ca5cf4d992edd06dba1dc111bf62894c359d47127266f49a23904934c3939ef9

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe
Size

378KB
MD5

cf31e5f86a2597674bdc0d20bf977d8e
SHA1

115d96043f9921f1a021dac144882ab7df55b647
SHA256

ca5cf4d992edd06dba1dc111bf62894c359d47127266f49a23904934c3939ef9
SHA512

f3f84813871dc578d9fd2a59b50f53e8b5b16f7d9ceb43ac0c288d6a32b5bb49371d3b7f3e2e72f46c572f3aed0b4491a07518c35f09e9c78e70d2099b0fcd9b
SSDEEP

6144:BfO9U+k6d/IVqQhPBDGfn8HGlNZJV3zer5pmJ/cSqIe3W2HJVOCaZQUdLeonr:c9UgtQhDHGV/KrTmJ/XqIem28QCDr

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4808	ldwc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinHttp = "C:\\Users\\Admin\\AppData\\Local\\WinHttp.exe"	regedit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 1048	4808	ldwc.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldwc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4156	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
632	EXCEL.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2776	2692	cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe	83
PID 2692 wrote to memory of 2776	2692	cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe	83
PID 2692 wrote to memory of 2776	2692	cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe	83
PID 2776 wrote to memory of 632	2776	cmd.exe	88
PID 2776 wrote to memory of 632	2776	cmd.exe	88
PID 2776 wrote to memory of 632	2776	cmd.exe	88
PID 2776 wrote to memory of 4808	2776	cmd.exe	101
PID 2776 wrote to memory of 4808	2776	cmd.exe	101
PID 2776 wrote to memory of 4808	2776	cmd.exe	101
PID 4808 wrote to memory of 1048	4808	ldwc.exe	102
PID 4808 wrote to memory of 1048	4808	ldwc.exe	102
PID 4808 wrote to memory of 1048	4808	ldwc.exe	102
PID 4808 wrote to memory of 1048	4808	ldwc.exe	102
PID 4808 wrote to memory of 1048	4808	ldwc.exe	102
PID 4808 wrote to memory of 1048	4808	ldwc.exe	102
PID 4808 wrote to memory of 1048	4808	ldwc.exe	102
PID 4808 wrote to memory of 1048	4808	ldwc.exe	102
PID 1048 wrote to memory of 4156	1048	svchost.exe	103
PID 1048 wrote to memory of 4156	1048	svchost.exe	103
PID 1048 wrote to memory of 4156	1048	svchost.exe	103

C:\Users\Admin\AppData\Local\Temp\cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldwc.bat
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\.XLS"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:632
- - C:\Users\Admin\AppData\Local\Temp\ldwc.exe
    "C:\Users\Admin\AppData\Local\Temp\ldwc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe "C:\Users\Admin\AppData\Local\Temp\ldwc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.XLS

Filesize
274KB

MD5
a8f5a15bd48765d45b5892831cf6e3ad

SHA1
269511ff8aed590aa78d15de949d2500b699f360

SHA256
c5d4e3cf03b0bb55c1c9a8747c0a78b20695848e46d1539b66bc98f945eb2782

SHA512
b6a94aae92cd30d49f25176d1c902d8b79a3f789f4974605e9f8a127c28edc61105cb5d89ef763072719014fd12ed35c5d77a46f7e327bc3064edfc03008aba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldwc.bat

Filesize
30KB

MD5
cdc511797f0a2a7ccc9c98b0e23cced6

SHA1
ebb2a3995c60360736c149439c10b53d8a5d8208

SHA256
86a7fb087b3159afe94f22af50f920f73b050721a963420f974ed6b0ce6e9f98

SHA512
861c2be319173a94a0c949af40b6d06bec2da0adc10b81834c090cb767d7fa64ace44db5194703650fe0b4e6fb1ab707e50fdec816941822caac7f290f0f732a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldwc.exe

Filesize
36KB

MD5
996376a04c664c6e762f78e98b505b92

SHA1
7b01c9a52bdafd1b2d96cecde9053b06e537d7b6

SHA256
55cf68d7c6884777f7e39c939c4ec10d97f2d9fa825d6e6570f541726310d2b4

SHA512
b7c7b1575fd6080670cac6c36b908f44113403a23031515bb701ac5ad6b5b8290ce97797e33cbe0c108148700dfccc234e12c6e82850451c74e750e8b6486a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\~awinhp.tmp

Filesize
880B

MD5
860ab7bb93aa536bab838370b5950660

SHA1
ea29947e1fb102a79627489ff2d508faa875daca

SHA256
ed142b0616661419b999e2dcfdf87eef9093dd86d752378382a0e1ec0be55dde

SHA512
b21cfd4b3228fe1e48e9d84f3055422f4c2358b151b94a0eed5243174a20a752f46e1be8acaa70adb48d3b81083ab680d736f8337fb5f9e410a99fde9388c2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~awinhp.tmp

Filesize
995B

MD5
2a10c6c788758432660545e967a730a2

SHA1
dc97eecd938fddab8084b61655c10df964d151bd

SHA256
68311d21296fe85a5bb31200336dc0d1dd3db172e35fd691ba5994cbb2af4e99

SHA512
41ed816d2be36becd848ee585d42dbea75b9cd5e2f29a70240480994926772254a9e338863e9154e9f939402ad5082f1694c20f0173937c77f1085d7518e1267

Download Submit
C:\Users\Admin\AppData\Local\Temp\~awinhp.tmp

Filesize
1015B

MD5
ef6d7592b4077cd9b8dd2a249de96810

SHA1
62b9b7e170e9d966be478f43c901a7d9a0aaef09

SHA256
de7a7994d28c7c75055cef024b297a99382cdcdb787b50333a6f6aa4832aa412

SHA512
1d2e56a752eed59892327ab992a04695ba9b88d33a4f7f7fb226e48e94310df43fc20ba6453d8f8049b9ee9532fbc61a79b371a4086ffb9c98d157d5ad278a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\~awinhp.tmp

Filesize
1KB

MD5
f6948cfd5cda6665e85ac7dcb6417ddd

SHA1
7904e21c5da15341d529afb3af706cb5b7b75aef

SHA256
a831ea1a4cb9e863330b9b925ecccb16f2f65e99a968af75204bbd988d6c81a7

SHA512
64bdc1486013e3d3dcb0a6812052a4dda5bd3dc08717a5b1159fc5f658324758a924de8f85c619ed129d83aaaf20ab0a762fe7cc35d6b67c95c504ae6f58af67

Download Submit
C:\Users\Admin\AppData\Local\Temp\~awinhp.tmp

Filesize
1KB

MD5
d1cc68b9e3c89f794dbcb9960c2b51d1

SHA1
3bbb89c40c5d26bf7fcfcff48b31d0e30997d496

SHA256
9b5d7822d8760e1d1133fd01fcfcd64883a0b95831d44658b0ed6f8e8598562b

SHA512
be9a4d4f431e2d77d387e4766ae7facccfa8c60b9ae3d5effc2c468ecd7db6b7ed28bc1b24ff595d83f8a31ae1353147143fbf2ca11c671f176d503aa50433b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~awinhp.tmp

Filesize
4KB

MD5
2be064f48a055a26202c86fc075640eb

SHA1
c8bde7ea195c1ad7a15c7141d58310b3a6cc8858

SHA256
80816c46c49e47d4e048a6a00c1816b39b7c68de298fef029eade88f1592376a

SHA512
4ef352bd51fb25940f3064e8412df0f2b206758d478c2e1dc154783215b8a6e25d70d26d686815b6ab18a465d5860b73c349b50fc1c9eb258c46c30356f5b017

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
166B

MD5
f44153ef26be29552cf320325ad8b72e

SHA1
74ac72ba2ff0f871e59b11c95ad707372662370c

SHA256
767009fb8726500a4bc54b2ee744cc3ada64fdf16a44e22ff9dfe7652e2a439f

SHA512
1d42a4dba1d8d0df9f8fedfba384ffdbcff3103c8ba360f255b5d7e8a46128f40521e4d16cf6de04365b3b6ffad8bc681cf7042d92867ab3d912601a3d5e6e65

Download Submit
memory/632-1020-0x00007FFF10E50000-0x00007FFF10E60000-memory.dmp

Filesize
64KB

Download
memory/632-1033-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1011-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/632-1017-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1016-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1018-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1015-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1019-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1010-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/632-1013-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1014-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1021-0x00007FFF10E50000-0x00007FFF10E60000-memory.dmp

Filesize
64KB

Download
memory/632-1022-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1023-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1012-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/632-1009-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/632-1035-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1034-0x00007FFF5302D000-0x00007FFF5302E000-memory.dmp

Filesize
4KB

Download
memory/632-1052-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/632-1054-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/632-1055-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/632-1053-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/632-1056-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/632-1008-0x00007FFF5302D000-0x00007FFF5302E000-memory.dmp

Filesize
4KB

Download
memory/632-1007-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/1048-1061-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1048-1064-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4808-1062-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4808-1059-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads