Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 07:24

Static task: static1
Behavioral task: behavioral1
Sample: 6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe
Resource: win7-20231129-en
General

Target: 6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe
Size: 590KB
MD5: 6a2ef567582a9f9608e4d07a6d0676ae
SHA1: a9eb76a0f75413913259f0bf8b1e72830887a123
SHA256: 0b93596a5112d24596d6ee0b833f327c5f889290b2cfb1f17102f4bd6fb88020
SHA512: 560308a26d123eb59b1a465821fc7b4a278c6e91db73db9aae6e41643d8d20093efab5a88a17b9e583f5c0b28c331025b864b799e0059b5b2efa1e5f96be936b
SSDEEP: 12288:thZva7SM72W1Va8a3i0HzTMynlpDM08OUrsTC9iNf:fZva7SM7Wi0TTxlS3GC9If
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code (GeoID) configured in the registry for the current user, likely a geofence check.
Processes:
  process: 6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 38
  ioc: freegeoip.app

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
Processes:
  pid: 4888
  process: taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  pid: 4888
  process: taskkill.exe
This is flagged on taskkill.exe itself, not on the sample: taskkill enables SeDebugPrivilege so that it can open and terminate other processes, so the signature fires on nearly every use of the tool.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 804 (6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe) wrote to memory of PID 4212 (cmd.exe), 3 events
  PID 4212 (cmd.exe) wrote to memory of PID 4888 (taskkill.exe), 3 events
Caveat: in both pairs the target is the writer's direct child in the process tree below (804 spawned cmd.exe, 4212 spawned taskkill.exe), which is the pattern a parent produces while setting up a process it has just created. Nothing in this report shows a write into an unrelated process, so these six events are not by themselves evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe"
   PID: 804
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe" & exit
      PID: 4212
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe" /f
         PID: 4888
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

The cmd.exe chain is a self-delete: the sample spawns cmd.exe, which force-kills the sample by image name and then erases the original file from the user's Temp directory. Because the file is removed while the parent is still being torn down, the sample survives only as the memory dumps listed under Downloads. Note also that the command line names C:\Windows\System32\cmd.exe while the image that actually ran is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit (resource tag arch:x86) and WOW64 file-system redirection substituted the 32-bit cmd.exe and taskkill.exe.
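As an added example for the Signatures and Processes sections above (this is not Triage's code nor anything extracted from the sample), the following Python re-derives the report's findings from a constructed event list shaped like the report's tables: the Geo\Nation registry read, the freegeoip.app flow, the cmd.exe taskkill-and-erase self-delete chain, and the WriteProcessMemory pairs labelled by whether the target is the writer's own child. The event field names (type, pid, ppid, image, cmdline, key, host, flow, src, dst) and the IP_LOOKUP_HOSTS set are this example's assumptions; the pids, paths and command lines are the report's.

```python
"""Re-derive this report's signatures from constructed sandbox-style events.

Added example, not Triage's code. The event dict layout below is an assumption
of this example, not a Triage export format; the pids and command lines are
taken from the report's process tree.
"""
import ntpath
import re

SAMPLE = "6a2ef567582a9f9608e4d07a6d0676ae_JaffaCakes118.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
GEO_NATION_KEY = r"\control panel\international\geo\nation"  # compared lower-cased
IP_LOOKUP_HOSTS = {"freegeoip.app"}  # the one host in this report; extend as needed

# Constructed from the report's tables (assumed field names).
EVENTS = [
    {"type": "process", "pid": 804, "ppid": None, "image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}"'},
    {"type": "registry_query", "pid": 804,
     "key": r"\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "flow", "flow": 38, "host": "freegeoip.app"},
    {"type": "process", "pid": 4212, "ppid": 804, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{SAMPLE}" /f '
                f'& erase "{SAMPLE_PATH}" & exit'},
    {"type": "process", "pid": 4888, "ppid": 4212, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": f'taskkill /im "{SAMPLE}" /f'},
    {"type": "write_memory", "src": 804, "dst": 4212},
    {"type": "write_memory", "src": 4212, "dst": 4888},
]


def tokenize(cmd):
    """Quote-aware split of one cmd.exe command into arguments (quotes removed)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def split_on_amp(line):
    """Split a cmd.exe line on unquoted '&'; the sample chains three commands this way."""
    parts, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def cmd_commands(cmdline):
    """Return the commands a 'cmd.exe /c ...' line runs, each tokenized.

    Handles an unquoted chain (as in this report) and a chain wrapped in one
    outer pair of quotes; a line that is not cmd.exe is returned as one command.
    """
    toks = tokenize(cmdline)
    rest = cmdline
    if (len(toks) > 1 and ntpath.basename(toks[0]).lower() in ("cmd.exe", "cmd")
            and toks[1].lower() in ("/c", "/k")):
        m = re.match(r'\s*(?:"[^"]*"|\S+)\s+/[ck]\s*', cmdline, re.I)
        if m:
            rest = cmdline[m.end():].strip()
            if len(rest) > 1 and rest[0] == '"' and rest[-1] == '"':
                rest = rest[1:-1]
    return [tokenize(p) for p in split_on_amp(rest)]


def self_delete_chains(events):
    """Flag a child cmd.exe whose chain both taskkills and erases its parent's image."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent is None:
            continue
        target = ntpath.basename(parent["image"]).lower()
        killed = deleted = False
        for cmd in cmd_commands(p["cmdline"]):
            verb = ntpath.basename(cmd[0]).lower()
            args = [a.lower() for a in cmd[1:]]
            if verb in ("taskkill", "taskkill.exe") and "/im" in args:
                i = args.index("/im")
                killed |= i + 1 < len(args) and args[i + 1] == target
            if verb in ("erase", "del"):
                deleted |= any(ntpath.basename(a) == target for a in args)
        if killed and deleted:
            hits.append((parent["pid"], p["pid"], target))
    return hits


def geofence_checks(events):
    """Registry reads of HKCU\\Control Panel\\International\\Geo\\Nation (the GeoID)."""
    return [(e["pid"], e["key"]) for e in events
            if e["type"] == "registry_query" and e["key"].lower().endswith(GEO_NATION_KEY)]


def ip_lookups(events):
    """Flows to known external-IP lookup services."""
    return [(e["flow"], e["host"]) for e in events
            if e["type"] == "flow" and e["host"].lower() in IP_LOOKUP_HOSTS]


def classify_memory_writes(events):
    """Label each WriteProcessMemory pair: a write into the writer's direct child is
    what process creation produces; a write anywhere else deserves a closer look."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    out = []
    for e in events:
        if e["type"] != "write_memory":
            continue
        dst = procs.get(e["dst"])
        kind = "child-setup" if dst and dst["ppid"] == e["src"] else "cross-process"
        out.append((e["src"], e["dst"], kind))
    return out


if __name__ == "__main__":
    print("geofence:", geofence_checks(EVENTS))
    print("ip lookup:", ip_lookups(EVENTS))
    print("self-delete:", self_delete_chains(EVENTS))
    print("memory writes:", classify_memory_writes(EVENTS))
```

Run as a script it prints the four findings for the constructed events; to use it on real telemetry, map your process-create, registry and network records onto the same field names. The self-delete check is the part worth reusing: it splits the cmd.exe line on unquoted `&`, strips a leading `cmd /c`, and only fires when the taskkill target and the erased file both resolve to the parent's own image name, so a cmd.exe that kills and deletes some other file does not match.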
Network
MITRE ATT&CK Enterprise v15
Downloads

memory/804-1-0x0000000000520000-0x0000000000620000-memory.dmp   Filesize 1024KB
memory/804-2-0x0000000000400000-0x000000000044C000-memory.dmp   Filesize 304KB
memory/804-3-0x0000000000400000-0x00000000004E6000-memory.dmp   Filesize 920KB
memory/804-5-0x0000000000400000-0x000000000044C000-memory.dmp   Filesize 304KB

All four dumps are of PID 804 (the sample). Dumps 2, 3 and 5 cover the region starting at 0x400000 at two different sizes (304KB, then 920KB, then 304KB again); dump 1 is a separate 1MB region at 0x520000. Since the sample erases its own file from Temp (see Processes), these dumps are what is left for static analysis.