Analysis
max time kernel: 141s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 13/06/2024, 02:42
Static task: static1
Behavioral task: behavioral1
  Sample: a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
Size: 2.5MB
MD5: a3918e032ff926de0deec7701b87d759
SHA1: 6e45e8fbd7cfb5596d533025fb9f8869ce085af0
SHA256: bd933e5a31ed83d21cefeb9d6f40e9b480fb1d560ad01a32eef1aabeda2ba17b
SHA512: 031237c459f64f3896e7b9ac06cf66a1b9bca2b4162199cb925ea4a05ab8c28353c58fc5a8b2d449ef7cde8cd87ae4d5bf089efaf82724fbd32f724dc9e438cb
SSDEEP: 49152:GnsHyjtk2MYC5GDLHikkafWDcqzMeBKoQV0aFXnEQl:Gnsmtk2afkKNMLo67
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | Synaptics.exe

Executes dropped EXE (3 IoCs)
pid | Process
224 | ._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
2496 | Synaptics.exe
4672 | ._cache_Synaptics.exe

Loads dropped DLL (4 IoCs)
pid | Process
224 | ._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
4672 | ._cache_Synaptics.exe
224 | ._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
4672 | ._cache_Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1588 wrote to memory of 224 | 1588 | a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe | 83
PID 1588 wrote to memory of 224 | 1588 | a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe | 83
PID 1588 wrote to memory of 224 | 1588 | a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe | 83
PID 1588 wrote to memory of 2496 | 1588 | a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe | 85
PID 1588 wrote to memory of 2496 | 1588 | a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe | 85
PID 1588 wrote to memory of 2496 | 1588 | a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe | 85
PID 2496 wrote to memory of 4672 | 2496 | Synaptics.exe | 87
PID 2496 wrote to memory of 4672 | 2496 | Synaptics.exe | 87
PID 2496 wrote to memory of 4672 | 2496 | Synaptics.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1588
  C:\Users\Admin\AppData\Local\Temp\._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 224
  C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2496
    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 4672
Network
MITRE ATT&CK Enterprise v15
Downloads