Analysis
max time kernel: 92s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 11:29
Static task: static1
Behavioral task: behavioral1
  Sample: 3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral3
  Sample: $_3_.exe
  Resource: win7-20240508-en
Behavioral task: behavioral4
  Sample: $_3_.exe
  Resource: win10v2004-20240508-en
General
Target: 3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe
Size: 967KB
MD5: 3f4293424f1741c6670aa546b55bd3fe
SHA1: fe20cf9317f91e48a03826143f6da24f5e966c22
SHA256: 6d0776266018bc8aff6982c0b66c30ba237b5fbd15cf5f400707be7d7df2b262
SHA512: 1862defe957a32d706c3c023b1614bbce66ad2cb092a93f0a2d32cca58a24f3acfc1fc60c40563265a5c8355e0ccf7d70f30a52e5e46ffd6b6b6b57dd2ea824e
SSDEEP: 24576:gtXCT35bEN60Yc/rMegvH6RK1aeGokgwHP:gKBtV6MjvH6RIrDCP
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2252 | internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  1924 | PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2252 | internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe
  2252 | internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  2252 | internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe
  2252 | internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe
  2252 | internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3012 wrote to memory of 2252 | 3012 | 3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe | 81
  PID 3012 wrote to memory of 2252 | 3012 | 3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe | 81
  PID 3012 wrote to memory of 2252 | 3012 | 3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe | 81
  PID 2252 wrote to memory of 4340 | 2252 | internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe | 87
  PID 2252 wrote to memory of 4340 | 2252 | internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe | 87
  PID 2252 wrote to memory of 4340 | 2252 | internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe | 87
  PID 4340 wrote to memory of 1924 | 4340 | cmd.exe | 89
  PID 4340 wrote to memory of 1924 | 4340 | cmd.exe | 89
  PID 4340 wrote to memory of 1924 | 4340 | cmd.exe | 89
Processes

1. C:\Users\Admin\AppData\Local\Temp\3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe"
   PID: 3012
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nst4335.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nst4335.tmp/fallbackfiles/'
     PID: 2252
     - Checks computer location settings
     - Executes dropped EXE
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\cmd.exe
       Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9043.bat" "C:\Users\Admin\AppData\Local\Temp\D1195AC2C9F04CC9B29BB322B620F2F5\""
       PID: 4340
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 1 -w 1000
         PID: 1924
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 214B
- C:\Users\Admin\AppData\Local\Temp\D1195AC2C9F04CC9B29BB322B620F2F5\D1195AC2C9F04CC9B29BB322B620F2F5_LogFile.txt (Filesize: 3KB)
- C:\Users\Admin\AppData\Local\Temp\D1195AC2C9F04CC9B29BB322B620F2F5\D1195AC2C9F04CC9B29BB322B620F2F5_LogFile.txt (Filesize: 9KB)
- Filesize: 110KB
- C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118.exe (Filesize: 1.8MB)
- C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118_icon.ico (Filesize: 11KB)
- C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\internal3f4293424f1741c6670aa546b55bd3fe_JaffaCakes118_splash.png (Filesize: 136KB)