Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/03/2024, 08:21
Static task
static1
Behavioral task
behavioral1
Sample
1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe
-
Size
137KB
-
MD5
1d387e8fdc34aa18e48e94f63944b525
-
SHA1
73b081ce4e58cf632de3e28741cbfb4e191aeb6d
-
SHA256
5e3516f802661bc84ff560a04d6d2bdd7e5051bcf168b15625e88c951ffe975a
-
SHA512
7ec526399943712d1007e96766c7dbb916abc86044563ada3d614f37871212e5a6f513599bc43e7eeb8272fc92a844b317d765796f657af141de6beb9fe89588
-
SSDEEP
1536:s1baYkjUIKECOmxUNKwhB+GT/4I2fm3w9Rri+pXmf8t1dn4vcjeRVW:sjIKn1xUswhsGTgI23RGUXmUDd
Malware Config
Extracted
urelas
112.175.88.207
112.175.88.208
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation 1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 4600 huter.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1764 wrote to memory of 4600 1764 1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe 89 PID 1764 wrote to memory of 4600 1764 1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe 89 PID 1764 wrote to memory of 4600 1764 1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe 89 PID 1764 wrote to memory of 2960 1764 1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe 90 PID 1764 wrote to memory of 2960 1764 1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe 90 PID 1764 wrote to memory of 2960 1764 1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\huter.exe"C:\Users\Admin\AppData\Local\Temp\huter.exe"2⤵
- Executes dropped EXE
PID:4600
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "2⤵PID:2960
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512B
MD54514d58bb3af5fd2132870ab9e2897d9
SHA19bf67ec19026e2485416a37315a32a19972a69ff
SHA2568bc8fa165190f94d0f84f4c5772a7aee9aafd778e395effcdf501055b0658fa8
SHA51207941b5f5275a931b8b7be9c94062714a6f8546ff3df4479638b6638960f61d35ad25fefa3bd7fc9b0934e9814c40169dce5803aac5e25ae932b698c85688738
-
Filesize
137KB
MD51d387e8fdc34aa18e48e94f63944b525
SHA173b081ce4e58cf632de3e28741cbfb4e191aeb6d
SHA2565e3516f802661bc84ff560a04d6d2bdd7e5051bcf168b15625e88c951ffe975a
SHA5127ec526399943712d1007e96766c7dbb916abc86044563ada3d614f37871212e5a6f513599bc43e7eeb8272fc92a844b317d765796f657af141de6beb9fe89588
-
Filesize
302B
MD58d02ca837a87244b8c9f7fdd4eb5e2fd
SHA18ed12243974adff8266b286884ba3908d757b6c3
SHA256eac69739d49632f63c345058b604969f49d816ef35feceae8d28be2e8e19729a
SHA512b3716f01cb424b70f9633ba7b30412761a8925d7974c0d12b5a4fef44e56048bfdbcb88982f62d11cb20682f1dadb78278a141e1fc3761a66a67388b86e61059