Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/04/2024, 15:02
Static task: static1
Behavioral task: behavioral1
  Sample: 07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe
Size: 10KB
MD5: 07f1291a3ae58be9d8c696f14eb56af8
SHA1: f87983edd771334dcfa2cbb071595142a2568909
SHA256: 53f18343a53a4d35670199ab1c9b66eadca4788c128d58e3fa6a90f210f1eebd
SHA512: bdf5ba1429cdef0c5534e8fb76dda4a69f7cb0514e17e6841f2674fb03ed0cee817c186f19c28df2e9e63c587600d88eb08f44c83bfdca266be6b066f4cb6271
SSDEEP: 192:ibrETxL4X4f0y4PJuCIa0K8ocRbHzbaAU/uCdCIP:iXET14X4f0y4ER1ocRbvaAUu2P
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | 07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe

Executes dropped EXE (1 IoCs)
pid | Process
4828 | budha.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3084 wrote to memory of 4828 | 3084 | 07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe | 83
PID 3084 wrote to memory of 4828 | 3084 | 07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe | 83
PID 3084 wrote to memory of 4828 | 3084 | 07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe | 83
Processes
C:\Users\Admin\AppData\Local\Temp\07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07f1291a3ae58be9d8c696f14eb56af8_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3084
  C:\Users\Admin\AppData\Local\Temp\budha.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
    - Executes dropped EXE
    PID: 4828
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
MD5: 185b057f791ff0f9f8798084fd2588f5
SHA1: e6f75e036f3aeebf817c34b2ba268a16708f4122
SHA256: 25888e6a15c6137fc0eacce0eb3e7b6166a6ee5c0c2441bbdd10f5a79857fc2c
SHA512: 338e1b3ed9ca1fefd78ec039ad4901b819c93fbf73ea82856b65169f8a7400fddef002cd0e3f98db554bebfda88f9c78cd24a433d422a0bd463f8f60b024cf61