ddf6b3e3016c7bac7a0084029437bdd26e13c9decaafaed3b4129c424e2f6edd

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe
Size

217KB
MD5

fee0cf8b5f5718349a315107b888dd07
SHA1

ba664741049f68bb1a2ad94dc563a6900cba5b0c
SHA256

ddf6b3e3016c7bac7a0084029437bdd26e13c9decaafaed3b4129c424e2f6edd
SHA512

a28a962cfd9e911174a00e805282e2a61c1ecbcc5c43f8a428b4fd72c382bebd942beeb00c9d02ea3e40b7c1ad8c6fb1373239805d4048e42b0b5e1ea65797af
SSDEEP

3072:EDK4uehiqiXNHnHm0I/2b3rAHfITjIJxMRcSX2jGJq/04mPT4wDU4XtM4h9BZgIV:MK4uehiqYH3D3LOSyGRVPT4QXXveDlf0

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4688	ctfmom.exe

Executes dropped EXE 1 IoCs

pid	Process
4688	ctfmom.exe

Loads dropped DLL 2 IoCs

pid	Process
4688	ctfmom.exe
4688	ctfmom.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CommCtlr = "c:\\windows\\ctfmom.exe"	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\ctfmom.exe	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe
File created	C:\Windows\command.dll	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe
File opened for modification	\??\c:\windows\RCX4997.tmp	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ctfmom.exe	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe
File opened for modification	C:\Windows\command.dll	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe
File created	C:\Windows\hit32.dll	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1860	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe
1860	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe
4688	ctfmom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4688	ctfmom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4688	1860	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe	89
PID 1860 wrote to memory of 4688	1860	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe	89
PID 1860 wrote to memory of 4688	1860	fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe	89
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56
PID 4688 wrote to memory of 3504	4688	ctfmom.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fee0cf8b5f5718349a315107b888dd07_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\windows\ctfmom.exe
    "C:\windows\ctfmom.exe" c:\users\admin\appdata\local\temp\fee0cf8b5f5718349a315107b888dd07_jaffacakes118.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:8
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\command.dll

Filesize
129KB

MD5
816f70fdace8259f05f4ab291d3bf180

SHA1
f306db9f7280be1b5928fff6008dbfad5196d05d

SHA256
99aa2b7541d7f422fa4f82c2893097086bad6e0ed27badbfb463cce00b42871c

SHA512
c5563716e94bea4aec42d83adb97c20ada580e7a2ddcfccb1a0d80ff5eb87def44c1a6997a8992c2beaefa3eb720a0de2c811f5d96387ce8731b2d5d08c6fa4a

Download Submit
C:\Windows\ctfmom.exe

Filesize
89KB

MD5
8e2875cc571e8b78f1021edd5d7dd733

SHA1
2c03204f8c2c36ccd6ddadeec6c231242357d503

SHA256
026a882e5a9360601afeca543f65895c75061461e95c2b00a7fa651d4a3ca9a9

SHA512
a1288c90ae073e4eca64052136375cd66f8b2fdad0b54edfc56d920f326bcb770a70dd38b2ca624f5772406be954ea54d721ac76d1ae4e591feb9412d4af9836

Download Submit
C:\Windows\hit32.dll

Filesize
327B

MD5
3cee3e31246c166bd50bd6700886d2b8

SHA1
f8d15f5079565a43795732d941a818e9b0617f9d

SHA256
b82e12f3eceb549cfe8b2077011dd1d0b266eaf60b8aebeac8936d3d2f9be854

SHA512
e8065a6f0602abb2decf2a82992ea8908dd15a8c037388d3da43cf739838d8725675a86cac50a29c6c178aff16ce91deb81362ef3e23d08a48ba2da0e0e44e83

Download Submit
memory/1860-40-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4688-45-0x0000000000680000-0x00000000006A5000-memory.dmp

Filesize
148KB

Download
memory/4688-46-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4688-47-0x0000000000680000-0x00000000006A5000-memory.dmp

Filesize
148KB

Download
memory/4688-73-0x0000000000680000-0x00000000006A5000-memory.dmp

Filesize
148KB

Download