Analysis
max time kernel: 140s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 13:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe
Size: 820KB
MD5: 0666dc953174e2532fc7e2c6a619ed29
SHA1: 64570ae1f41a4c8792f31718194c06eeda3af0d1
SHA256: c4b744bc109c8d0330442c880cbbd78f4845a3bb72e3f1bf377331230d47ff85
SHA512: 82d0ebf649597978c197b83651d2eea7210f435724d4a12066052d9117bd40af21645b9f95a5b3cf081fff2b399caeda903e1ab0781c4129a9cfe9b6a1a4ba2c
SSDEEP: 24576:UcnflP/yxRdg1n7MP+h202fVmEUaFdt/6nu4ucDdw3xbkE:XlP/yt6o+2M7MtCuadw3iE
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation (process: 0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe)
Executes dropped EXE (2 IoCs)
  PID 4200: Master Of The Voice1.7.exe
  PID 3712: loader.exe
Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\Outlook Express\SYSTEM.EXE (process: loader.exe)
  File opened for modification: C:\Program Files\Outlook Express\SYSTEM.EXE (process: loader.exe)
Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\Mole.Mol (process: loader.exe)
  File created: C:\Windows\Mole.dll (process: loader.exe)
  File created: C:\Windows\Mole.Mol (process: loader.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (3 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.key (process: Master Of The Voice1.7.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ (process: Master Of The Voice1.7.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" (process: Master Of The Voice1.7.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4200: Master Of The Voice1.7.exe
  PID 4200: Master Of The Voice1.7.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2976 wrote to memory of 4200 (process: 0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe, procid_target: 82)
  PID 2976 wrote to memory of 4200 (process: 0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe, procid_target: 82)
  PID 2976 wrote to memory of 4200 (process: 0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe, procid_target: 82)
  PID 2976 wrote to memory of 3712 (process: 0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe, procid_target: 83)
  PID 2976 wrote to memory of 3712 (process: 0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe, procid_target: 83)
  PID 2976 wrote to memory of 3712 (process: 0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe, procid_target: 83)
  PID 3712 wrote to memory of 4648 (process: loader.exe, procid_target: 87)
  PID 3712 wrote to memory of 4648 (process: loader.exe, procid_target: 87)
  PID 3712 wrote to memory of 4648 (process: loader.exe, procid_target: 87)
Processes
C:\Users\Admin\AppData\Local\Temp\0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe"
  PID: 2976
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Master Of The Voice1.7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Master Of The Voice1.7.exe"
    PID: 4200
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    PID: 3712
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Deleteme.bat
      PID: 4648
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 132B
MD5: 86b553fba6309de0e4ad6dd0b6b7361d
SHA1: 4a26abf7ab216bed7ebbe5b6562a88b19f3e73b7
SHA256: 39c3919c39670fda6ddfefa7323260e1609339aacc97fe51b1578b5ea7148e75
SHA512: ec1310a515b591157ec152e23f93dd591419d74df5655e49a26346102664c3ff17efa8eeb617d311bb29dd76c4c5972f4f0d74e7b33ef90f23959dcf48ea99ab

Filesize: 375KB
MD5: de5b0dd3a16c1ec9cf307f13525b6657
SHA1: 5be01b92fa813f51306e08d472b42e8c62c3637c
SHA256: 69ba7530c540c915a71c444af52104351f00aaddd779d95891f2dacc0f30a3a8
SHA512: f6498838cf97f77fb180964e8a26221dbf96df68415053a2a3edc550db94f01bdae37f9e6e368be3ee423184984b585d8fb8eb90a2d547185a1fc269264b11ac

Filesize: 350KB
MD5: 5564293354d9d684d6a2bfbc9be54e5b
SHA1: 72b56c9ec3ac1c7c9011f7d02bf9c5a7517f3b19
SHA256: c9291e111b15370a6546ce5e0848018b4ce15a1a277197e3b5a73389508f06cd
SHA512: f5cd649482ff56babe138350efbc31b18e7270fb32ee286eb9bf60d3025099ad059dbfb85347a6a60fc87eb07339605e53e5c93af1784baa5f4c4617cd9aeb2c