3383ace21aabb2cf807dcb3ac550ecbc023107c1a1814a9619d26355da072e9c

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10da84fe23609d968a64c7ce7b35b44e_JaffaCakes118.exe
Size

271KB
MD5

10da84fe23609d968a64c7ce7b35b44e
SHA1

72604682971043c238ec558350486f7d501dc87f
SHA256

3383ace21aabb2cf807dcb3ac550ecbc023107c1a1814a9619d26355da072e9c
SHA512

7d622e566bd0ca70b72a20f76474943773410b8a367c6e794391a0b3cfbd5968462b209545c779538b2c338db6daa36cd0ce6c9dd385f27a4ba9bc5e2774dbfc
SSDEEP

6144:d6YajbofxCv9tJBnFhR4ol/hvth6Qn/PCOxT+bVAFCFWjlyCNtzDs:rWlXBq2vth1zZ+JqyWtzDs

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	rinst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	10da84fe23609d968a64c7ce7b35b44e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3992	rinst.exe
1212	bpk.exe

Loads dropped DLL 3 IoCs

pid	Process
1212	bpk.exe
3588	NOTEPAD.EXE
1344	10da84fe23609d968a64c7ce7b35b44e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe"	bpk.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pk.bin	bpk.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\bpk.exe	rinst.exe
File created	C:\Windows\SysWOW64\bpkhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10da84fe23609d968a64c7ce7b35b44e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpk.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	rinst.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3588	NOTEPAD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1212	bpk.exe
1212	bpk.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe
1212	bpk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 3992	1344	10da84fe23609d968a64c7ce7b35b44e_JaffaCakes118.exe	82
PID 1344 wrote to memory of 3992	1344	10da84fe23609d968a64c7ce7b35b44e_JaffaCakes118.exe	82
PID 1344 wrote to memory of 3992	1344	10da84fe23609d968a64c7ce7b35b44e_JaffaCakes118.exe	82
PID 3992 wrote to memory of 3588	3992	rinst.exe	83
PID 3992 wrote to memory of 3588	3992	rinst.exe	83
PID 3992 wrote to memory of 3588	3992	rinst.exe	83
PID 3992 wrote to memory of 1212	3992	rinst.exe	84
PID 3992 wrote to memory of 1212	3992	rinst.exe	84
PID 3992 wrote to memory of 1212	3992	rinst.exe	84

C:\Users\Admin\AppData\Local\Temp\10da84fe23609d968a64c7ce7b35b44e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10da84fe23609d968a64c7ce7b35b44e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\RarSFX0\Belge.txt
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:3588
- - C:\Windows\SysWOW64\bpk.exe
    C:\Windows\system32\bpk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Belge.txt

Filesize
27B

MD5
8dd0d74e44b169317914020164853fbb

SHA1
e82ce568f543ae8584aaaed604017fdd74e403a2

SHA256
20f72f9c23499928a70f04e601a8dd0060d45dbd66759447e065667388fc529f

SHA512
eef28cd87878024eadb47a9acfeaddf247965793eef494d0bc79049288115b5aebdeb80b6f90f6fea69a525876306ed545d34465bce3444a8b3c05fa46e570a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe

Filesize
408KB

MD5
98162ca1898b75f3aa55f97d7b649948

SHA1
5fba0256ad7087e216634490997f093d952ab81c

SHA256
316cd371787019e472cddafd26680d8e0ad2963b36720640fa105a1f88a326d2

SHA512
a3a0fcf98b066061b23b918b573e9a1cce65458952decdb1dbcfe99563cb0d25c7d89d30c97984a3b49a70b73cc4622a83457a30c0cbf48abece5a8fff7827c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll

Filesize
21KB

MD5
fa278a9447abb8245974d7e1de6e97ce

SHA1
8f0c279e8bdce2a9c4b1dee0ce34db62fe77944d

SHA256
bc065436def1e09551101603de599e4aa142d27746b0ae98314c325b51a48506

SHA512
cbda4fcac206ce37b2ef8c120527dd89c7ad9d906b9ece6b9a0eab1b53a6ab943d3ca14d09adee41bc95fcebc7cbb084b4a37a647dd96a1b1984f1f043ad7e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
1KB

MD5
62b83c038c0555ba83b71cbd87cda1ac

SHA1
20a0689110f0d36865f2efb806531ad43befd458

SHA256
6ed711d24c0b7c1282f6feb99f549d870347f0f03873841402edf0c9975e21b4

SHA512
b6759de369d643cee9a8c9baf6dae512aef0292997951ca8345ad2bf17d75af1ffdbf0c775519f737d741faeb3a98cca5f54f1338a152bd420b685e5d7b6bdf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
7KB

MD5
a88c7a335d3df5a038b8881fd90b1100

SHA1
38305e48ea8fb96a1761050c58c33a77826cfef0

SHA256
ed7782a786dbe1ad0d3bf18500a1a94ef2dc8068a037db1c61718d1116404cab

SHA512
ec64dd70364999b57237abbf5f4fc941c58cbb9c3285decc77f4e7a9f2800d1a9943c3af787e54eec934b2c5f668a5711e6518e59796d0dcc568ed48edfb1ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
C:\Windows\SysWOW64\bpk.exe

Filesize
408KB

MD5
a635bc1492e4c39ef47ed617d3dfe491

SHA1
353ae5d543aee4bd2084798308a82361336b34fb

SHA256
cd06f57e2e2956c634f851eb92666e9e24557fffbfcd098686e3d7fe03d8ffed

SHA512
e152eaaebc4a6a48d32ed2382e048f171d35200d1654cfb241f57612b655e921b8645e700f011d3638fda4bbc7f50e90ebdc24398664a9e553540b15a006b226

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
7KB

MD5
ed3702ae7b85b79b86bf34bca473c30d

SHA1
2edf431cc62c05f79c7e0be5ddbfa57145aeecc7

SHA256
790970587cd36f3714d30c6364df455aba6d0e8613818a9869714da4e9541361

SHA512
b15b2165d7c04da23f931d4febac4306e0fa09801ee350d67c61fcf03dc18a0c3c020cb38689ea0ba0db582e900fd806b6d8f02e8fa0411f99327667b7af81c9

Download Submit
memory/1344-41-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads