Analysis
- max time kernel: 144s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 01:49
Static task: static1
Behavioral task: behavioral1
- Sample: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe
- Size: 411KB
- MD5: a79df0b5df8c0b4a0185d28c0f16a910
- SHA1: bf1423309404fb3c9a58ee9f7c62f8da564e0a34
- SHA256: 88589ff9df936baabc4d0c837069c30507ca0dfe519fb296fe97073f11551810
- SHA512: 3fdbcf5fa8d669ae86138f5bd3eac1f17773f3b440a5e27a6d2f659de223bff5f549044b173d6780eb67cfeadd6233cd8203169264313fa3a545dbcfc2700bae
- SSDEEP: 12288:Y3nZMhJ+ubNJWn8qa/NxK4kbnOmcNirl7:Y3nZqfbvWnA/Rc7zV
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe, WScript.exe, file.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation (process: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation (process: file.exe)
Executes dropped EXE (3 IoCs)
Processes: file.exe, jj2o5.exe, jj2o5.exe
- PID 436: file.exe
- PID 4936: jj2o5.exe
- PID 4944: jj2o5.exe
Processes (memory dumps matched by YARA rule "upx"):
- behavioral2/memory/4840-21-0x0000000000400000-0x0000000000424000-memory.dmp: upx
- behavioral2/memory/4840-22-0x0000000000400000-0x0000000000424000-memory.dmp: upx
- behavioral2/memory/4840-23-0x0000000000400000-0x0000000000424000-memory.dmp: upx
- behavioral2/memory/4840-24-0x0000000000400000-0x0000000000424000-memory.dmp: upx
- behavioral2/memory/4944-30-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- behavioral2/memory/4840-32-0x0000000000400000-0x0000000000424000-memory.dmp: upx
- behavioral2/memory/4944-34-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- behavioral2/memory/4944-35-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- behavioral2/memory/4944-36-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- behavioral2/memory/4944-37-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- behavioral2/memory/4944-38-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- behavioral2/memory/4944-41-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- behavioral2/memory/4944-42-0x0000000000400000-0x0000000000473000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: jj2o5.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AudioD = "C:\\Users\\Admin\\AppData\\Roaming\\5bj1o\\jj2o5.exe" (process: jj2o5.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes: jj2o5.exe, csc.exe
- PID 4936 (jj2o5.exe) set thread context of PID 4840 (csc.exe)
- PID 4840 (csc.exe) set thread context of PID 4944 (jj2o5.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoC)
Processes: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe
- Key created: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings (process: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: csc.exe
- PID 4840: csc.exe
- PID 4840: csc.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: jj2o5.exe
- PID 4944: jj2o5.exe
Suspicious use of WriteProcessMemory (22 IoCs)
Processes: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe, WScript.exe, file.exe, jj2o5.exe, csc.exe
- PID 3140 (a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe) wrote to memory of PID 4208 (WScript.exe): 3 events
- PID 4208 (WScript.exe) wrote to memory of PID 436 (file.exe): 3 events
- PID 436 (file.exe) wrote to memory of PID 4936 (jj2o5.exe): 3 events
- PID 4936 (jj2o5.exe) wrote to memory of PID 4840 (csc.exe): 8 events
- PID 4840 (csc.exe) wrote to memory of PID 4944 (jj2o5.exe): 5 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 3140
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\5bj1o\21mso.vbs" s9n8atdb726m22yu9djgd2dq94aibruejymwcr3duz8cv2yuvzaf0yvvtonhmqko7tsf
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 4208
      3. C:\Users\Admin\5bj1o\file.exe
         Command line: "C:\Users\Admin\5bj1o\file.exe" -p1234
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 436
         4. C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe
            Command line: "C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe" s9n8atdb726m22yu9djgd2dq94aibruejymwcr3duz8cv2yuvzaf0yvvtonhmqko7tsf
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 4936
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
               Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory
               PID: 4840
               6. C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe"
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Suspicious use of SetWindowsHookEx
                  PID: 4944
Network
MITRE ATT&CK Enterprise v15
Downloads