834784663239060c7dac3a2872b88a94176ca50

Analysis

max time kernel
134s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 06:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe
Size

2.0MB
MD5

bab9489b17e04bcb5b249ad9baf4d4e6
SHA1

c9a7464338544dd91793674b9556655cb3ff6482
SHA256

d6888e1635e6b3561be2fc087834784663239060c7dac3a2872b88a94176ca50
SHA512

937525f44f878048af6ded44cfd12b18b09e060b2c58b01a11152da035a13a8bcb6659c8f71813495e67669ea044db164cea900da187db6cabbba4ce779ebfe6
SSDEEP

49152:TUUDz3cdM6ozqlHym3K7bpKKTYx33KTzPhRQ2Ukr79:TUU336ooSm3GKKinK3zQ2PZ

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	winxp.exe

Executes dropped EXE 3 IoCs

pid	Process
5064	qhzm.exe
1500	irsetup.exe
4664	winxp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023456-24.dat	upx
behavioral2/memory/4664-34-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4664-45-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhzm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winxp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1500	irsetup.exe
1500	irsetup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 5064	2552	bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe	85
PID 2552 wrote to memory of 5064	2552	bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe	85
PID 2552 wrote to memory of 5064	2552	bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe	85
PID 5064 wrote to memory of 1500	5064	qhzm.exe	88
PID 5064 wrote to memory of 1500	5064	qhzm.exe	88
PID 5064 wrote to memory of 1500	5064	qhzm.exe	88
PID 2552 wrote to memory of 4664	2552	bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe	89
PID 2552 wrote to memory of 4664	2552	bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe	89
PID 2552 wrote to memory of 4664	2552	bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe	89
PID 4664 wrote to memory of 784	4664	winxp.exe	90
PID 4664 wrote to memory of 784	4664	winxp.exe	90
PID 4664 wrote to memory of 784	4664	winxp.exe	90

C:\Users\Admin\AppData\Local\Temp\bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bab9489b17e04bcb5b249ad9baf4d4e6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\qhzm.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\qhzm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1500
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\winxp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winxp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\707D.tmp\new_winxp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\707D.tmp\new_winxp.bat

Filesize
3KB

MD5
de8ec25fa4fd52da544894735ebaba59

SHA1
5aacb28e952c64b3ec045c1b7b9c5d5b5f451d23

SHA256
3683e91b627b135995680593ed4a5a1002e1e6578c0e8b233bcdffbbe19d816d

SHA512
f1d21b1099077b967ee23bb354d9953fa6ebeca95f6339b276aa80b1a0fcc955e57d1cbffbfa9774a828ebac7189c8bc97aeeb577011239e6a26709856887c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
7KB

MD5
e29a24e189e95681bb41f73c16747fd8

SHA1
e9269bb9cb6f2b700fc78f92066f31b15a9c5c2a

SHA256
3973d354045be781eabf9114772fe2e5e96d1e557793de10c914d901b16e8c09

SHA512
4c6db25e04acb8349da29249f712b20c217d792e6d5fd40af9b398e2617d5168ef0afc2505a05b0833b90165d5e5eaf2e98d1821e855a99fc7833de52154ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
51KB

MD5
ff439d8a48231281a5b95d703c168fe7

SHA1
76094b5540f187bc730fb9ce8265c5d5fd74d4e9

SHA256
403b2c886bf9895534a5ebe14894d64f80ec1f10d01c04480ba68a4b10870067

SHA512
ea3c9ff9f2fb64e271b6b0dcd13db4e70d3e5b71b7d6302692bc46586edb33cb6aacb9c9548f00c17d1b063c430c4fd2807afcf39fbe50d358c89e19c6955d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG3.BMP

Filesize
7KB

MD5
95145f4cead2c4bd2ec219bc87d83f1d

SHA1
5eec034dfc7d9a6d93c21f38dfe2405c8968f6ed

SHA256
0542cb1d3e6b50f78dc63ea1abec6c518cfd4ea203649df3ef3834309ea66cad

SHA512
081d9cfa0bc46a54fcf03a62e5663282d27f56e20fbeafba2833d6267de285a354915c661dd67a3217f4dc2330c7f49babf8b24a5a68ba5a014f5e1e297cc5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\9340[1].html

Filesize
7KB

MD5
78936620dcd91aa700feb25172517927

SHA1
551535be518e68b8df7a411e6a0fb7b76f331a39

SHA256
059d9d2923e8be2fef26f7ed7218f0116748d6ef7646b51cc070a65af29e5809

SHA512
8ac3c0acbc81c8cfefba0d60a9be669bae2d5bdfb2377039b5ad6f5fc6e6b8d50c551cc71ba8076a1083beeba3687d342a2ae49f06f1640ed1dd2efe70f44059

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qhzm.exe

Filesize
1.9MB

MD5
d7be6dd11c15221ae17323d7c8f76f9a

SHA1
c09c009c74b8bfc138201f461863bd0bf0489833

SHA256
990b45eb2dfefe973d793a37bb2724eb4cab9f53e5dfb6677e40273bb0c55898

SHA512
c56df41f9eee438973821e2078cc33d96eb719c0dfac0e802add125d0067bc81ffb0b9db05162ca36fa78a40cdc9756f156bcb0acd5d713c0fc0ea918599b842

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winxp.exe

Filesize
29KB

MD5
b2f489417dee4137886893e18c3fdc30

SHA1
0447c7028e4ccac12394c696bbd7f07d5652dbdc

SHA256
ca81092550aaebd7de322bdc8a5737c6ec332d99cdd9f190c47b61d0a9a184b5

SHA512
62d246dc4ff539cb5fa295ddf83a1304bb141f5585011da8752884400a44ae006bf6dc123bef6cc2db06808b0d8438dbbd34baa3b67fe17ee6fe2a169fd44392

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
4KB

MD5
cca760107a1d1bcc7012ff0a41ec2fee

SHA1
0dd389d339437158717e76b0e98b558dfea30a27

SHA256
f2304f2cf37d11f4b5d465521affcab4278ae4d69b699df8482c43554f14ffaa

SHA512
a2dd0f55886d710495ce990eef4824b236d4f0c34b08e528042342188fe07dab2688a3f4dc9c217cf6a5d090427c42f614e7132ce8aec77eacbbe28a8f237847

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
708KB

MD5
9433d5ac20edcf7d39c454fe2f67b43d

SHA1
b46be8abecd975d942bf28987bbda8686f079838

SHA256
3687a458ea72df00e771a62c3eff33849631c662f62c9bb4fa3c735cc2b51b39

SHA512
50fdfb6d8a5305970b65c772de6b1fe1f4791ea379821853579c99e72dc9c3e36d6e9129451ade3084616996abac84137a4446f9747c195695c5d49fd5073ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
85B

MD5
3092609b1be4bd8253877a0a8d075eca

SHA1
4220fe555dd2713ac928e7d7ed7134846af4de51

SHA256
182b91721b9604ecd91dcc49ae685eb1dad1ca26f953f8667040406723a6dade

SHA512
705e73cb9f161ad5c68ecc090553d66dc0b1c220fe6e5da2d232b1f261f5a855e88e59bf38c8c1bfb9dedde885645a56f7e4598f76c80df7c19dfc8d945301d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.4

Filesize
12KB

MD5
5930543afe37917c8e447635310009d5

SHA1
b012ad5d21489c97e2fdb27728e808200fceef07

SHA256
a084e98c6807381e118d47c1c65c591361f4159d87b3b4386ed347ca60c890a5

SHA512
073080d3233d21936fc8ddafd06bcde8eb15913577b1a7015cbdb3a8af13c7678e65f1afa2036e2fb59eebec55f8fbf025958d8490d13dea05a093534a4aff9b

Download Submit
memory/4664-45-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4664-34-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download