da117b939722264f7a9d56c6f59f9e1a2810c3a8eccb8d58ec8ed4c6eacdac96

Analysis

max time kernel
140s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe
Size

4.1MB
MD5

427d009c80a1f92ec530aa6202e6da9b
SHA1

118911522b5311109ced7c3dac1cf93d43e02923
SHA256

da117b939722264f7a9d56c6f59f9e1a2810c3a8eccb8d58ec8ed4c6eacdac96
SHA512

1be482180ce8617822e6629698805af72b4c2e5b07cfedd93bf88fbb0c709bd92dd0ec2613e0f23fba253e467a611c37160d9639edf5efb59de1b558efb5bdf1
SSDEEP

98304:hK70t/anRuMNRWUHrTmFVhKOqlHh4HCKnlAI92ZoSdBsg2Hd:hKY+AL2HhMXnKI+2gsd

Score

7^/10

discovery persistence upx vmprotect

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023bca-20.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	update.exe

Executes dropped EXE 2 IoCs

pid	Process
4460	update.exe
1096	yanhuang.exe

Loads dropped DLL 2 IoCs

pid	Process
3288	rundll32.exe
3288	rundll32.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000d000000023b4e-16.dat	vmprotect
behavioral2/memory/1096-31-0x0000000000400000-0x0000000000BB2000-memory.dmp	vmprotect
behavioral2/memory/1096-40-0x0000000000400000-0x0000000000BB2000-memory.dmp	vmprotect
behavioral2/memory/1096-49-0x0000000000400000-0x0000000000BB2000-memory.dmp	vmprotect

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sfcos.dll	update.exe
File created	C:\Windows\SysWOW64\wrtemp	update.exe
File created	C:\Windows\SysWOW64\dsoundtemp	update.exe
File opened for modification	C:\Windows\SysWOW64\8CBF.tmp	update.exe
File created	C:\Windows\SysWOW64\sfcos.dll	update.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1096	yanhuang.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023bc9-6.dat	upx
behavioral2/memory/4460-14-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/files/0x0009000000023bca-20.dat	upx
behavioral2/memory/4460-39-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3288-44-0x0000000010000000-0x0000000010015000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yanhuang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 4460	1180	427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe	86
PID 1180 wrote to memory of 4460	1180	427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe	86
PID 1180 wrote to memory of 4460	1180	427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe	86
PID 1180 wrote to memory of 1096	1180	427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe	87
PID 1180 wrote to memory of 1096	1180	427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe	87
PID 1180 wrote to memory of 1096	1180	427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe	87
PID 4460 wrote to memory of 4128	4460	update.exe	88
PID 4460 wrote to memory of 4128	4460	update.exe	88
PID 4460 wrote to memory of 4128	4460	update.exe	88
PID 4460 wrote to memory of 2760	4460	update.exe	90
PID 4460 wrote to memory of 2760	4460	update.exe	90
PID 4460 wrote to memory of 2760	4460	update.exe	90
PID 2760 wrote to memory of 3288	2760	cmd.exe	92
PID 2760 wrote to memory of 3288	2760	cmd.exe	92
PID 2760 wrote to memory of 3288	2760	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\427d009c80a1f92ec530aa6202e6da9b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\update.exe
  "C:\Users\Admin\AppData\Local\Temp\update.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\sfc.exe
    "C:\Windows\system32\sfc.exe" /REVERT
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\del.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\s2am.ime,Runed
      4⤵
      Loads dropped DLL
      Modifies WinLogon
      System Location Discovery: System Language Discovery
      PID:3288
- C:\Users\Admin\AppData\Local\Temp\yanhuang.exe
  "C:\Users\Admin\AppData\Local\Temp\yanhuang.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
34KB

MD5
c40bd1268d27c97e59246274336d6c68

SHA1
51900a6fdfc0430dc405d72461283714e3364d17

SHA256
bf5f3949f47c6fa309ea4d0b168d0037901220773b421fb0e35e21fab473ed4d

SHA512
4bfc6c798f7b581110e7bdfdfb07f8c982a4cd136ac40dc060c1f4bad87149d9d1098a6c2e75be2518cfdfef9a15c6eee493f675d35cc36a126cd4b158e515d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yanhuang.exe

Filesize
4.1MB

MD5
144adcc3d3d715e050656c9b60286137

SHA1
63c53ae824b8eab7105d4cd35db96db11fcf2326

SHA256
0fc1ae6ce552cc1c68675019ba6c6bc95ef412bb61f6e8d7715bd1b9a4713894

SHA512
a6b29bcb28eda995291513ea42d418ef66f816b67cc8e9201c6122ea5ffa2f6498b5b3bf48e6e0c5be26f109f856f8e8100c45e8414de0a3baa06e3fb11b2843

Download Submit
C:\Windows\SysWOW64\8CBF.tmp

Filesize
28KB

MD5
9bc442ab5086bbbae4067fd722afcd7b

SHA1
dddf93214212dc4bd277a1135b4a46fcaf387f8c

SHA256
0619d7116d66cc2a3e94fbcd289e8f3fdc17bd93e08c5e4b3ed8786dd5956d66

SHA512
c6a0a082e72783619d7e4a9b4ab7de6158a336429d99486a383940ca312144ee023ab4b3a8960430ce06cd5328f8e6a478ffc3026970a943472c3fdf2a57bf40

Download Submit
C:\Windows\SysWOW64\dsoundtemp

Filesize
4KB

MD5
e74734d35e56385de26d7877ef34395a

SHA1
0fbedc3043990ce43c87607ed6c79686cb352acf

SHA256
98b73d00985aee2cf76451c63aff1f6b3765ea2f0942427f0fe9731ca98e7083

SHA512
7115be3f75156899e390aff78e1be7f5c6765cac3510f3397012c7e0a6dd9157d0900da5348b6b8a056e1d37fb831e0e80854d517d1e4a779f3b75a3ae962afb

Download Submit
C:\Windows\SysWOW64\sfcos.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
C:\Windows\SysWOW64\wrtemp

Filesize
4KB

MD5
eee106c8c9e0f6f1439f02cbfcafbf9b

SHA1
d8570ace5087d8301c716bb870322444e6982895

SHA256
eb2df7a735be60dafbc99537d215bdb8105f274f614c6c2d39ebada56fe4fe0c

SHA512
2452b5a2469df9513d758e0d3068323a664d03c292701f9ab649ad69aabc1c3dd656ca50e295e154278432ba813f1ead06ce94651b3e3ddf4b9f6a488b0faaf4

Download Submit
\??\c:\del.bat

Filesize
191B

MD5
508cc763357d4a09c0ad32cec2b5fa43

SHA1
9ea098699cc227301677e46465ccd4834f5be256

SHA256
33b7d5025571129f7de4764c0118eff31b40ea5de34fc304ac4922904f5fe1c2

SHA512
edab11ef6cee7d5dfcdcd73882c7471a1b42100e7b05ad8d2fb598f18d7c3d9e3c12085781cf5b94a6111c72cdeb3cefe582f3358b6fbf53a9363510d504f626

Download Submit
memory/1096-49-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/1096-31-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/1096-40-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/1180-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3288-44-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4460-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4460-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads