Analysis

max time kernel: 140s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 02:51

Static task: static1
Behavioral task: behavioral1
  Sample: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General

Target: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
Size: 36KB
MD5: fbc3f0e790aafbd7f5bf39e28317d6ef
SHA1: f6ff9912af01302261fa7dfb98f71a85df5074ed
SHA256: 9fcfbb8851003bd433b7d81f8ae3d56dd0a81dd5a8607bca7d74d88756bd15ea
SHA512: a4b0e08e6200d50653fefd4e87058734f76c4bcd40a71621712d0c6c59f2d514cd06428541f7363b0abeee51b4db5ce798888ab5d42ea82da66f024ce83e6382
SSDEEP: 768:vtFUkLj9F+J4pE+GtOlfSmC5znWOjgJASvfUbP/PF7S:lF5LjfI4pE+/fSHznvgGYfUjF7S
Malware Config
Signatures
Checks computer location settings  (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe, device.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation (process: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation (process: device.exe)
Executes dropped EXE  (3 IoCs)
Processes: device.exe, part.exe, sysdevice.exe
  - PID 2340: device.exe
  - PID 4716: part.exe
  - PID 380: sysdevice.exe
Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\device.exe (yara_rule: upx)
  - behavioral2/memory/2340-7-0x0000000000400000-0x000000000040A000-memory.dmp (yara_rule: upx)
  - behavioral2/memory/2340-17-0x0000000000400000-0x000000000040A000-memory.dmp (yara_rule: upx)
Drops file in System32 directory  (18 IoCs)
Processes: sysdevice.exe, part.exe
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File opened for modification: C:\Windows\SysWOW64\sysdevice.exe (process: part.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe (process: part.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
  - File created: C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe (process: sysdevice.exe)
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash  (2 IoCs)
Processes: WerFault.exe, WerFault.exe
  - PID 3772 WerFault.exe, target PID 380 sysdevice.exe
  - PID 2696 WerFault.exe, target PID 380 sysdevice.exe
Modifies registry class  (2 IoCs)
Processes: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe, device.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings (process: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings (process: device.exe)
Suspicious behavior: EnumeratesProcesses  (4 IoCs)
Processes: part.exe, sysdevice.exe
  - PID 4716: part.exe
  - PID 4716: part.exe
  - PID 380: sysdevice.exe
  - PID 380: sysdevice.exe
Suspicious use of WriteProcessMemory  (15 IoCs)
Processes: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe, device.exe, part.exe
  - PID 3316 wrote to memory of 2340: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe -> device.exe
  - PID 3316 wrote to memory of 2340: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe -> device.exe
  - PID 3316 wrote to memory of 2340: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe -> device.exe
  - PID 3316 wrote to memory of 4628: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe -> WScript.exe
  - PID 3316 wrote to memory of 4628: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe -> WScript.exe
  - PID 3316 wrote to memory of 4628: fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe -> WScript.exe
  - PID 2340 wrote to memory of 1128: device.exe -> WScript.exe
  - PID 2340 wrote to memory of 1128: device.exe -> WScript.exe
  - PID 2340 wrote to memory of 1128: device.exe -> WScript.exe
  - PID 2340 wrote to memory of 4716: device.exe -> part.exe
  - PID 2340 wrote to memory of 4716: device.exe -> part.exe
  - PID 2340 wrote to memory of 4716: device.exe -> part.exe
  - PID 4716 wrote to memory of 380: part.exe -> sysdevice.exe
  - PID 4716 wrote to memory of 380: part.exe -> sysdevice.exe
  - PID 4716 wrote to memory of 380: part.exe -> sysdevice.exe
Processes

C:\Users\Admin\AppData\Local\Temp\fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\device.exe  (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\device.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WScript.exe  (depth 3)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\temp.vbs"

        C:\Users\Admin\AppData\Local\Temp\part.exe  (depth 3)
          Command line: C:\Users\Admin\AppData\Local\Temp\part.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\sysdevice.exe  (depth 4)
              Command line: C:\Windows\system32\sysdevice.exe
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses

                C:\Windows\SysWOW64\WerFault.exe  (depth 5)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 752
                  - Program crash

                C:\Windows\SysWOW64\WerFault.exe  (depth 5)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 1044
                  - Program crash

    C:\Windows\SysWOW64\WScript.exe  (depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\temp.vbs"

C:\Windows\SysWOW64\WerFault.exe  (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 380 -ip 380

C:\Windows\SysWOW64\WerFault.exe  (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 380 -ip 380
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\device.exe
  Filesize: 22KB
  MD5: 3579f05e7e1cff412674acec362b88d2
  SHA1: 9105b456d90b17bd00d4e6385222120b9352ad4d
  SHA256: 4a789f6d809fe94c8192b6cab843d89fc142f6c2e2bab53504a7450f70f91d3a
  SHA512: 0436b2f2178eeaec16af30640d439ef40e204be3673dd05b63d866755a04cbf63af5a75d37d6414b245eb44e609e1e3a427781bbc0baad743151d57a78139304

C:\Users\Admin\AppData\Local\Temp\part.exe
  Filesize: 13KB
  MD5: 4e208656781d3579104b17eeabc1e52c
  SHA1: 4dba53c0f1a82860562a64010345e7c1674e1313
  SHA256: c311180fb753230292fc716c1940adf91485313521a53ec835a3d093b303727f
  SHA512: 7f9fd51bddbe4ba8c3df176457b80c52927aebc2d75941603419fd86119b64eff0064b175fe7bcdddaed81a8b7b1af7266126dc59211d3235299d1bbcb371001

C:\Users\Admin\AppData\Local\Temp\temp.vbs
  Filesize: 182B
  MD5: 99dee37e762756d28393116992973fda
  SHA1: 416881a428844842081d9248b6d411f3f189718b
  SHA256: 575e7ab3ad92622286f4b6a85541a82ef8f3184dea31a547e592bf2b6216b972
  SHA512: eb014d471bfe17afdcc1650c5488197dd2bba55c36ee7526d9eaa3db982ec4c054499a00945908e6b6c323a135d33ba8c748225a4c20c41d3173212c9ac55a4f

memory/380-25-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB

memory/380-26-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB

memory/2340-7-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB

memory/2340-17-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB

memory/3316-18-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize: 28KB

memory/4716-19-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB

memory/4716-23-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB