Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2024, 07:50
Static task: static1
Behavioral task: behavioral1
  Sample: 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
Size: 4.3MB
MD5: 00ce7682023686f4c1336fdcfccf50d2
SHA1: 9644ba92a81872785be50ea81de3a74eebd9fc10
SHA256: 4bcd7342dcbd048d14c7eadb7c42a467895ffacd5ebd8af69e9643d1866b3217
SHA512: 02b0785fc497700984fc477ca4cce8a13105341f7b4b1ee0287a0fa1d2797eb3ba1a8843715787348a34dcb6d5b87b02d8f48d657646dd7de30c02f26caba39b
SSDEEP: 98304:p7SpxSV7vi8Eody/CKKKXbEN5bB+PU+zWveiX:p7SpxGzi89dGV5g5b4VzXiX
Malware Config
Signatures
resource: behavioral2/files/0x000800000002323e-16.dat

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | WScript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings | cmd.exe

Suspicious use of WriteProcessMemory (27 IoCs)
description | pid | Process | procid_target
PID 1584 wrote to memory of 5004 | 1584 | 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe | 88
PID 1584 wrote to memory of 5004 | 1584 | 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe | 88
PID 1584 wrote to memory of 5004 | 1584 | 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe | 88
PID 5004 wrote to memory of 2896 | 5004 | cmd.exe | 91
PID 5004 wrote to memory of 2896 | 5004 | cmd.exe | 91
PID 5004 wrote to memory of 2896 | 5004 | cmd.exe | 91
PID 2896 wrote to memory of 2580 | 2896 | cmd.exe | 93
PID 2896 wrote to memory of 2580 | 2896 | cmd.exe | 93
PID 2896 wrote to memory of 2580 | 2896 | cmd.exe | 93
PID 2580 wrote to memory of 5036 | 2580 | WScript.exe | 94
PID 2580 wrote to memory of 5036 | 2580 | WScript.exe | 94
PID 2580 wrote to memory of 5036 | 2580 | WScript.exe | 94
PID 5036 wrote to memory of 1092 | 5036 | cmd.exe | 96
PID 5036 wrote to memory of 1092 | 5036 | cmd.exe | 96
PID 5036 wrote to memory of 1092 | 5036 | cmd.exe | 96
PID 5036 wrote to memory of 1076 | 5036 | cmd.exe | 97
PID 5036 wrote to memory of 1076 | 5036 | cmd.exe | 97
PID 5036 wrote to memory of 1076 | 5036 | cmd.exe | 97
PID 5036 wrote to memory of 432 | 5036 | cmd.exe | 98
PID 5036 wrote to memory of 432 | 5036 | cmd.exe | 98
PID 5036 wrote to memory of 432 | 5036 | cmd.exe | 98
PID 5036 wrote to memory of 3960 | 5036 | cmd.exe | 99
PID 5036 wrote to memory of 3960 | 5036 | cmd.exe | 99
PID 5036 wrote to memory of 3960 | 5036 | cmd.exe | 99
PID 5036 wrote to memory of 1372 | 5036 | cmd.exe | 100
PID 5036 wrote to memory of 1372 | 5036 | cmd.exe | 100
PID 5036 wrote to memory of 1372 | 5036 | cmd.exe | 100
Processes
1. C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 1584
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\lettera\prog\ini.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 5004
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /K "C:\lettera\prog\ini.bat" HIDE-BOSS
         - Checks computer location settings
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
         PID: 2896
         4. C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\lettera\prog\RunVBS.vbs"
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
            PID: 2580
            5. C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\system32\cmd.exe /c ""C:\lettera\prog\ini.bat" BOSS"
               - Suspicious use of WriteProcessMemory
               PID: 5036
               6. C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                  PID: 1092
               6. C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                  PID: 1076
               6. C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                  PID: 432
               6. C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                  PID: 3960
               6. C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v TaskbarGlomLevel /t REG_DWORD /d 2 /f
                  PID: 1372
Network
MITRE ATT&CK Enterprise v15
Downloads