09b671e8aa1fe9649e162e9e2826e582a979117270f5d12cab6754813b2feb87

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Size

42KB
MD5

12e21b66009632c9a7c68ea56c4f31a6
SHA1

138710a8f7d1db8be79347aafd5ea05efccbf430
SHA256

09b671e8aa1fe9649e162e9e2826e582a979117270f5d12cab6754813b2feb87
SHA512

7505186ccc3cd37d248e582fb44c7ca10c9019b00f1fb2fcfa11e69c02608fdf62ea9eefdcc66f4ff68f3499410997a3409bd08105463c56ca7bd282dd8981d9
SSDEEP

768:IcGUmbtwHyyE1J4JCKNiQdfcidlB9BOyjMZd:IFb6ylyo2B9J+

Score

7^/10

defense_evasion discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00090000000234b3-3.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234b3-3.dat	upx
behavioral2/memory/4488-4-0x0000000010000000-0x0000000010012000-memory.dmp	upx
behavioral2/memory/4488-8-0x0000000010000000-0x0000000010012000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fOnts\MhaUKGazkr3fZZKp.Ttf	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
File opened for modification	C:\Windows\fonts\fyrwJf5Qfhh.fon	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{15882A2F-A06D-486E-8958-E84C86CBF273}\InprocServer32	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15882A2F-A06D-486E-8958-E84C86CBF273}	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15882A2F-A06D-486E-8958-E84C86CBF273}\InprocServer32	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15882A2F-A06D-486E-8958-E84C86CBF273}\InprocServer32\ = "C:\\Windows\\fonts\\fyrwJf5Qfhh.fon"	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15882A2F-A06D-486E-8958-E84C86CBF273}\InprocServer32\ThreadingModel = "Apartment"	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
Token: SeDebugPrivilege	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 320	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe	82
PID 4488 wrote to memory of 320	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe	82
PID 4488 wrote to memory of 320	4488	12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12e21b66009632c9a7c68ea56c4f31a6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\12E21B~1.EXE >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\fyrwJf5Qfhh.fon

Filesize
18KB

MD5
19efd3c5588ca8ae6869d07d3297b912

SHA1
2e6753d99f67d0d24087875f9ffcdfe4a0ede063

SHA256
9bdc6752f72f3452c2029e2ee9fe5875005a8346dcebbcd6ca8f306a6b4cd603

SHA512
e4cdd191ca525808976b4e67ed92212896358661aa59daf99570c0467132b44a5a9cadad67af187c22f62ae6b59e2020e42dbdf4d23e789fd8a2656c7f2182b4

Download Submit
memory/4488-4-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4488-8-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download