Analysis
- max time kernel: 139s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-10-2024 03:16

Static task: static1

Behavioral task: behavioral1
- Sample: 4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: 4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe
- Size: 4.7MB
- MD5: 4590494f9328fe44f8753ac8595f490f
- SHA1: a3afdf333908d33c8482095852110ec9a8d11cf2
- SHA256: b71f451bb63ebee58ff1c8e2434654cfc004c143bcddc3eb044b29049a5f551b
- SHA512: be41d223554da49c369fdfeab27d0eec3311c0a8ba2fcf42b1b54e4442bd08e75a75360aaae4af885635c4b9adc6834bcdffb897d6ce3c2bc4ef444b64a88ce0
- SSDEEP: 98304:L3QoOkhuiUj2vokyZczYhKtgp0LqSrQwnvru/k:L3QoO7ZcP+Sd
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
- pid 2640: wins.exe
- pid 3424: wins.exe
- pid 3964: 5543
Drops file in System32 directory (13 IoCs)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\queries-06.cache (wins.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\nodes.dat.download (wins.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe (4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe (4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\queries-02.cache (wins.exe)
- File opened for modification: C:\Windows\SysWOW64\config\SYSTEM~1\AppData\Local\WINDOW~1\QUERIE~2.CAC (wins.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\queries-07.cache (wins.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\queries-07.cache (wins.exe)
- File opened for modification: C:\Windows\SysWOW64\config\SYSTEM~1\AppData\Local\WINDOW~1\QUERIE~1.CAC (wins.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\queries-03.cache (wins.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service (wins.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\known2_64.met (wins.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\known2_64.met (wins.exe)
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wins.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wins.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (5543)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe)
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\crutch (wins.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\crutch\LocalService = "Windows Internet Name Service" (wins.exe)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
- pid 2764: 4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe
- pid 2764: 4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe
- pid 2764: 4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe
- pid 2764: 4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe
- pid 2640: wins.exe
- pid 2640: wins.exe
- pid 2640: wins.exe
- pid 2640: wins.exe
- pid 3424: wins.exe
- pid 3424: wins.exe
- pid 3424: wins.exe
- pid 3424: wins.exe
- pid 3424: wins.exe
- pid 3424: wins.exe
- pid 3424: wins.exe
- pid 3424: wins.exe
- pid 3964: 5543
- pid 3964: 5543
- pid 3964: 5543
- pid 3964: 5543
- pid 3964: 5543
- pid 3964: 5543
- pid 3964: 5543
- pid 3964: 5543
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 2764 wrote to memory of 2640 (pid 2764, Process 4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe, procid_target 84)
- PID 2764 wrote to memory of 2640 (pid 2764, Process 4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe, procid_target 84)
- PID 2764 wrote to memory of 2640 (pid 2764, Process 4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe, procid_target 84)
- PID 3424 wrote to memory of 3964 (pid 3424, Process wins.exe, procid_target 89)
- PID 3424 wrote to memory of 3964 (pid 3424, Process wins.exe, procid_target 89)
- PID 3424 wrote to memory of 3964 (pid 3424, Process wins.exe, procid_target 89)
- PID 3964 wrote to memory of 4140 (pid 3964, Process 5543, procid_target 90)
- PID 3964 wrote to memory of 4140 (pid 3964, Process 5543, procid_target 90)
- PID 3964 wrote to memory of 4140 (pid 3964, Process 5543, procid_target 90)
Processes
- C:\Users\Admin\AppData\Local\Temp\4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4590494f9328fe44f8753ac8595f490f_JaffaCakes118.exe"
  PID: 2764
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe
    Command line: "C:\Windows\system32\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe" /Service
    PID: 2640
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe
  Command line: "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe"
  PID: 3424
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\TEMP\5543
    Command line: "C:\Windows\TEMP\5543" -u "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\"
    PID: 3964
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\TEMP\5546.bat"
      PID: 4140
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads