Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 16:32

Static task: static1
Behavioral task: behavioral1
  Sample: a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

General
Target: a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe
Size: 1.7MB
MD5: a157c71bbf2010904d0ebf204997d559
SHA1: c048f6f2885006768d026d10ace1a6db351ffc68
SHA256: 8df9b797d715806c7025589ba233f95d5a08e1c59317a7cebc29d2e009e6fef2
SHA512: 864ddafef42b002474b33f789bb51ccc7e3923de72c06e2894c7186282912172ded68b2689f37fe6100d7083244bb1599f6ea9129049accc59d6e3eeb8b7bed5
SSDEEP: 49152:yJwukbANGDkTjvh1/zxUOLlTlpSmJurwKTH9h:yef4p1rL8Bx
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
  Process: a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
  PID 1120: PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4564: a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe (2 hits)

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 4564: a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe (3 hits)

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                              procid_target
  PID 4564 wrote to memory of 2512   4564  a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe   99   (3 identical rows)
  PID 2512 wrote to memory of 1120   2512  cmd.exe                                              101  (3 identical rows)
Processes

C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe"
  PID: 4564
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27967.bat" "C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\""
    PID: 2512
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      PID: 1120
      - Runs ping.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
  PID: 1820
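The two behaviours the signatures pair with this process tree, the Geo\Nation registry lookup and the cmd.exe to PING.EXE chain, written as detection logic over constructed events. This is an added example and not part of the sandbox report: the event records are built from the PIDs, image paths, registry key and command lines in the tables above, the msedge record stands in for the unrelated sandbox process also listed under Processes, and the `max_seconds` threshold is an assumption. `ping 1.1.1.1 -n 1 -w 1000` is the usual batch-file idiom for a roughly one-second sleep (one echo request, 1000 ms reply timeout); the page does not show the contents of 27967.bat, so what the batch does after the delay is not known from this report. Note also that the image path is SysWOW64\cmd.exe although the command line names system32: the sample is 32-bit (tag arch:x86), so WoW64 file-system redirection maps system32 to SysWOW64.

```python
import re
from typing import Optional

# Constructed events modelled on the report: PIDs, image paths, the registry key
# and the command lines are copied from the process tree and signature tables;
# the msedge record stands in for the unrelated sandbox process also listed there.
EVENTS = [
    {"type": "registry", "pid": 4564,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 4564, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe"'},
    {"type": "process", "pid": 2512, "ppid": 4564,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27967.bat" "C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\""'},
    {"type": "process", "pid": 1120, "ppid": 2512,
     "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 1.1.1.1 -n 1 -w 1000"},
    {"type": "process", "pid": 1820, "ppid": 0,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'},
]

# HKCU\Control Panel\International\Geo\Nation holds the user's GeoID; a query
# from a freshly started sample is the geofence tell the signature describes.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# cmd.exe /c running a .bat that lives in the user's Temp directory
TEMP_BAT_RE = re.compile(r'/c\s+"*(?P<bat>[^"]*\\AppData\\Local\\Temp\\[^"]+\.bat)"', re.IGNORECASE)
# Windows ping switches that consume the following token (compared lower-cased)
PING_VALUE_SWITCHES = {"-n", "-w", "-l", "-i", "-v", "-r", "-s", "-j", "-k"}


def geofence_lookups(events) -> list:
    """PIDs that queried the Geo\\Nation value, sorted."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "registry" and GEO_NATION_RE.search(e["key"])})


def parse_ping(cmdline: str) -> Optional[dict]:
    """Return target, -n count and -w timeout (ms) for a ping command line,
    or None if the command line is not a ping invocation."""
    parts = cmdline.split()
    if not parts:
        return None
    exe = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("ping", "ping.exe"):
        return None
    info = {"target": None, "count": 4, "timeout_ms": 4000}  # Windows ping defaults
    tokens = iter(parts[1:])
    for tok in tokens:
        low = tok.lower()
        if low == "-n":
            info["count"] = int(next(tokens, info["count"]))
        elif low == "-w":
            info["timeout_ms"] = int(next(tokens, info["timeout_ms"]))
        elif low in PING_VALUE_SWITCHES:
            next(tokens, None)          # skip the switch's value
        elif low.startswith("-"):
            continue                    # valueless flag (-t, -a, -f, -4, -6, ...)
        elif info["target"] is None:
            info["target"] = tok
    return info


def ping_delay_chains(events, max_seconds: float = 10.0) -> list:
    """Find PING.EXE children of a cmd.exe that is running a .bat from Temp,
    where the ping arguments bound the delay to max_seconds (assumed threshold)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for proc in procs.values():
        info = parse_ping(proc.get("cmdline", ""))
        if info is None:
            continue
        parent = procs.get(proc.get("ppid"))
        if parent is None:
            continue
        match = TEMP_BAT_RE.search(parent.get("cmdline", ""))
        if not match:
            continue
        # approximate upper bound on the sleep: each of -n requests waits at most -w ms
        # (ignores the one-second gap ping inserts between requests)
        delay = info["count"] * info["timeout_ms"] / 1000
        if delay <= max_seconds:
            hits.append({"bat": match.group("bat"), "cmd_pid": parent["pid"],
                         "ping_pid": proc["pid"], "target": info["target"],
                         "max_delay_s": delay})
    return hits


if __name__ == "__main__":
    print("Geo\\Nation queried by PIDs:", geofence_lookups(EVENTS))
    for hit in ping_delay_chains(EVENTS):
        print("ping-as-delay chain:", hit)
```

The `Nation` value under HKCU\Control Panel\International\Geo is a decimal GeoID string (244 is United States). A sample that geofences reads it once at startup and exits or branches on the result, so the registry query itself is the useful early indicator: it fires even when the sandbox's locale (here en-us) does not trigger the branch, and it should be correlated with the process tree rather than alerted on alone, because the same value is read legitimately by localisation code.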
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\20FE9CA7CD6F4BA3BBEF8025E68A3B97_LogFile.txt
  Filesize: 2KB
  MD5: 8b228411d918d2c963ea216956fc98a4
  SHA1: d27a45e43ce771f419f2728a19cdf84bb39e0c26
  SHA256: 7cb571b83b173a714608c161bc7ad2ece07fcc884872755ca0fc744c6d55af80
  SHA512: 5f8a5d4cf207d785c279afa05b0ab9de761a1ac733b1cf0ae1c3bc4bfd92f00306f3409aa4a8547322fa02ad1bda34c592153eff90876ea65bc6c0e08c962df1

C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\20FE9CA7CD6F4BA3BBEF8025E68A3B97_LogFile.txt (second capture of the same path)
  Filesize: 10KB
  MD5: 078c3de8f40eab2f97da1fee31e90dc8
  SHA1: 10785834dfb8ea962764a9c1f672944392fbfff0
  SHA256: 43cedaadb016ba86a5ddfe5492859c1ad65d3c73fad13b2bfeeacf47053a5b02
  SHA512: bb12b6835ec2854837f86163610538516cf3774a6e98f0c85bc4c3db8b861300af8c31a452e841d5d458f9e9940302f1ad06c48f39465a893b93d85a299319fc

File (path not listed on the page)
  Filesize: 119KB
  MD5: 2327b6e86e16dd3ae8edd68e6296cb7d
  SHA1: 5f97fdc95ab75af67062cd4b54c24919aa1fd6b6
  SHA256: 6b417f61ac10752bd6736b069022e961e62837d6d8b8042da1ecfb21abc0a54b
  SHA512: 2faf20f8a71c2418f8223baaeda75cdfc2d0cc895177c0a85ad115f4fd2fa335803868b6eaca12c2798f6d075215a8715f83bcfafc19b887415ba67422ff924e

File (path not listed on the page)
  Filesize: 212B
  MD5: 668767f1e0c7ff2b3960447e259e9f00
  SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
  SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
  SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680