Analysis
max time kernel: 148s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:15
Static task: static1
Behavioral task: behavioral1
Sample: b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe
Size: 7.9MB
MD5: b94a1fd6e0773a4eda0fa083249a7b0c
SHA1: 9534195e2d1defcc6c235074d84ed39067284ce1
SHA256: 99e865dc90658cdd73de624c8eeda31580a5e11285a4e280a384cd7ccabf2ccf
SHA512: ba545bc4be13dc9a7cc3fb0873d7baa4fc45370e4b700e944af9ff65d78c72c2891c6c4402801af2d2eaa00af955c511185b1ed5b62f91e4df2b2f3065407efa
SSDEEP: 196608:8Kazg7DSmKazg7DSmKazg7DSmKazg7DSN:Eg7u6g7u6g7u6g7uN
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                            | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation             | b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe

Executes dropped EXE (3 IoCs)
  pid  | Process
  3124 | 7D57AD13E21.exe
  2024 | Scegli_nome_allegato.exe
  4416 | 7D57AD13E21.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc                                                                                                                                                      | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" | reg.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                         | pid  | Process         | procid_target
  PID 3124 set thread context of 4416 | 3124 | 7D57AD13E21.exe | 100

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
  description     | ioc                                                                                                                                       | Process
  Key created     | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\IESettingSync                           | Scegli_nome_allegato.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | Scegli_nome_allegato.exe
  Key created     | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                      | Scegli_nome_allegato.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Scegli_nome_allegato.exe
Modifies registry key (1 TTPs, 1 IoCs)
  pid  | Process
  3560 | reg.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid  | Process
  2024 | Scegli_nome_allegato.exe
  2024 | Scegli_nome_allegato.exe
  2024 | Scegli_nome_allegato.exe
  4416 | 7D57AD13E21.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                   | pid  | Process                                            | procid_target
  PID 2184 wrote to memory of 3560 | 2184 | b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe | 95
  PID 2184 wrote to memory of 3560 | 2184 | b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe | 95
  PID 2184 wrote to memory of 3560 | 2184 | b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe | 95
  PID 2184 wrote to memory of 3124 | 2184 | b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe | 97
  PID 2184 wrote to memory of 3124 | 2184 | b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe | 97
  PID 2184 wrote to memory of 3124 | 2184 | b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe | 97
  PID 2184 wrote to memory of 2024 | 2184 | b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe | 98
  PID 2184 wrote to memory of 2024 | 2184 | b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe | 98
  PID 2184 wrote to memory of 2024 | 2184 | b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe | 98
  PID 3124 wrote to memory of 4416 | 3124 | 7D57AD13E21.exe                                    | 100
  PID 3124 wrote to memory of 4416 | 3124 | 7D57AD13E21.exe                                    | 100
  PID 3124 wrote to memory of 4416 | 3124 | 7D57AD13E21.exe                                    | 100
  PID 3124 wrote to memory of 4416 | 3124 | 7D57AD13E21.exe                                    | 100
  PID 3124 wrote to memory of 4416 | 3124 | 7D57AD13E21.exe                                    | 100
Processes
C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b94a1fd6e0773a4eda0fa083249a7b0c_JaffaCakes118.exe"
  PID: 2184
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\reg.exe (depth 2)
    Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
    PID: 3560
    - Adds Run key to start application
    - Modifies registry key

  C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
    PID: 3124
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      PID: 4416
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
    PID: 2024
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7.9MB
MD5: fd92f32f90f5d33214c34c3b098a7cd6
SHA1: ceee08bd0a351d1ef3ccf1c654f233a1a74dc6c5
SHA256: 991e64ce263d41e0c1caeefe4e688ed6761074f05da0152c14e29a1fa0f94e50
SHA512: 0c73b6e2c414142f044b5987b25d4bf4b54cc9559c033c2428b328242e4daa6f5e279b19242b58b383a086570981249ce50223a26bb94544171b192cc7e36c44

Filesize: 1.0MB
MD5: a2f259ceb892d3b0d1d121997c8927e3
SHA1: 6e0a7239822b8d365d690a314f231286355f6cc6
SHA256: ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
SHA512: 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad