Analysis
max time kernel: 153s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-04-2024 09:24
Static task: static1
Behavioral task: behavioral1
  Sample: ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe
Size: 15.9MB
MD5: ed178b01c6242514bdc2dfcf883e5bd3
SHA1: e9d2fb068e0c19a5465af9cad6fb33278c06c731
SHA256: 5c3bb64e61f513de62755642b71a8ffb882942fc89efa850fbaaa8d44dc3abbd
SHA512: fdc61ab29d164a651f79d4416d8cfd5b90b229df2731594fb6ff00d357a1fd5a38ec92ffb0455c24ac34a75ec7ced84b75f395ec344a325481a15f9a1a801635
SSDEEP: 393216:Ag7uIg7uIg7uIg7uIg7uIg7uIg7uIg7uv:tSlSlSlSlSlSlSlSv
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe

Executes dropped EXE (3 IoCs)
  pid   Process
  2880  7D57AD13E21.exe
  2304  Scegli_nome_allegato.exe
  4436  7D57AD13E21.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe"
  Process: reg.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2880 set thread context of 4436
  pid: 2880
  Process: 7D57AD13E21.exe
  procid_target: 104

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
  description      ioc                                                                                                                                               Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"    Scegli_nome_allegato.exe
  Key created      \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                            Scegli_nome_allegato.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  Scegli_nome_allegato.exe
  Key created      \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\IESettingSync                                  Scegli_nome_allegato.exe
Modifies registry key (1 TTPs, 1 IoC)
  pid   Process
  3436  reg.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2304  Scegli_nome_allegato.exe
  2304  Scegli_nome_allegato.exe
  2304  Scegli_nome_allegato.exe
  4436  7D57AD13E21.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                          pid   Process                                             procid_target
  PID 3372 wrote to memory of 3436     3372  ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe  98
  PID 3372 wrote to memory of 3436     3372  ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe  98
  PID 3372 wrote to memory of 3436     3372  ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe  98
  PID 3372 wrote to memory of 2880     3372  ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe  101
  PID 3372 wrote to memory of 2880     3372  ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe  101
  PID 3372 wrote to memory of 2880     3372  ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe  101
  PID 3372 wrote to memory of 2304     3372  ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe  102
  PID 3372 wrote to memory of 2304     3372  ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe  102
  PID 3372 wrote to memory of 2304     3372  ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe  102
  PID 2880 wrote to memory of 4436     2880  7D57AD13E21.exe                                     104
  PID 2880 wrote to memory of 4436     2880  7D57AD13E21.exe                                     104
  PID 2880 wrote to memory of 4436     2880  7D57AD13E21.exe                                     104
  PID 2880 wrote to memory of 4436     2880  7D57AD13E21.exe                                     104
  PID 2880 wrote to memory of 4436     2880  7D57AD13E21.exe                                     104
Processes
Path: C:\Users\Admin\AppData\Local\Temp\ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ed178b01c6242514bdc2dfcf883e5bd3_JaffaCakes118.exe"
PID: 3372 (depth 1)
- Checks computer location settings
- Suspicious use of WriteProcessMemory

  Path: C:\Windows\SysWOW64\reg.exe
  Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
  PID: 3436 (depth 2)
  - Adds Run key to start application
  - Modifies registry key

  Path: C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
  Command line: "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
  PID: 2880 (depth 2)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    Path: C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
    Command line: "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
    PID: 4436 (depth 3)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  Path: C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
  PID: 2304 (depth 2)
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3776 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
PID: 4108 (depth 1)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15.9MB
MD5: d2df02210b501df438ee7052e80c2d7b
SHA1: 89109d7fa5c7e73e2f3b5789da7dcb07820609ae
SHA256: e7ae42c9e4945dd125fc60311bc0a5d29890ca2951aa16d76b55a12e446b1d60
SHA512: 68a817565007a794bd7783bd8e3c32d6b469f3b4548b325359b0ae933f1ded949a65fc9da1dbea9542d24d65e3a4b3b19b6d6d87823818c2a7124439166dd81a

Filesize: 1.0MB
MD5: a2f259ceb892d3b0d1d121997c8927e3
SHA1: 6e0a7239822b8d365d690a314f231286355f6cc6
SHA256: ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
SHA512: 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad