Analysis
-
max time kernel
93s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22-05-2024 20:39
Static task
static1
Behavioral task
behavioral1
Sample
688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
-
Size
291KB
-
MD5
688e14c833fbf6c95e9650360d02dd0c
-
SHA1
44df08300d83f1d8b8d718b8f7a784ff7e9c70a0
-
SHA256
894b1035b22d5321155f5ee74f590eabb7c52aa554bcadeb0b4c28be93ee9747
-
SHA512
6149170aea4880962d5f28f35a0cd6758ee29326b04ebe73323dbe0850623cbbece20f706d95119add021caf34a642f34a52695fcfe8bf5f20eab11b904a3e37
-
SSDEEP
6144:wZUyi7Uh0WQaaAJ0UU4BVSEqkm+mYcy9BhcjhLh1sz3s2m:wip7UhEaJJ0UGENJmVyPhqJnMs3
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
process: 688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\IDSCPRODUCT = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe\""
process: 688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
description: PID 4240 wrote to memory of 1416
pid: 4240
process: 688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
target process: 688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
description: PID 4240 wrote to memory of 1416
pid: 4240
process: 688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
target process: 688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe"
Tree level: 1
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe" 3 true
Tree level: 2
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\688e14c833fbf6c95e9650360d02dd0c_JaffaCakes118.exe.log
Filesize
308B
MD5
40c496dc8752a6ae422655a35b5c4079
SHA1
21638fbe678c91b911479e9a0e06434d6cf74770
SHA256
f31a57262b673c0e8799827dec5a597e0264ea838beee2d2f9c45c0698c3d4a8
SHA512
4ec472946d6de025d0b6ea35785e46be7966cf3e0cba17251c67246225dc05f487c9041e1dcdecab7ece01d032280c296ee4811a07ea54e01eab2ab111d5e472
-
memory/1416-8-0x00007FFDCF9B0000-0x00007FFDD0351000-memory.dmp
Filesize
9.6MB
-
memory/1416-7-0x00007FFDCF9B0000-0x00007FFDD0351000-memory.dmp
Filesize
9.6MB
-
memory/1416-9-0x00007FFDCF9B0000-0x00007FFDD0351000-memory.dmp
Filesize
9.6MB
-
memory/4240-0-0x00007FFDCFC65000-0x00007FFDCFC66000-memory.dmp
Filesize
4KB
-
memory/4240-1-0x00007FFDCF9B0000-0x00007FFDD0351000-memory.dmp
Filesize
9.6MB
-
memory/4240-2-0x000000001B2E0000-0x000000001B2EC000-memory.dmp
Filesize
48KB
-
memory/4240-3-0x00007FFDCF9B0000-0x00007FFDD0351000-memory.dmp
Filesize
9.6MB
-
memory/4240-6-0x00007FFDCF9B0000-0x00007FFDD0351000-memory.dmp
Filesize
9.6MB