Analysis
- max time kernel: 141s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/06/2024, 23:48
Static task: static1
Behavioral task: behavioral1
  Sample: 014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe
- Size: 18.0MB
- MD5: 014267c35a941fe3f50b67f7cd44edb6
- SHA1: 04e94bbee3d2fee9ec4daa1971a71a210c5b58fe
- SHA256: 2edb727db62b8614c818795e7e4fe6172bc8cfd0461aa2c5c3f4c92700807cb7
- SHA512: 46aabe69f95774ee084bf770528c13f84597533dd4a03b4b3a2122e5566ade539a213b6e153199d2181ac76c2b8a55cb055799c5deed028ed796bbcea8cfab83
- SSDEEP: 393216:aeEtzp1bpgQp2DngoAB9eD0ldEM3WzM5TidGE/6m2QoCOJ25:aeEt11CQpyPAbXHj3WA5OdGE/6VQoCwy
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
  Process: 014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid: 5008
  Process: LimUpdate.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 3940 wrote to memory of 5008 | pid: 3940 | Process: 014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe | procid_target: 92 (this entry appears three times)
  description: PID 5008 wrote to memory of 3572 | pid: 5008 | Process: LimUpdate.exe | procid_target: 95 (this entry appears three times)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe"
  PID: 3940
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\limpopograss\temp\LimUpdate.exe
    Command line: "C:\limpopograss\temp\LimUpdate.exe"
    PID: 5008
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EC15.tmp\LimUpdate.bat""
      PID: 3572
- [depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8
  PID: 1272
Network
MITRE ATT&CK Enterprise v15
Downloads
- Download 1
  Filesize: 1KB
  MD5: b4ef42402828909c0818a117e9511bfe
  SHA1: 41cbdd671b701f85f75e6ac0a862e20102617489
  SHA256: 68f5149616ed2f648139cd104f5b3ceddf5be6774496141c9b67a9eadf81ef6b
  SHA512: 99c3efdfdbbe0a915a657a3cfb1d130be5f9cae82358b087d41b00bdca73f5090ccd66e631d3ad4bd145c316e7ee9919ee7b8fbf80c35d30f6093c966b33289d
- Download 2
  Filesize: 25KB
  MD5: a20d9350f0eddf5ccdbc3cc408f96d9b
  SHA1: 2a05c8c9398885c947b5c4dd0dbe2fe5b1fccf5a
  SHA256: 4c055e4fa5c324cd35cc180adbbf33b4ccbdaf106250a25a7244099c9822ca7c
  SHA512: d989d3cac2932e272dd948010e5db90c1887e6da5ba859a741b9f65c8da5f351fac2aae7e995f1049beec3a687a7649c6f4a1796f54219543b2d32413fda7233
- Download 3
  Filesize: 14KB
  MD5: 2e6038c0ec51bf9624ef0fcfa0099dae
  SHA1: aafbb5d3c72947476f87b77db02422982e9f5265
  SHA256: 1b9bcd405fc22ef5bcc0bb965403e629016f992320585be8b77766a025825ae5
  SHA512: d00335845035db2fca9d4d179dffc069152cab9dc5a1104e71aad06883d486c55c2748e6985960ec73207159f97001b6635926a499d1a58e1ff871b1b56ded9d