67da3649393a7dd86fb6fbe20afb22381ca5b40e1fce19aaded61d3c1a8d6eb9

Analysis

max time kernel
115s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d74006cd89154b41e9c2050ec831b64e_JaffaCakes118.exe
Size

2.2MB
MD5

d74006cd89154b41e9c2050ec831b64e
SHA1

0fcaae5bc567f67aa35b1577135aeb476eaef904
SHA256

67da3649393a7dd86fb6fbe20afb22381ca5b40e1fce19aaded61d3c1a8d6eb9
SHA512

39aebf5f79356497baa0e9ca08252f41fcdb6a919f58f747434c86f2dcce61916ec2e4fd3512b05adb9961c50f8d4199c37f7d7a71127d5e7757d343cde76b93
SSDEEP

24576:h1OYdaOjqU2Uzf5rilCfBJy1WSyDBXEZc78KU88SUhr2zcJ:h1OsJqBI5rilCfycvchruQ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	ljqqT4iGUw2BPgT.exe

Executes dropped EXE 2 IoCs

pid	Process
3680	ljqqT4iGUw2BPgT.exe
1544	ljqqT4iGUw2BPgT.exe

Loads dropped DLL 1 IoCs

pid	Process
1544	ljqqT4iGUw2BPgT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d74006cd89154b41e9c2050ec831b64e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljqqT4iGUw2BPgT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljqqT4iGUw2BPgT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SystemFileAssociations\.aHTML	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\__aHTML\shell\Edit	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\__aHTML\shell\Edit\command	ljqqT4iGUw2BPgT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DZKAPN.tmp\\ljqqT4iGUw2BPgT.exe\" target \".\\\" bits downExt"	ljqqT4iGUw2BPgT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DZKAPN.tmp\\ljqqT4iGUw2BPgT.exe\" target \".\\\" bits downExt"	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.aHTML	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.aHTML\OpenWithProgids	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\__aHTML\shell\Edit\ddeexec	ljqqT4iGUw2BPgT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.aHTML\OpenWithProgids\__aHTML	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SystemFileAssociations\.aHTML\shell	ljqqT4iGUw2BPgT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\__aHTML\shell	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\__aHTML	ljqqT4iGUw2BPgT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\__aHTML\shell\Edit\command\ = "Notepad.exe"	ljqqT4iGUw2BPgT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.aHTML\ = "__aHTML"	ljqqT4iGUw2BPgT.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SystemFileAssociations	ljqqT4iGUw2BPgT.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1544	ljqqT4iGUw2BPgT.exe
1544	ljqqT4iGUw2BPgT.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	ljqqT4iGUw2BPgT.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3680	2372	d74006cd89154b41e9c2050ec831b64e_JaffaCakes118.exe	83
PID 2372 wrote to memory of 3680	2372	d74006cd89154b41e9c2050ec831b64e_JaffaCakes118.exe	83
PID 2372 wrote to memory of 3680	2372	d74006cd89154b41e9c2050ec831b64e_JaffaCakes118.exe	83
PID 3680 wrote to memory of 1544	3680	ljqqT4iGUw2BPgT.exe	87
PID 3680 wrote to memory of 1544	3680	ljqqT4iGUw2BPgT.exe	87
PID 3680 wrote to memory of 1544	3680	ljqqT4iGUw2BPgT.exe	87
PID 1544 wrote to memory of 2256	1544	ljqqT4iGUw2BPgT.exe	88
PID 1544 wrote to memory of 2256	1544	ljqqT4iGUw2BPgT.exe	88
PID 1544 wrote to memory of 2256	1544	ljqqT4iGUw2BPgT.exe	88

C:\Users\Admin\AppData\Local\Temp\d74006cd89154b41e9c2050ec831b64e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d74006cd89154b41e9c2050ec831b64e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\ljqqT4iGUw2BPgT.exe
  .\ljqqT4iGUw2BPgT.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\DZKAPN.tmp\ljqqT4iGUw2BPgT.exe
    "C:\Users\Admin\AppData\Local\Temp\DZKAPN.tmp\ljqqT4iGUw2BPgT.exe" target ".\" bits downExt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s ".\\1isVvhbj1w5J3M.x64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\1isVvhbj1w5J3M.dll

Filesize
863KB

MD5
bea90db8907c61f6d3ce2d3882834fd3

SHA1
e0f71271e501f7575de620fa556b230433abdec2

SHA256
4df4246e0696f16ae8f2b57ba9b485b77319ca1791347cd72a7e4860d8654de2

SHA512
40704e0976739779a78f256c0f5fc43590661268d8e03ab13f91882ad2974dcb8fc4dfe9d722798565d64d410bd137b7d3bae554fedf90b17d1aa5cb39d33851

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\1isVvhbj1w5J3M.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\1isVvhbj1w5J3M.x64.dll

Filesize
945KB

MD5
9f655d0e8976c1e3602189abb18bde1c

SHA1
e447ee4389a1382db8ac9b54eb47b1918a761f2f

SHA256
abad39ce6c3f88900d848c6073e47daea5d4686353f947988b177b99cee9f585

SHA512
26135644d7708f0b4adcb53beeca07bc9523bc9287027f678f788b96811d8cf24462376487368ce35174c020838b9b1ed8cdb25c42263b110335e4ab3b4eebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\emjndmmjpinkmjpnenjbmglgcnbkjjog\Z30iftFh.js

Filesize
6KB

MD5
6690f1642d21ab7b5ac99cc7e63bcb87

SHA1
66e77d20c07345f06450a152cda00b926887224a

SHA256
ced1f50c4118fa5b767f5dccb79f21f2119c043a9534d550c639eac61aa72692

SHA512
1a34fe24db0ba9fcc9868c2968705400023baacbedb93a524345186f94b19a8106f662e9fb6ec93894ece17b31b106ba3a482feb31ac6ba3b087e61d1f034a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\emjndmmjpinkmjpnenjbmglgcnbkjjog\background.html

Filesize
145B

MD5
ba2aac6c831289b78b1581b946e4c837

SHA1
51845dc122da5ba8333b968675fef78b5bba1937

SHA256
a4be0e7a407b9f386c56d17e8634e22b8c216789bd0925d699c67fdd926a5796

SHA512
df5cd920980ffd795a22852593e32456e6506e08528c88dc5bf1d6476db7d4fc62f121500d9eb9c589429900536406c64d5f028cb25093c0c232346426ce74fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\emjndmmjpinkmjpnenjbmglgcnbkjjog\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\emjndmmjpinkmjpnenjbmglgcnbkjjog\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\emjndmmjpinkmjpnenjbmglgcnbkjjog\manifest.json

Filesize
504B

MD5
7a5971b2e4243e1c2a49dd980c0e93fd

SHA1
eaf87bf63062f868ce1088c7681d2012e5de94fd

SHA256
407e4c39d3b8d4e66ded1f8412887321eaebe60206e659fd01146d57953cd024

SHA512
ece4883be86b9c5eab156165450e6924fdf996801b7e3739742b1ecd7a213e2ce042d0d32e3f7f0442e3c13540c01c8cc081824ea3fa3c7f5a1c422f674e65f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
d03e5dbbcf8e7a210a88cfeb11629948

SHA1
7e745b4335a923883233edcfff2a946a7643d014

SHA256
8d7cac42c1d17bcfe6b35386742922825029cfacd50c3a187acfc54377b1a5d7

SHA512
c86fc0ca17bd0920a9348c0866b6ee18d406238a43bace149356bcc30533af9567ed41f17ed8534f439e95ff2d5632fa5d0297219a2e07d3ef4706c011235785

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
b32568136038681b2047fec9c121ab2a

SHA1
c543deb3ca091358f0e0f56568fb6900de6417f0

SHA256
274d2c1b4c8a1a5714144e68805e11c0ecf3a4b7ef9105d126fa8cbbde9962e6

SHA512
cb4cac8bde21b2fc925d3338b9ed66d43d7110c648888cad6c4646616db1d4e11d52f87420af9687261ec506695319617a5e8f906b44a7009dbf8ed98910daac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\[email protected]\install.rdf

Filesize
597B

MD5
da527280dff079988a93ca2cad01913a

SHA1
c2de1a0d847f0ea8819f9b59520714354e461279

SHA256
8b8a3715261c89c6e855f165d079a6e388c5b4e8338218321baf4baf4104ad6a

SHA512
059577e8b655541553aa4e2b952c077bb45d882126b5001f35e0a3fd88a500254c31e460b17a5e96388aebbd6c464b60d5681d49c7afb9228f8c2a9f2ffacf26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\ljqqT4iGUw2BPgT.dat

Filesize
14KB

MD5
27c1224454a263bc8ba38e2be818c38a

SHA1
636fdcb763b1c43046611dfc3dbac5f2ae9dcb53

SHA256
68c28cbc75a8b582bdcedf1c12460056d2a951cdbcbf34672364edd4ef7dd402

SHA512
d1a1e73e4ad2391e372497304ace443182737cfa5293d5940ec49672ea98cd74f145ed3db420552997bcdfe4a081cfcd19fa2e907cf1de79bc793063cd2ad3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\ljqqT4iGUw2BPgT.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit