b7b3672cfe67d75ac1b7a99786b61c5b094388e9786bd6feff80bde7f9a8e6be

Analysis

max time kernel
95s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
Size

487KB
MD5

f57f9cbc889253a4af0c22e9124c4355
SHA1

38815009691932ddd1c57819f2fd90368bd33fff
SHA256

b7b3672cfe67d75ac1b7a99786b61c5b094388e9786bd6feff80bde7f9a8e6be
SHA512

b36f6776de1f131c3e1cb2b518ac34f6dd19610b2b7abb4178e7a3c7df51a9d187755e252a133b4f2594a80e464413d60f6ba4a819978a5880e604ecfc339be4
SSDEEP

12288:9JB+hGcEYFw1Ud7mtUotK6ONqOePOHnI2aPyvI:9fG7yztrwq3POH3aPyvI

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	cmstp.exe

Executes dropped EXE 1 IoCs

pid	Process
2784	cmstp.exe

Loads dropped DLL 1 IoCs

pid	Process
2784	cmstp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe

Suspicious behavior: LoadsDriver 14 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1220	cmstp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2784	4484	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	82
PID 4484 wrote to memory of 2784	4484	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	82
PID 4484 wrote to memory of 2784	4484	f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe	82
PID 2784 wrote to memory of 1220	2784	cmstp.exe	83
PID 2784 wrote to memory of 1220	2784	cmstp.exe	83
PID 2784 wrote to memory of 1220	2784	cmstp.exe	83

C:\Users\Admin\AppData\Local\Temp\f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f57f9cbc889253a4af0c22e9124c4355_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.\cmstp.exe NL-L2TP.inf
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmstp.exe
    "C:\Windows\system32\cmstp.exe" "C:\Users\Admin\AppData\Local\Temp\{37FFA9A0-027A-49DF-B5DF-A41FD22A29E7}\NL-L2TP.inf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.dll

Filesize
97KB

MD5
774348de1dea6262e06bfe1906d13d4d

SHA1
4a14b774809ed123e19ae349c32631e1f25de51e

SHA256
bae10cb915e197485823414ee42743a631299ade58724eae780b3850937e877e

SHA512
1743a9fe2f1dd88ca02673fa1d038cfc6861a3fb3202e6738ab63b72407f0746012fcb95c8d21d6a3f37234b40aa5a2bde7aabcb4de1b5238f4adaffbccbe037

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NL-L2TP.cmp

Filesize
132B

MD5
3bad69bc69f20528870300594242c7b0

SHA1
cf9f7efce335e5c73d24bd7bc9b58e26d82e8b62

SHA256
186e607f7f4974f0fcf497b8c1d6a56d5dd389be688ba62f01005a456dea7c97

SHA512
ef66141a36d578ac23c07d21be54ef056cb6e52d5290567ef5a278668135b1aa98f0850365a14c4600dcf2a70f377588e5f4d734a08e0d09430fbade9886421e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NL-L2TP.cms

Filesize
2KB

MD5
730f1f395558588881c3a55a9e4665ac

SHA1
d5bdfa812c2761c2d046cf48bd49fde9e1f99b37

SHA256
21f656624953cceb2f1fd658aca35fd43c0986d22e93f5ff9eee14853c190e0d

SHA512
050b027333c5c0aeb6b333d3b8b635e42279f94b0477644f60d908eec87403468cb908459780a25eadbeb8ba8885b91b935a246bc4a4c146a98b1ac392f8feb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NL-L2TP.inf

Filesize
9KB

MD5
b32837f4e03e3fd2006f11f66eb1ec2a

SHA1
6cd9ec806b7a8df5f5172d9806d8d2df03cddc5b

SHA256
26b6fab465c9dcc47d5d0b1b1a99dd66226a6609240d09a4258153fb1e2a31eb

SHA512
78c7e5ffec03c1c28d8ed2f73dc65ccdde3160b119061943712a81c4cfe616bb087dab8b3e498e71254c55521d59af90946d10bd27113d4bc4459f28a8388d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ccfg95.dll

Filesize
32KB

MD5
614f667fa7a81c1c7b5ed73575a808d2

SHA1
b06495b84b2625000017c8561f1aa22fadaf85e0

SHA256
bff2edf1550214df27fa6fd2e025c48bf876dcc7ef8d2ec792231fe810550379

SHA512
37d184d988954d56743e7ba0d78b80f75d259ed792b5413f64b5e6da1d2916ce61a58f2a3d89bfe2eb6a96a3e6ae30b2d0d7d03d47182a5cd626812561d4de73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmbins.exe

Filesize
328KB

MD5
4c7b845891ba9b39427cf52c81010a9d

SHA1
9487857b7dbf37f4e03459a99cf27b810db690fb

SHA256
8b6cec8fae83a7b685ab8d362503ae832c98cf5b194fec85f3548b268cd9f4d4

SHA512
57c2d8c3eee0e24641b2e53147885991e39b8c32818a7c0ed87644b855abf3c86fcbe10db5f187c8daf528a630dd46e6ef0a38e2c4da3b112961da610932fb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmexcept.cat

Filesize
9KB

MD5
6c9ecbd57b92c5f431d93384329b9443

SHA1
f60386c95d307069905c97c25c33451c45b2b4d3

SHA256
35394c07132f1f54cade654e02031d933ec0e64deeb9da390e39182f35084e97

SHA512
e534ebbf261fcb93ef59e3843365c6720fe9c02dc2fdb78c7d1461a376b020f31ef8cc1e89252129121ef1fe34526552967123f2852f9c1091e28fb680eca758

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe

Filesize
67KB

MD5
92f5c85c3661bc65c87f161a6be90906

SHA1
5dc0cf894bd2fe89671f6116510348b959ef3126

SHA256
397face88489a020998d2ef109e9e8d864eb3628aafe47ba2f0f9bb37a4b5b37

SHA512
0d4e747a743ac402295bd67eb74e969199ba60cc791fcaca107feb50ef50e43ab01a3bbfd1d3e6d1128b5cdc2daaad59d7afbc735de8845e006c33fe018df107

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmutoa.dll

Filesize
58KB

MD5
03a18b276488aa7c05d364de09078e32

SHA1
f8a28ca9105af4d40a78a706a768b394408b4d5b

SHA256
f007ac455248d1850a1bc009a6fe2404f5a597a180ddb41dd66622b51fdd7b03

SHA512
1027c486a4949126c0bd323620dd68a956f297731dd97ea9dd441dc4511c0beaec61c82eaa37d19efd0255cb8434a181357f3bc95a4d9d379fd8b71592028899

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cnet16.dll

Filesize
43KB

MD5
e9a60cec3a4ffc7ff23c3609f6edefd2

SHA1
c78c64d660858371e767fb39c60030d565b07032

SHA256
c461d6902f50790cf5e4ed023e08317fd7ee19dc8fbff6b81f81bc3052e51383

SHA512
91d77b07a1920c131de3ce7628eb4d8f652018fc944bcdcc3f60e279636145cdeea4f9ede9875284b5466eace875cdcee44217495ec174b3eceb4123b69c8615

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\instcm.inf

Filesize
5KB

MD5
d50d9154c5c2baadcf9138bd9a47ab2f

SHA1
1ccf281b3f844738596b8a1fa021be9958f96f2f

SHA256
b40284078df9e51f2d794c583cf61b72812166bcfd68949e6ce1729389890d79

SHA512
827e551d6dc4958b913343d2845ebd36855cd9dc3f56bb40aa9c1b8d54047edd18d1dfd476e653c2ef2a9d0ef0618202f65ce260de64c0211a92d6e912f1586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf16.dll

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf32.dll

Filesize
4KB

MD5
3ba72f4c922e9da0b0a7e4d4389eb4aa

SHA1
ca47ee77ee1be35f9193e915d0b8f1670dc16809

SHA256
c479a4b72168fab7ae6b93f7b74cc93ab05a314646330a73be56aca7452b7d72

SHA512
0f8a4a63b9b4489d713091dc04c35260e24a418975137bcf5f80a2e5253014093c1824be95ce3c10a8fa55c29101df46e89c52a15447fbc902986ada464213d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{37FFA~1\NL-L2TP.cmp

Filesize
82B

MD5
5a9b52186a973e8d5ab16fdb8b203787

SHA1
9a801de5c1b621817807cad539c32295b0112369

SHA256
c7f45667cef5eb40469503cc5024c55e0470339c39f4fbcaa201956429efb42f

SHA512
5ec200bec5a5b8b99511a118e41d4423c3c7512ac4b48f1cc903717ae9ede93f213518c69870efa8a8a0ff73b73a55383ef2dec539bb0fa40308fc88c59fe5b2

Download Submit
memory/2784-68-0x0000000000530000-0x000000000053F000-memory.dmp

Filesize
60KB

Download
memory/2784-69-0x0000000000540000-0x00000000005B4000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads