Analysis
-
max time kernel
93s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-03-2024 11:07
Static task
static1
Behavioral task
behavioral1
Sample
040c9179d6a84b05a35dce3143d4e6a0_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
040c9179d6a84b05a35dce3143d4e6a0_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
040c9179d6a84b05a35dce3143d4e6a0_JaffaCakes118.exe
-
Size
9KB
-
MD5
040c9179d6a84b05a35dce3143d4e6a0
-
SHA1
0afdc15498c4dcccc285e74caf9e6877f779ff4f
-
SHA256
a974714ffd005ee1951781e1d554d568aa2ca73d689239956d416e3db27cc156
-
SHA512
930169232aee1e6ad74e313d050b3ce50c90b46e21b18482d3aa7d414a259b3f3ff3e1ba583c10fc2879e85a94c40f343dde5eb22d78294f64792f955e7b469f
-
SSDEEP
96:HRcsHc+ANiu7H/Mu34aVSTmtIjmAa/4OUcRyvN3FtgVmRDxYAhLZlVsbk90O2E1q:QBrpFITpjmAtcA9F2KDeIZlSJUXU
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation 040c9179d6a84b05a35dce3143d4e6a0_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation hfdfjdk.exe -
Executes dropped EXE 1 IoCs
pid Process 5080 hfdfjdk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4688 wrote to memory of 5080 4688 040c9179d6a84b05a35dce3143d4e6a0_JaffaCakes118.exe 88 PID 4688 wrote to memory of 5080 4688 040c9179d6a84b05a35dce3143d4e6a0_JaffaCakes118.exe 88 PID 4688 wrote to memory of 5080 4688 040c9179d6a84b05a35dce3143d4e6a0_JaffaCakes118.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\040c9179d6a84b05a35dce3143d4e6a0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\040c9179d6a84b05a35dce3143d4e6a0_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe"C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5080
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5bda8f325cb2f4b7654573f50df4956e7
SHA16ae70f8d7928209c261cb45c80374901a3a9df98
SHA256068111c87285d25903c8605ada6653cbe5025cce431cf1faeed419246c57b180
SHA51272f344b6f85b5b0c4858fe1cb744ac3557daf639c8383ad014517c8a59d07347c3ab936a58e25815a6a128fe9ebdacef6b3347c18f4af7c14b29a8cee2768016