Analysis
max time kernel: 141s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/06/2024, 00:37
Static task: static1
Behavioral task: behavioral1
  Sample: 05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe
Size: 436KB
MD5: 05b32f60f010cfbb382be1e0cfe76902
SHA1: 45b5c2c71ddd2b525151c4b105baa8429e6d3b73
SHA256: cd8c01a3ba706d486f66da5bf7a9372328547d0800d76bebb0effbe79fd6b0c6
SHA512: 8fb301d6bba8b83eec458c565732f1511c323cd985d495c85a44fef051c5716c2cba52eddfb923b60ffad2f2b55b4db045b89d62bc6cab15193aff0e2aeb7851
SSDEEP: 3072:21bNhC7NXnSxEBo3GGtPFoncW4DkM4BG1KR1S8i+nwUqeq19MTSkUZ3TAusxT0b1:21qhaGGJTkM4BS94SFaut18XbpH
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation (process: 05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe)

Executes dropped EXE (1 IoC)
  PID 4112: QmlNu.exe.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: QmlNu.exe.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: QmlNu.exe.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4112: QmlNu.exe.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4284 wrote to memory of 4112 (process: 05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe, target procid: 83)
  PID 4284 wrote to memory of 4112 (process: 05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe, target procid: 83)
  PID 4284 wrote to memory of 4112 (process: 05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe, target procid: 83)
Processes
1. C:\Users\Admin\AppData\Local\Temp\05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\05b32f60f010cfbb382be1e0cfe76902_JaffaCakes118.exe"
   PID: 4284
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\QmlNu.exe.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\QmlNu.exe.exe"
      PID: 4112
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 156KB
MD5: 576d8b51266fc80d4468dd04665014b7
SHA1: 6f71248422091b6d9eb3077483f239cf23c197e8
SHA256: 17163d436c79b67d8ee6de61c474537ec1a9a991690303d5af2c4ff669f3dbe9
SHA512: 90effcf85a26effee9a30997b5da9889b4cefd143bdb607a3070ffe5635ecb88b83462921d6687ed478a3f55dffc10a2b55f8053ace18c8b3d90686d78ec6b10