6f2642da0cee6e4ed6866607761f92effdcf21171a0540abbe519732eaffdcf7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 04:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
Size

1.1MB
MD5

d10f3e52e0170d2ba634bdcfa9ecb43e
SHA1

41f0d67afed5c0838ef0adb047c34875ec80c5b0
SHA256

6f2642da0cee6e4ed6866607761f92effdcf21171a0540abbe519732eaffdcf7
SHA512

bcd18abc261ea0382656610ba42085bf184c5faf8772cf7bee9b279185eec9bb1a0a52509ff0c1cd3b9279a1cdca329dba41649d9d262f032f1ec14132731228
SSDEEP

24576:6ArW/8hh0FQAq7c8nA7YMv3+DpBNPRI9ovlG4XozaEhptdPYfCG6bYVxXNVD8pVv:6e0mfW3YNPRRlG4saIprQNy

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2484	2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe	86
PID 2608 wrote to memory of 2484	2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe	86
PID 2608 wrote to memory of 2484	2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe	86
PID 2608 wrote to memory of 992	2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe	87
PID 2608 wrote to memory of 992	2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe	87
PID 2608 wrote to memory of 992	2608	d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:992

Network

DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

htl5656556.u1.luyouxia.net

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

htl5656556.u1.luyouxia.net

IN A

Response

htl5656556.u1.luyouxia.net

IN CNAME

u1.luyouxia.net

u1.luyouxia.net

IN CNAME

b1.luyouxia.net

b1.luyouxia.net

IN A

123.99.198.201

b1.luyouxia.net

IN A

111.173.80.157
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

123.99.198.201:53071

htl5656556.u1.luyouxia.net

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

260 B
5
123.99.198.201:53071

htl5656556.u1.luyouxia.net

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

260 B
5
123.99.198.201:53071

htl5656556.u1.luyouxia.net

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

260 B
5
123.99.198.201:53071

htl5656556.u1.luyouxia.net

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

260 B
5
123.99.198.201:53071

htl5656556.u1.luyouxia.net

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

260 B
5
123.99.198.201:53071

htl5656556.u1.luyouxia.net

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

260 B
5
123.99.198.201:53071

htl5656556.u1.luyouxia.net

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

260 B
5
123.99.198.201:53071

htl5656556.u1.luyouxia.net

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

52 B
1

8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

htl5656556.u1.luyouxia.net

dns

d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe

72 B
135 B
1
1

DNS Request

htl5656556.u1.luyouxia.net

DNS Response

123.99.198.201

111.173.80.157
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

22.236.111.52.in-addr.arpa

DNS Request

22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
2004bcee923b0e0222f4cab87c2c2a3d

SHA1
0a3c122b7cfe403403d913ecc1b328480b1bfc2a

SHA256
f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

SHA512
cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
735B

MD5
41de862d61a3e071cd3050e2eadf59ab

SHA1
0ac21f7a7dbb9e2ba601ba84ce4d0ba86cf119d1

SHA256
1e46176cab0c32ed1b78663d61c1729c6d1a7bbc79f02cebb604c0de1109c844

SHA512
65ddafeae0ad19104a342efd2b77a064736ea796a2d9f802f6081e55e6a2d383990f5e8a8558257cf8c9a905fc1baa2bf8efba7db802555a788abc36f80461ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
23f637a3810959f3cab1406b9b0904bb

SHA1
9d3e0c425c156c72e167a07155066880566e649f

SHA256
1d02e25a23156be13afa686f1bb5437ce9591f02c985a9f1028c895f90ba72b0

SHA512
83b66add76ba76a5ca6fc95f01c5d19a9758dce475d87f0da065d769e661b7d01d3b848164cc74f824aabf38c64a79af927d6deb47558153010b949386d8fd53

Download Submit
memory/2608-0-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2608-16-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2608-19-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2608-22-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2608-26-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2608-29-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2608-32-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2608-35-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.