2ce54a4eaa2797dbb6b4db24b0330a4bb876623985002ebcacb33a38933adb1e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dfff1e2765b936c82face3548aeb606f.exe
Size

1.6MB
MD5

dfff1e2765b936c82face3548aeb606f
SHA1

6ddeaee7236ae76360d92ed61c9feee80683bfce
SHA256

2ce54a4eaa2797dbb6b4db24b0330a4bb876623985002ebcacb33a38933adb1e
SHA512

9ae12c51b5547da58774803e40daf78dacf13c05dbefb8521743c45f8a872f26e93a58fa7279c77b623c0ca0539d19a0438a4fd665999bd8f09bfe6b294aa062
SSDEEP

24576:1hCMVtjsoPi6Q5ygaNvct0R7Si6SpsoLyVql/oxLQPVVPtzzZHKbSDar0cSRZ:u4ZlQEXDHLRlFPlDa5U

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_dfff1e2765b936c82face3548aeb606f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	msnmsgr.exe

Executes dropped EXE 4 IoCs

pid	Process
3652	msnmsgr.exe
4396	troyano.exe
2896	DOS ATTACK.exe
348	troyano.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4396 set thread context of 348	4396	troyano.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2324	348	WerFault.exe	89
1564	348	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	troyano.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dfff1e2765b936c82face3548aeb606f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4396	troyano.exe
Token: SeDebugPrivilege	2896	DOS ATTACK.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 3652	1164	JaffaCakes118_dfff1e2765b936c82face3548aeb606f.exe	83
PID 1164 wrote to memory of 3652	1164	JaffaCakes118_dfff1e2765b936c82face3548aeb606f.exe	83
PID 1164 wrote to memory of 3652	1164	JaffaCakes118_dfff1e2765b936c82face3548aeb606f.exe	83
PID 3652 wrote to memory of 4396	3652	msnmsgr.exe	84
PID 3652 wrote to memory of 4396	3652	msnmsgr.exe	84
PID 3652 wrote to memory of 4396	3652	msnmsgr.exe	84
PID 3652 wrote to memory of 2896	3652	msnmsgr.exe	85
PID 3652 wrote to memory of 2896	3652	msnmsgr.exe	85
PID 4396 wrote to memory of 1820	4396	troyano.exe	86
PID 4396 wrote to memory of 1820	4396	troyano.exe	86
PID 4396 wrote to memory of 1820	4396	troyano.exe	86
PID 1820 wrote to memory of 1556	1820	csc.exe	88
PID 1820 wrote to memory of 1556	1820	csc.exe	88
PID 1820 wrote to memory of 1556	1820	csc.exe	88
PID 4396 wrote to memory of 348	4396	troyano.exe	89
PID 4396 wrote to memory of 348	4396	troyano.exe	89
PID 4396 wrote to memory of 348	4396	troyano.exe	89
PID 4396 wrote to memory of 348	4396	troyano.exe	89
PID 4396 wrote to memory of 348	4396	troyano.exe	89
PID 4396 wrote to memory of 348	4396	troyano.exe	89
PID 4396 wrote to memory of 348	4396	troyano.exe	89
PID 4396 wrote to memory of 348	4396	troyano.exe	89
PID 4396 wrote to memory of 348	4396	troyano.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfff1e2765b936c82face3548aeb606f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfff1e2765b936c82face3548aeb606f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1164
- C:\ProgramData\evimMmxrKHdzY\QMYoEZNWtoSUBVai\4.16.43.8773\msnmsgr.exe
  "C:\ProgramData\evimMmxrKHdzY\QMYoEZNWtoSUBVai\4.16.43.8773\msnmsgr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\troyano.exe
    "C:\Users\Admin\AppData\Local\Temp\troyano.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2pqsxxbw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC380.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC37F.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
  - - C:\Users\Admin\AppData\Roaming\troyano.exe
      C:\Users\Admin\AppData\Roaming\troyano.exe
      4⤵
      Executes dropped EXE
      PID:348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 12
        5⤵
        Program crash
        
        PID:2324
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 20
        5⤵
        Program crash
        
        PID:1564
- - C:\Users\Admin\AppData\Local\Temp\DOS ATTACK.exe
    "C:\Users\Admin\AppData\Local\Temp\DOS ATTACK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 348 -ip 348
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 348 -ip 348
1⤵
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\evimMmxrKHdzY\QMYoEZNWtoSUBVai\4.16.43.8773\msnmsgr.exe

Filesize
1.2MB

MD5
38689c5694a178ccee984f58e16072d5

SHA1
9945542de49da6e96895694e6c27358a2899a1f1

SHA256
d14c631d8120370754169a8ffb07cc2c7d71b2fead1608ead673490f05cec6c7

SHA512
7579f990393c2a48bcf00ffab3ad5068fc9ee33bc97696f171dccacf18e702d9f2dddae23e697b17a307f74d1f714374c298599eecdc9e6795601dbbef400891

Download Submit
C:\Users\Admin\AppData\Local\Temp\2pqsxxbw.dll

Filesize
5KB

MD5
3b4eeedfb5cd1f19e8d51d60da8056c9

SHA1
75ce4dc91f847f5d8247606e34d903ed0e60f709

SHA256
d2a2b26b8a156a1b0400415b321e7349c6227f0a7e027e59e375964999d7cd54

SHA512
167ed9002457bc097ea43288689fbf528fb48b72386c3fcad31a27f39ead530d15d1c428c9784e127ab49d8f75bd61a8833aa4c8f90426c5f0378e7ecea3cf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOS ATTACK.exe

Filesize
131KB

MD5
faafa578dfc33a3a8c290fa2040136e4

SHA1
d2f97924a28439661408f5797d1d15a5d46b8a7a

SHA256
094ab867b47a5bec78c5cfc7ec00e1fe05f51c5b0210627eaaf522d82d76daae

SHA512
77286fc725fe980cff695f073fb136a5d76df476e3d9a16d32f0ff930331422a040c8e28debdad09183322b0bb9203d40b439688f7b608e7f685d4a108359940

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC380.tmp

Filesize
1KB

MD5
8c8b384ceb7416a5a32ca236893299d2

SHA1
78c5de1429bd1d519163f2793185cf8e706909d9

SHA256
5de09f862a8d10f52536bb956b593785acc9896441c611f90bd8b3384efb4dd6

SHA512
7f42d87723f21ab6723425b4aa158fad2c2bb3d37125c4877174bb1708252cf6a7745cf4865f26d9f28a734c18031dfce15da65b5ec3c7097af7e1aeeaa52870

Download Submit
C:\Users\Admin\AppData\Local\Temp\troyano.exe

Filesize
324KB

MD5
02f6054ae3322982254c1c1c06f9eca2

SHA1
186d5d7e47dcb1c2a6f422d695a1783454c12878

SHA256
e61807e3c30533d5381ba1c8d28eedce44ab52b9b9ac887009e2dda6d507c40d

SHA512
eed36ca26f02d097c6bc1bcab5b0c507c6294d3e3faf363fbebe7438c7b557d24485674ff9063c9ab6506299f36acef39a426f959b57fc60c929b84bad9a93c5

Download Submit
C:\Users\Admin\AppData\Roaming\troyano.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2pqsxxbw.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2pqsxxbw.cmdline

Filesize
206B

MD5
011e17f8577833322a03d56644f970df

SHA1
324ce3dd9b9321cc3942abad06607f139e25c820

SHA256
24e8a3b5d6b216254aa1040c4fcb7a9ce0eb354d5cb7831414ab257490287d5b

SHA512
18b9cb0190abd123b32236d603f52fece06f0b08c540ad12463f68461e1947c3a880d7bdf65abec34eb371f2bf20e9c1bc36b5890e85f576dad24c27b0e891de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC37F.tmp

Filesize
652B

MD5
a9c3b15a9455b083ade710c5088d0730

SHA1
44983a9a679e938640784373ebb362919e337d10

SHA256
b439990cd94d9e70b8f74f9b3ab748dc7bf9f998a0d6ec842c81113b321dcd52

SHA512
7546442de2672f1424d10f8fa3a1a05f7638f3cac4f5126cc48cb0e9e78c6d393b069bd92c8c344ac876e2ab80bb3bf0161eba68040a7b5068483cec9d7f7c2f

Download Submit
memory/1164-2-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1164-18-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1164-1-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1164-0-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/2896-45-0x000000001C3E0000-0x000000001C8AE000-memory.dmp

Filesize
4.8MB

Download
memory/2896-51-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/2896-52-0x000000001BE70000-0x000000001BE78000-memory.dmp

Filesize
32KB

Download
memory/2896-49-0x000000001C8B0000-0x000000001C94C000-memory.dmp

Filesize
624KB

Download
memory/2896-68-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/3652-43-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3652-17-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3652-20-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3652-16-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4396-50-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4396-44-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4396-67-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download