7ddd90dbdeba4bdb4168b269265aab27653b979558d6729f1680b2034b003e6a

Analysis

max time kernel
143s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42a059bf2af7d40d08cc3420b462420a_JaffaCakes118.exe
Size

1.4MB
MD5

42a059bf2af7d40d08cc3420b462420a
SHA1

b868b3f760ae9a2332daf5ca21d553c0b3c54adb
SHA256

7ddd90dbdeba4bdb4168b269265aab27653b979558d6729f1680b2034b003e6a
SHA512

3bcf6e63eda8a0f9a7ba508faab1899061f1b1c59e469b3d78eb0afa43f7314d34574026dbdc373d89f1b80ef45ef72338a95bbfee4054bc7f5879ac81b35035
SSDEEP

24576:M1am5ThkMg79mC14fBi0CpQPSgZ5Ae59H3cWfnYLLFQmXZw1wi9D9E2A4:cd59kJ14QpAFwAHJfnYnCmpwai9D9TA4

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	42a059bf2af7d40d08cc3420b462420a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ok.exe

Executes dropped EXE 4 IoCs

pid	Process
1176	1312.exe
1652	ok.exe
2904	temp.exe
3952	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1312.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\program files\common files\microsoft shared\msinfo\1312.jpg	42a059bf2af7d40d08cc3420b462420a_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	temp.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	temp.exe
File created	C:\Windows\uninstal.bat	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42a059bf2af7d40d08cc3420b462420a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	temp.exe
Token: SeDebugPrivilege	3952	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3952	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 1176	3536	42a059bf2af7d40d08cc3420b462420a_JaffaCakes118.exe	85
PID 3536 wrote to memory of 1176	3536	42a059bf2af7d40d08cc3420b462420a_JaffaCakes118.exe	85
PID 3536 wrote to memory of 1176	3536	42a059bf2af7d40d08cc3420b462420a_JaffaCakes118.exe	85
PID 1176 wrote to memory of 1652	1176	1312.exe	87
PID 1176 wrote to memory of 1652	1176	1312.exe	87
PID 1176 wrote to memory of 1652	1176	1312.exe	87
PID 1652 wrote to memory of 2904	1652	ok.exe	88
PID 1652 wrote to memory of 2904	1652	ok.exe	88
PID 1652 wrote to memory of 2904	1652	ok.exe	88
PID 3952 wrote to memory of 2892	3952	Hacker.com.cn.exe	90
PID 3952 wrote to memory of 2892	3952	Hacker.com.cn.exe	90
PID 2904 wrote to memory of 2556	2904	temp.exe	92
PID 2904 wrote to memory of 2556	2904	temp.exe	92
PID 2904 wrote to memory of 2556	2904	temp.exe	92

C:\Users\Admin\AppData\Local\Temp\42a059bf2af7d40d08cc3420b462420a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42a059bf2af7d40d08cc3420b462420a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3536
- C:\program files\common files\microsoft shared\msinfo\1312.exe
  "C:\program files\common files\microsoft shared\msinfo\1312.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ok.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ok.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\temp.exe
      "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\1312.exe

Filesize
1.0MB

MD5
d2a4b27819ead33e05154a09067f18d4

SHA1
aa0b1d1e88a2dbd94d70a8b1ba1d13a3a8964fbf

SHA256
5a0fac50f6eb9db3baa266987d5f1c06fc928980ff606cc6e1f23a0cb1d59617

SHA512
3ab9f918953696518275d40d34da1dc844d38a58234d1d066b84a06f4bbdd21202b1a58ba0c6c33f1169be6170cdb58dd96bbf81ca9b18560e1afadc4f858e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ok.exe

Filesize
1.2MB

MD5
679beb9a2b549c35479560a450681b05

SHA1
d839ebc3e09b7553b45bf71bd7ad760543cd5dae

SHA256
beeecba23767a74640525c564074b00b374ef8dda1c10107de6a0aa4699a8adf

SHA512
b320b3ec31fe531fdfb35fafe9831b43a125c895ce913a6e53d9e2f3436cfd3ae66b5d3c91e8dfdc9d1cf7372ad1fe5d1109475f2b851e2f09d2e3e278002ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
794KB

MD5
6352d02da2715a1a6c15cd892a032826

SHA1
1bee228b6ff6a3d9eb75005010ba74383cf3f48a

SHA256
43dfff96b9659adff444f1e8d0549820977cbcca4fa202b8f814dfec5d27a11d

SHA512
6b9183907f2f05fb41dbaf13475463af6f099c3ee6d662943344572fb6623bc7d23c18c77da03f2b45fde4e4caf7df836d2e06899a9f083bf5de24322c8fa6bd

Download Submit
C:\Windows\uninstal.bat

Filesize
134B

MD5
d844dfb0f997e4d32cdb6dafa4d7717a

SHA1
eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec

SHA256
0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a

SHA512
fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5

Download Submit
memory/1176-64-0x0000000001000000-0x0000000001431000-memory.dmp

Filesize
4.2MB

Download
memory/1176-65-0x0000000001000000-0x0000000001431000-memory.dmp

Filesize
4.2MB

Download
memory/1176-83-0x0000000001000000-0x0000000001431000-memory.dmp

Filesize
4.2MB

Download
memory/1652-71-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/1652-80-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2904-88-0x0000000000400000-0x00000000004D1006-memory.dmp

Filesize
836KB

Download
memory/3536-35-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/3536-25-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3536-4-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/3536-3-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/3536-2-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3536-31-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3536-30-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3536-47-0x00000000034E0000-0x00000000034E2000-memory.dmp

Filesize
8KB

Download
memory/3536-44-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-43-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-42-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-41-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-40-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-49-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/3536-50-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3536-48-0x00000000034D0000-0x00000000034D5000-memory.dmp

Filesize
20KB

Download
memory/3536-39-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-38-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/3536-37-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/3536-36-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/3536-5-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/3536-34-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/3536-33-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3536-32-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3536-28-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3536-27-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3536-26-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3536-8-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3536-24-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3536-23-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-22-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-21-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-20-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-19-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-17-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-13-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-12-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-29-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3536-18-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-16-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-15-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-14-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-11-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3536-10-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-6-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3536-7-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/3536-9-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3536-1-0x0000000002320000-0x0000000002374000-memory.dmp

Filesize
336KB

Download
memory/3536-0-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-51-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-62-0x0000000002320000-0x0000000002374000-memory.dmp

Filesize
336KB

Download
memory/3536-61-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/3952-90-0x0000000000400000-0x00000000004D1006-memory.dmp

Filesize
836KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads