Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 22:03
Static task: static1
Behavioral task: behavioral1
Sample: 314162b42775491f40e45f230a66a951_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 314162b42775491f40e45f230a66a951_JaffaCakes118.exe
Size: 1.5MB
MD5: 314162b42775491f40e45f230a66a951
SHA1: 8b69e81360caa7c644ff9d646ce707614d57f14b
SHA256: 494e74c88fed50337a524e4e3c395fbf0cf1443691ef9ba11d22199c72add384
SHA512: a33fe3f575c3d53f735a1ac30fdb2249d6ebb0df9828a495f34d28804a4932c3d4c75188ca478acb885d87137b2dbddb6b75b1fc66206d613f7fd7b5f91b6d71
SSDEEP: 24576:w8IX/6BvJQOsb7DW9d9597vmQnbWPRqprGYRfVP2XvZ:qXShJQOsHS9d9597vmQnKpqpr/3P2/
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
  Process: 314162b42775491f40e45f230a66a951_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
Processes:
  pid   Process
  3492  AdobeReader.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid   Process
  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe
  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe
  3492  AdobeReader.exe
  3492  AdobeReader.exe

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  pid   Process
  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe
  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe
  3492  AdobeReader.exe
  3492  AdobeReader.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid   Process
  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe
  3492  AdobeReader.exe
  3492  AdobeReader.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   Process                                             procid_target
  PID 4992 wrote to memory of 4208  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe  96
  PID 4992 wrote to memory of 4208  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe  96
  PID 4992 wrote to memory of 4208  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe  96
  PID 4992 wrote to memory of 4856  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe  100
  PID 4992 wrote to memory of 4856  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe  100
  PID 4992 wrote to memory of 4856  4992  314162b42775491f40e45f230a66a951_JaffaCakes118.exe  100
Processes

C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4992

  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "AdobeReader" /TR "\"C:\ProgramData\AdobeReader.exe\""
    - Creates scheduled task(s)
    PID: 4208

  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /run /tn "AdobeReader"
    PID: 4856

C:\ProgramData\AdobeReader.exe (level 1)
  Command line: C:\ProgramData\AdobeReader.exe
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 3492
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 1.5MB
MD5: a943181e6d69c99c1428d7a4b2474b7d
SHA1: e47deac6de97b97aa7298e80d426fefd777ea5cd
SHA256: 73f7a66e9f030f01b9171a8e0776320de453043ce0bd47bb9c53c79d5473849f
SHA512: 5a1470e35295d2906e8b4e9f67ee754a3874375fa58c8ddf1a464758c2936dade45f56bac94d89037ee499554646d69c59924bf49e4d43af3fc14fad33326af0

File 2
Filesize: 79B
MD5: 83b97265e21f56d5bd10048724ff6dae
SHA1: b94b9d9cc60b564568f90c84a1a50307150ca03e
SHA256: 96ba7f3c99208dcc85e8336c459b1562caa5b270064442686ee59576084d905c
SHA512: 77e309fe0e561e69b4ae82eb5ded158ea26a36afce800063cbd8ae1c4cf857eeac87568168a6a61d78aca514c6aed1ba26d8f1efd93e80fd3564361faac9cb5f