40bd57cc6c154b404d18f74fe7ac51c05c6d8f5003441c37682764cd48700b8e

Analysis

max time kernel
95s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe
Size

2.7MB
MD5

d42b78a62f13933eacf382938e34be19
SHA1

f33b76769d05e63c209614af29069c688518f8fc
SHA256

40bd57cc6c154b404d18f74fe7ac51c05c6d8f5003441c37682764cd48700b8e
SHA512

2b6015955095cb876f2aff485e6a107adac6599dd72bf69ee97cdbbf2a9546c4132ca19913014dd7781a9b0d3931ffbb22da54de31334befa5ecd7fcddd9aaab
SSDEEP

49152:vvnKZgzXLFG5ZE3gc+hRRHxgSSzvB7D2kJaJ4wrUWd:vPKibSZRp/qhD2YafrVd

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3156	CCleaner.exe

Loads dropped DLL 1 IoCs

pid	Process
3156	CCleaner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCleaner.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234c3-35.dat	nsis_installer_2

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3156	CCleaner.exe
3156	CCleaner.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3156	3036	d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe	86
PID 3036 wrote to memory of 3156	3036	d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe	86
PID 3036 wrote to memory of 3156	3036	d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe	86
PID 3036 wrote to memory of 3156	3036	d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe	86
PID 3036 wrote to memory of 3156	3036	d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe	86
PID 3036 wrote to memory of 3156	3036	d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d42b78a62f13933eacf382938e34be19_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\Data\local\stubexe\0x53054BEAEC2307E6\CCleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\Data\local\stubexe\0x53054BEAEC2307E6\CCleaner.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Data\local\meta\@APPDATALOCAL@\Temp\CCleaner.exe.__meta__

Filesize
32B

MD5
806c6439d4f065f34546bef1c947085d

SHA1
930726ff4939ad9854a1deed704bc57a7d934cfc

SHA256
5ceb2c89819cea84d89aa6242a807ed7a81ed4ca958237d7f74931b22edb1460

SHA512
8c510d3fb895631568666b433be09aa39d0cbb50aa2a8763b0a014db520e1df36f6705c4a165600c38ef21430c5ca1b9a7c6f013cae23080aca0a360a2c2adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Data\local\modified\@APPDATALOCAL@\Temp\CCleaner.exe

Filesize
47KB

MD5
5d0babf4b42add240cfe32ce5827bc7e

SHA1
de5dfce715a30e501df918902b3932dd8f509cc9

SHA256
be3a5333a0db64c2c41601be804de4a49996e181cac0eb46af7d0e250f58fcfa

SHA512
f7281c3a54510585b6f0f91ac78cbf177e529345b84c1db6204fabed399829fb6bcead091f714d4b4fe8237e052453c098b96de34e863f4c9688ad0e7dd0ca50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Data\local\stubexe\0x53054BEAEC2307E6\CCleaner.exe

Filesize
24KB

MD5
4c8ddd6363d13632a9456c0a092b8a31

SHA1
f6b6d1f796c4442c27c027f52d415d0313330fd5

SHA256
7aaac34fee43daf38a04a2bcc2675f674c0c91dab0e69296518bd4b07c88c4f5

SHA512
9c981ddfb9c6d3d33912cc170a21644e465d2a6407b9c977bda9295ece0da8b0e6097ebfe8b7fc5ab1632e931092067a6e76cd5afb05ffe45a688c42dc888966

Download Submit
C:\Users\Admin\AppData\Local\Temp\Data\xsandbox.bin

Filesize
16B

MD5
ec3d19e8e9b05d025cb56c2a98ead8e7

SHA1
748532edeb86496c8efe5e2327501d89ec1f13df

SHA256
edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4

SHA512
175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

Download Submit
memory/3036-25-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/3036-86-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/3036-16-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3036-5-0x0000000077943000-0x0000000077944000-memory.dmp

Filesize
4KB

Download
memory/3036-23-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/3036-22-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/3036-3-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3036-17-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/3036-13-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3036-26-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/3036-12-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3036-11-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3036-8-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3036-7-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3036-10-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3036-9-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3036-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3036-4-0x0000000077942000-0x0000000077943000-memory.dmp

Filesize
4KB

Download
memory/3036-24-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/3036-14-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3036-89-0x0000000000CB0000-0x00000000011CD000-memory.dmp

Filesize
5.1MB

Download
memory/3156-84-0x0000000073840000-0x00000000738CD000-memory.dmp

Filesize
564KB

Download
memory/3156-64-0x0000000001C30000-0x000000000214D000-memory.dmp

Filesize
5.1MB

Download
memory/3156-85-0x0000000073840000-0x00000000738CD000-memory.dmp

Filesize
564KB

Download
memory/3156-66-0x0000000001C30000-0x000000000214D000-memory.dmp

Filesize
5.1MB

Download
memory/3156-67-0x0000000001C30000-0x000000000214D000-memory.dmp

Filesize
5.1MB

Download
memory/3156-82-0x0000000073840000-0x00000000738CD000-memory.dmp

Filesize
564KB

Download
memory/3156-76-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/3156-77-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/3156-83-0x0000000073840000-0x00000000738CD000-memory.dmp

Filesize
564KB

Download
memory/3156-81-0x0000000073840000-0x00000000738CD000-memory.dmp

Filesize
564KB

Download
memory/3156-62-0x0000000001C30000-0x000000000214D000-memory.dmp

Filesize
5.1MB

Download
memory/3156-63-0x0000000001C30000-0x000000000214D000-memory.dmp

Filesize
5.1MB

Download
memory/3156-61-0x0000000001C30000-0x000000000214D000-memory.dmp

Filesize
5.1MB

Download
memory/3156-70-0x0000000001C30000-0x000000000214D000-memory.dmp

Filesize
5.1MB

Download
memory/3156-65-0x0000000001C30000-0x000000000214D000-memory.dmp

Filesize
5.1MB

Download
memory/3156-69-0x0000000001C30000-0x000000000214D000-memory.dmp

Filesize
5.1MB

Download