Analysis
max time kernel: 140s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 22:07
Static task: static1
Behavioral task: behavioral1
Sample: fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe
Size: 285KB
MD5: fb45b1218050bc2d4ff3b78e84a1dcab
SHA1: f82266b02e4e5edeade8cbad2b72f95db00ed3b3
SHA256: 213feae4318ff89a2f61a0c2863e8d0c58c991103f0e5295ac9fda870fa19b91
SHA512: 9610cd589c1b675a1e354b9ea7b66585c21ce90f6981345299882bf5d8f15f255d80c64971d1b546148f71e73cd4be4fb2434d0422e39d07736a6bc7b6b0c44f
SSDEEP: 3072:/VYcdLtlGon6h/kxBsqLOp6YJG+mW4mn6Z2mSPyDaQIRqIJDyEw/Qd9433n1rNdz:CWBRxSp6Ytv4mI2mSK+QIBNyd/Qd9FxG
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation by fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe
Loads dropped DLL (1 IoC)
PID 4448: fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
PID 4448 (fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe) wrote to memory of PID 4740 (procid_target 89); the same event is reported three times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb45b1218050bc2d4ff3b78e84a1dcab_JaffaCakes118.exe"
   PID: 4448
   - Checks computer location settings
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\mshta.exe (child of process 1)
      Command line: "C:\Windows\System32\mshta.exe" c:\19e892b1-3050-46e4-89bd-d0a5a7717ef4\start.hta
      PID: 4740
Network
MITRE ATT&CK Enterprise v15
Downloads