Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system -
submitted
01-07-2024 09:06
Behavioral task
behavioral1
Sample
1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe
-
Size
782KB
-
MD5
1ab50a64b28eb24c4ba25cce1e4a10b3
-
SHA1
97e6fc6e2d7a39c54b07ccb2b7398d73ba287eba
-
SHA256
2f61675e9ea414fbad8c9f174b0318acc0e968d31cfdbc8f69443ec234a9c495
-
SHA512
00702a4917dc61c3c9882b88380462326a6abf571081d52bf3ae0679e2adaed84d2906dc63507e87485360f001406fc692da3391851d2c4371b4020877865a49
-
SSDEEP
12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c10:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8F
Malware Config
Extracted
Family
urelas
C2
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence. The Geo\Nation value under the user's Control Panel\International key holds the configured GeoID, which a dropper can compare against a target-country list before continuing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | ruifw.exe
-
Executes dropped EXE (2 IoCs)
pid | Process
2676 | ruifw.exe
1880 | enenh.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1880 | enenh.exe (all 64 IoCs come from this single process)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: 33 | 1880 | enenh.exe
Token: SeIncBasePriorityPrivilege | 1880 | enenh.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Each parent-to-child write below is listed three times in the raw report; the three distinct relationships are shown once with their count.
description | pid | Process | procid_target | count
PID 3876 wrote to memory of 2676 | 3876 | 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe | 86 | 3
PID 3876 wrote to memory of 2548 | 3876 | 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe | 87 | 3
PID 2676 wrote to memory of 1880 | 2676 | ruifw.exe | 100 | 3
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe (PID 3876, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ruifw.exe (PID 2676, depth 2, spawned by 3876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ruifw.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\enenh.exe (PID 1880, depth 3, spawned by 2676)
    Command line: "C:\Users\Admin\AppData\Local\Temp\enenh.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2548, depth 2, spawned by 3876)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  The command line asks for system32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the 32-bit parent (resource tag arch:x86 on an x64 guest) is subject to WOW64 file-system redirection, so the batch file is executed by the 32-bit cmd.exe.
-
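The process tree above is what the "Suspicious use of WriteProcessMemory" rows encode: each parent writes into the child it has just created. The following is an added example, written for this page and not part of Triage's output or the sample, that parses those rows (copied from the report, including the triplicated entries), rebuilds the tree, and annotates each process with the checks a responder would apply: execution from the user's %TEMP%, a batch file launched from %TEMP%, and the SysWOW64/system32 mismatch that marks a 32-bit parent. The image paths and command lines are the ones listed in the Processes section; the flag wording and the regular expressions are this example's own.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" signature of this
# report. The raw report lists each parent-to-child write three times;
# parse_writes() collapses the duplicates and keeps the count.
WRITE_ROWS = [
    "PID 3876 wrote to memory of 2676 3876 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 86",
    "PID 3876 wrote to memory of 2676 3876 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 86",
    "PID 3876 wrote to memory of 2676 3876 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 86",
    "PID 3876 wrote to memory of 2548 3876 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 87",
    "PID 3876 wrote to memory of 2548 3876 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 87",
    "PID 3876 wrote to memory of 2548 3876 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 87",
    "PID 2676 wrote to memory of 1880 2676 ruifw.exe 100",
    "PID 2676 wrote to memory of 1880 2676 ruifw.exe 100",
    "PID 2676 wrote to memory of 1880 2676 ruifw.exe 100",
]

# Image paths and command lines from the "Processes" section of this report.
IMAGES = {
    3876: r"C:\Users\Admin\AppData\Local\Temp\1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe",
    2676: r"C:\Users\Admin\AppData\Local\Temp\ruifw.exe",
    1880: r"C:\Users\Admin\AppData\Local\Temp\enenh.exe",
    2548: r"C:\Windows\SysWOW64\cmd.exe",
}
CMDLINES = {
    2548: r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "',
}

# Row layout: "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
# Any user's local Temp directory (the report's user is "Admin").
TEMP_RE = re.compile(r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def parse_writes(rows):
    """Collapse duplicate rows into {(src_pid, dst_pid, src_image, procid_target): count}."""
    counts = defaultdict(int)
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst, image, target = m.groups()
        counts[(int(src), int(dst), image, int(target))] += 1
    return dict(counts)


def build_tree(writes):
    """Parent -> ordered children; a write into a fresh PID is taken as a spawn."""
    children = defaultdict(list)
    for src, dst, _, _ in writes:
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children)


def roots(tree):
    """PIDs that were never written to, i.e. the submitted sample itself."""
    spawned = {c for kids in tree.values() for c in kids}
    return [p for p in tree if p not in spawned]


def flags(pid):
    """Reasons a responder would escalate this process."""
    out = []
    image = IMAGES[pid]
    cmd = CMDLINES.get(pid, "")
    if TEMP_RE.match(image):
        out.append("image executes from user %TEMP%")
    if re.search(r"\.bat\b", cmd, re.I) and TEMP_RE.search(cmd):
        out.append("runs a batch script from user %TEMP%")
    # A 32-bit process that asks for system32\cmd.exe is redirected to SysWOW64
    # by WOW64 file-system redirection; the path mismatch is the tell-tale.
    if "\\syswow64\\" in image.lower() and "\\system32\\" in cmd.lower():
        out.append("32-bit process (WOW64 file-system redirection)")
    return out


def render(tree, pid, depth=0):
    """Indented tree, one line per process, with its flags appended."""
    name = IMAGES[pid].rsplit("\\", 1)[-1]
    line = f"{'  ' * depth}{pid} {name}"
    fl = flags(pid)
    if fl:
        line += "  [" + "; ".join(fl) + "]"
    lines = [line]
    for child in tree.get(pid, []):
        lines.extend(render(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(parse_writes(WRITE_ROWS))
    for root in roots(tree):
        print("\n".join(render(tree, root)))
```

The tree falls out of the write order alone: 3876 spawns 2676 and 2548, and 2676 spawns 1880, matching the depth markers in the Processes section. Treating the first write into a new PID as a spawn is a heuristic that holds for CreateProcess-style parent writes; a process that injects into an unrelated running PID would also appear as a "child" here, which is exactly the case worth seeing.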
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
304B
MD5
0bafbfab87bed5a68670dccfce80ec2a
SHA1
59941ca8fb894dab95292ae3068e393228101c5c
SHA256
0a7200da2766b3ed8bb8b1a34a3750f8fead7b4ef4cc335a8c41ba8eee51de21
SHA512
b605df17f2d30b7d807c6e0fbcbcc23d6681277e566aa776f6b47b118967ce7094de7e1684a96db35c7929d4d5028aae4697ef3fa1f9d46bac360a185dfa8a35
-
Filesize
156KB
MD5
700c1bf7323086517042e1bd399735bc
SHA1
9359d877f5491e5bad533813b2fc7bb27c69c4c2
SHA256
c3a4a53898de8778627abbef3c0f53ce773aa4f23f589db3e9bb04dbf4adbfd6
SHA512
3bbf7ad8377b6005fafbc5013ad9a69d91346f821ea18125904555a672a4966e1efefdff71112f8b623046685dc00ab30ff34dab48dcc051e0f7b83082f16a85
-
Filesize
512B
MD5
3909f8cbee226433e7a430d0e671fe11
SHA1
9394c08b04202ae410e31d0773a42bd86f655471
SHA256
c8ec038345b065a9e59e00c02e106cab52fcc37da89e338753ed2232f62dba2d
SHA512
128b0d9553a1a38ddabbb5390f50e8a2a13b3e45ace056bcab70e6c098119af7d851c2a4723c6509bd22db91468cfa805b8d7d5dc43bc373b28155ceda84252f
-
Filesize
782KB (same size as the submitted sample, but different hashes)
MD5
4d71d2d452d3740c5cb715e871cabe5a
SHA1
dcb0728c44f36809010b16e7abf1a720da7ab5be
SHA256
78161e577d76aa4253ff4323c844da11497daa302a9ec0789f87e56d9206876d
SHA512
d71cc39bde6ba8f2ef40a47b40f32984bd54d67bb4047e20ba51cf6ea5d2682f3d4f3721d54a42a6dec2ae307522e72122d8700e1c3f7094620290dd08cd735a
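What a defender actually takes from this report is the indicator set: the four C2 addresses in Malware Config, the SHA-256 of the sample and of the files listed under Downloads, and the dropped file names from the process tree. The block below is an added example, not Triage's code and not part of the sample, that loads exactly those indicators from the report and sweeps them across a handful of constructed EDR/firewall events in a key=value format (the field names ts, host, type, pid, image, path, dst, dport and sha256 are this example's own assumption, not a real product's schema). It also checks that every C2 address is a public IP before it is treated as blockable, a sanity step worth keeping because extracted configs occasionally contain private or bogus addresses.

```python
import ipaddress
import re

# Indicators copied from this report.
C2_ADDRS = {"1.234.83.146", "133.242.129.155", "218.54.31.226", "218.54.31.165"}
KNOWN_SHA256 = {
    "2f61675e9ea414fbad8c9f174b0318acc0e968d31cfdbc8f69443ec234a9c495": "submitted sample",
    "0a7200da2766b3ed8bb8b1a34a3750f8fead7b4ef4cc335a8c41ba8eee51de21": "dropped file (304B)",
    "c3a4a53898de8778627abbef3c0f53ce773aa4f23f589db3e9bb04dbf4adbfd6": "dropped file (156KB)",
    "c8ec038345b065a9e59e00c02e106cab52fcc37da89e338753ed2232f62dba2d": "dropped file (512B)",
    "78161e577d76aa4253ff4323c844da11497daa302a9ec0789f87e56d9206876d": "dropped file (782KB)",
}
DROPPED_NAMES = {"ruifw.exe", "enenh.exe", "_uinsey.bat"}

# Constructed telemetry for this example (not from the report). Field names are
# assumptions; only the first, third and fourth lines should produce hits.
SAMPLE_LOGS = [
    r'ts=2024-07-01T09:07:12Z host=WS01 type=netconn pid=1880 image="C:\Users\Admin\AppData\Local\Temp\enenh.exe" dst=218.54.31.226 dport=80',
    r'ts=2024-07-01T09:07:40Z host=WS01 type=netconn pid=4012 image="C:\Program Files\Mozilla Firefox\firefox.exe" dst=93.184.216.34 dport=443',
    r'ts=2024-07-01T09:05:58Z host=WS01 type=filecreate pid=4012 image="C:\Program Files\Mozilla Firefox\firefox.exe" path="C:\Users\Admin\Downloads\invoice.exe" sha256=2F61675E9EA414FBAD8C9F174B0318ACC0E968D31CFDBC8F69443EC234A9C495',
    r'ts=2024-07-01T09:06:30Z host=WS01 type=filecreate pid=3876 image="C:\Users\Admin\Downloads\invoice.exe" path="C:\Users\Admin\AppData\Local\Temp\_uinsey.bat"',
    r'ts=2024-07-01T09:08:02Z host=WS01 type=netconn pid=1204 image="C:\Windows\System32\svchost.exe" dst=10.0.0.5 dport=445',
]

# key=value pairs; values may be double-quoted to allow spaces in paths.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def blockable_c2():
    """C2 addresses that are valid, public IPs and therefore safe to blocklist."""
    ok = set()
    for addr in C2_ADDRS:
        ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
        if ip.is_global:  # excludes private, loopback, link-local and reserved ranges
            ok.add(addr)
    return ok


def match_event(ev, c2=None):
    """Return [(indicator_type, detail), ...] for one parsed event."""
    c2 = C2_ADDRS if c2 is None else c2
    hits = []
    if ev.get("dst") in c2:
        hits.append(("c2_ip", ev["dst"]))
    digest = ev.get("sha256", "").lower()  # hashes in logs are often upper-case
    if digest in KNOWN_SHA256:
        hits.append(("sha256", KNOWN_SHA256[digest]))
    for field in ("image", "path"):
        name = ev.get(field, "").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_NAMES:
            hits.append(("dropped_name", name))
    return hits


def scan(lines):
    """Map line index -> hits for every line that matched at least one indicator."""
    c2 = blockable_c2()
    out = {}
    for i, line in enumerate(lines):
        hits = match_event(parse_event(line), c2)
        if hits:
            out[i] = hits
    return out


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
```

The file-name match is the weakest of the three indicators (ruifw.exe and enenh.exe are just the names this run produced) and is useful mainly to confirm a hash or C2 hit on the same host; the SHA-256 match is exact, and the C2 match is the one to feed into network blocking once blockable_c2() has confirmed the addresses are public.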