Analysis
-
max time kernel
92s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
14-05-2024 18:19
Static task
static1
Behavioral task
behavioral1
Sample
4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
-
Size
21.3MB
-
MD5
4277477edd95a0337f04acb5f75705d1
-
SHA1
58ce92f0b43d1a67cf9a8e453a1c9c3978f203a8
-
SHA256
af4076b2ca7ef8b6aa19702b2f31ad5dceb9feef26c4ec5b649afa83748bbbf8
-
SHA512
88e7b67210f487743fb722d961d61760691b0ac1fb692cf0889b2939d8d360e39a3df2ff85108cd32242b3bfcf770f86b466729a5bc2829250d6d1e7e3eb1b7e
-
SSDEEP
393216:w6Tm05yl21jcsqsPC3JUrnQxNboS59A43Uk4U6bOIkvzMe6:w6ijqjWunSNH59z4NOI+zMe6
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe, rar.exe, 44.exe, Arkei1.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | rar.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 44.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | Arkei1.exe
-
Executes dropped EXE 5 IoCs
Processes: rar.exe, 44.exe, Arkei1.exe, dfrgui.exe, BlueScreenView.exe
pid | process
4400 | rar.exe
4412 | 44.exe
4104 | Arkei1.exe
2016 | dfrgui.exe
4396 | BlueScreenView.exe
-
Loads dropped DLL 2 IoCs
Processes: dfrgui.exe, BlueScreenView.exe
pid | process
2016 | dfrgui.exe
4396 | BlueScreenView.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 14 IoCs
Processes: 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Chrysanthemum.jpg | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Koala.jpg | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Penguins1.jpg | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File created | C:\Program Files (x86)\ZX Comany\Setup\Uninstall.ini | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Jellyfish.jpg | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Uninstall.exe | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\11.bat | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\rar.exe | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Hydrangeas.jpg | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\tylpan.jpg | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\photo.exe | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Desert.jpg | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\engvins.jpg | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Lighthouse.jpg | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe
pid | pid_target | process | target process
1772 | 4396 | WerFault.exe | BlueScreenView.exe
412 | 2016 | WerFault.exe | dfrgui.exe
-
NSIS installer 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | nsis_installer_2
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 44.exe, Arkei1.exe
pid | process
4412 | 44.exe
4412 | 44.exe
4104 | Arkei1.exe
4104 | Arkei1.exe
4412 | 44.exe
4104 | Arkei1.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 44.exe, Arkei1.exe
description | pid | process
Token: SeDebugPrivilege | 4412 | 44.exe
Token: SeDebugPrivilege | 4104 | Arkei1.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes: 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe, cmd.exe, rar.exe, 44.exe, Arkei1.exe, BlueScreenView.exe, dfrgui.exe
description | pid | process | target process
PID 644 wrote to memory of 5020 | 644 | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | cmd.exe
PID 644 wrote to memory of 5020 | 644 | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | cmd.exe
PID 644 wrote to memory of 5020 | 644 | 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | cmd.exe
PID 5020 wrote to memory of 4400 | 5020 | cmd.exe | rar.exe
PID 5020 wrote to memory of 4400 | 5020 | cmd.exe | rar.exe
PID 5020 wrote to memory of 4400 | 5020 | cmd.exe | rar.exe
PID 4400 wrote to memory of 4412 | 4400 | rar.exe | 44.exe
PID 4400 wrote to memory of 4412 | 4400 | rar.exe | 44.exe
PID 4400 wrote to memory of 4412 | 4400 | rar.exe | 44.exe
PID 4400 wrote to memory of 4104 | 4400 | rar.exe | Arkei1.exe
PID 4400 wrote to memory of 4104 | 4400 | rar.exe | Arkei1.exe
PID 4400 wrote to memory of 4104 | 4400 | rar.exe | Arkei1.exe
PID 4412 wrote to memory of 2016 | 4412 | 44.exe | dfrgui.exe
PID 4412 wrote to memory of 2016 | 4412 | 44.exe | dfrgui.exe
PID 4412 wrote to memory of 2016 | 4412 | 44.exe | dfrgui.exe
PID 4104 wrote to memory of 4396 | 4104 | Arkei1.exe | BlueScreenView.exe
PID 4104 wrote to memory of 4396 | 4104 | Arkei1.exe | BlueScreenView.exe
PID 4104 wrote to memory of 4396 | 4104 | Arkei1.exe | BlueScreenView.exe
PID 4396 wrote to memory of 1812 | 4396 | BlueScreenView.exe | BlueScreenView.exe
PID 4396 wrote to memory of 1812 | 4396 | BlueScreenView.exe | BlueScreenView.exe
PID 4396 wrote to memory of 1812 | 4396 | BlueScreenView.exe | BlueScreenView.exe
PID 2016 wrote to memory of 4948 | 2016 | dfrgui.exe | dfrgui.exe
PID 2016 wrote to memory of 4948 | 2016 | dfrgui.exe | dfrgui.exe
PID 2016 wrote to memory of 4948 | 2016 | dfrgui.exe | dfrgui.exe
Processes (indented by parent/child depth)
-
C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 644

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ZX Comany\Setup\11.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 5020

    C:\Program Files (x86)\ZX Comany\Setup\rar.exe
      Command line: rar.exe -p123321 -dC:\TEMP
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4400

      C:\TEMP\44.exe
        Command line: "C:\TEMP\44.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4412

        C:\Users\Admin\AppData\Local\Temp\dfrgui.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\dfrgui.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 2016

          C:\Users\Admin\AppData\Local\Temp\dfrgui.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\dfrgui.exe"
            PID: 4948

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 800
            - Program crash
            PID: 412

      C:\TEMP\Arkei1.exe
        Command line: "C:\TEMP\Arkei1.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4104

        C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 4396

          C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe"
            PID: 1812

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 800
            - Program crash
            PID: 1772

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4396 -ip 4396
  PID: 3100

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2016 -ip 2016
  PID: 3308
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
49B
MD5
9c5ff437f1c8df2188522588a13d8a39
SHA1
c7659b5e9231fba6de6337aa61945b4cf35fc6f9
SHA256
f629d747c54a3cba4c7ff7a961fd23022a1ad8fe6f988f94037f4ab1160a9a27
SHA512
b7c6e6e453d20d5b8a736e526dcbfcbc1c7668bf2f78c2768b5d68dc2016e50bfb7e8267f373b3390559558ffbcd245ce4c75c94bda417377cc7ce3f1aea1079
-
Filesize
1.7MB
MD5
66aff81a4148ac26ee7e57627e2ecbc7
SHA1
9d6b2264f1cfeadb556b1fe880a965102e3c557f
SHA256
7fb160efad7efd2ee2deacf99f63f433fc4b58c714a678e34a3e5e162e99f1be
SHA512
721a00c68fa913ede6d5b45bb3e01c4f863c0614af224ca98585a548b37c953eaaf91eb275e62ef9e392c400d1f346ee3dbbe91a815c89f2afa381cc2c3551e9
-
Filesize
879KB
MD5
343ab41be912e2fd47c5b440adea8283
SHA1
9172aeccb1a9373bef8e37893fe3b64624326dd1
SHA256
20ed4aa51c59153dc2eec8a610467fb3a7eb38474ef6ec179c3b71e1ffbcce59
SHA512
e8f6d009caf7f3b5a9980614b5c0a50115cdcb8f0999edb9af7587e65017c61e484def72650cd5ab81279e5a99f21111c9677b1a21fa1ad3c3e8aa3913b095ad
-
Filesize
832KB
MD5
568712e628008b963d6c40a12f10ac00
SHA1
3bc8567a248cffd1ac43d8fa47edb5eee6bd65b0
SHA256
45c2a05d843c448491a4f31f06db4bfe5553ebba2a9d990317cd2cb0dabff30b
SHA512
e15e7c7f7f1c9a5f168b2d5fa28a0b28f3ff67ada0b5837bfac98e1f9e04074b51eed2721a4b6de60dfc7198042031fa2bea003cff75fd0718714ecbeb522735
-
Filesize
8.0MB
MD5
9e5061f48550753fd4a67bced21d31e6
SHA1
6cdd2e6ec542d585b5481ab6fbaf64f1eab1658d
SHA256
8aa8301129281f1a4d1aa9eba37e69282fd1d68f084455a9a25f5db3f158c7b3
SHA512
c5d079f3375a2ddeab9daa54b83ede12960ee507428aae1a06431b7f905b1a4cd71c6f98d34c78131d52818ed0f3324b48b59d40baa24c8b7d775a3c0fae1871
-
Filesize
5.2MB
MD5
9380743a114a72fdd83ae0d9bc7ecc82
SHA1
b378df8008977d1d57a24874936b19f8ae4b1553
SHA256
41c2200ffdbf809d9898747753421f0a59a7989c412696af7dae1bdca172bc80
SHA512
d3ec0f19dabd6568c7c4b8feeaf6320c88a91dae4dc5b7589900d7eb1ba94d0f634fc5fbe4e8a43f52b56417e4bd2faa3739325c500b22c73df66ddd04d42824
-
Filesize
654KB
MD5
7399f9bec3517e33cb548b00414c49da
SHA1
32630a25c5adc819f6ce491bd13ba850a29eae9d
SHA256
ade8f7dfecdc7bcadb1686ea34682305cb9613c7cde67ed55dd319050e9de145
SHA512
0280c5b55ea1dce71f9b2ddbfe0bac2f030d4d87a830bce1e89807876ae9d12f48045b3123e20f6859c1089d443751fa9204d2487d1b58264a1ad7e32d2e1c06
-
Filesize
763KB
MD5
9f3bf0c3af2387816095511aeee7ffc4
SHA1
0e7eb78ffdeba6bc3806c946cf5e5a3f62f89201
SHA256
eb082d0c9627b183fdcd688a92b3589f9ea7c2a585c31f1ccad681fc5a54adb0
SHA512
3ebd8e3f83e91a7ef55df422aefcde11156d20c0fb0c489ee9f3d46f96f428639a1ec49e27680c2cd94b35a786ed440a680e6b12ec5fc56b0499e68545015a49
-
Filesize
11KB
MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6