Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-06-2024 07:31
Static task
static1
Behavioral task
behavioral1
Sample
040bded562ad5fc4416c9125cd1c5435_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
040bded562ad5fc4416c9125cd1c5435_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
040bded562ad5fc4416c9125cd1c5435_JaffaCakes118.exe
-
Size
29KB
-
MD5
040bded562ad5fc4416c9125cd1c5435
-
SHA1
ff3b56c3656e4913aaa21b92737f277f68409120
-
SHA256
4f6d62ea685160a59b9b88331ab90c3776266efd217db6188a4728f8f0824def
-
SHA512
2fc682f3939d9468cb41f7783fa8ca53548e19be7b2dd45c46ff5dfd3dfa6fb9b802fcc973fc3d5da3d797a54bbf4fa6264533db316ae8cd8bc76b1bd44cfbf7
-
SSDEEP
768:SFh7eVzWiadP5ps9EK1bBn+rGYOi44KIjUbcGG24:vVTwxaX46pbcGGp
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 040bded562ad5fc4416c9125cd1c5435_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2660 Server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2660 Server.exe 2660 Server.exe 2660 Server.exe 2660 Server.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2540 wrote to memory of 2660 2540 040bded562ad5fc4416c9125cd1c5435_JaffaCakes118.exe 82 PID 2540 wrote to memory of 2660 2540 040bded562ad5fc4416c9125cd1c5435_JaffaCakes118.exe 82 PID 2540 wrote to memory of 2660 2540 040bded562ad5fc4416c9125cd1c5435_JaffaCakes118.exe 82 PID 2660 wrote to memory of 3488 2660 Server.exe 56 PID 2660 wrote to memory of 3488 2660 Server.exe 56 PID 2660 wrote to memory of 3488 2660 Server.exe 56 PID 2660 wrote to memory of 3488 2660 Server.exe 56 PID 2660 wrote to memory of 3488 2660 Server.exe 56 PID 2660 wrote to memory of 3488 2660 Server.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3488
-
C:\Users\Admin\AppData\Local\Temp\040bded562ad5fc4416c9125cd1c5435_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\040bded562ad5fc4416c9125cd1c5435_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2660
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD5fad6cfef8ddfa6e8e1c5660bdb7a8d7b
SHA1028cdc873c14dea53ea23bdfee53e98f28ebb90e
SHA2568cd57a0bcc44363fa1cd42badd36f6235bb3bbcc40a1efb7e19382b81dc6c7b5
SHA5123014d4377c2bcbc0d850b6a655d0bee5bc2245f1e358debb0d923331204c8f3f565e11116a87ac545296cd09c8e65648623af81526582080ab5e4ccfdc5fe844