Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 12:10
Static task: static1
Behavioral task: behavioral1
Sample: 225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe
Size: 440KB
MD5: 225afa7e2a39abb395ab610a888f2bd5
SHA1: b148905c142b5071babdfe9cf8263cf7d9c8bc72
SHA256: 31bb10fc6a6daf6516f02d7f9ebdf24434575947a5e7ad85b7b16a972dbe0cc8
SHA512: ada2717430d88b95f281f1267e86d445730836132c44324418ded95a97e0a4cc1c795fa25ce2b6f305c4efdb998a911001e4df71188406253afbf318a9e5ff8b
SSDEEP: 6144:dZuuObR8sVImcyYAHVnuSmJgaDRvBv1sI4fVLdW3WJaz+2HNd62wiWrFuC6VHp:iV+mz5VY5Bv1sldIkBpiVPJp
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation  225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2116  MSN.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3716  2116        WerFault.exe  82

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2116  MSN.exe
  2116  MSN.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                             procid_target
  PID 2368 wrote to memory of 2116  2368  225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe  82
  PID 2368 wrote to memory of 2116  2368  225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe  82
  PID 2368 wrote to memory of 2116  2368  225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe  82
Processes

C:\Users\Admin\AppData\Local\Temp\225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe"
  PID: 2368
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\MSN.exe
      command line: "C:\MSN.exe"
      PID: 2116
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 516
          PID: 3716
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 2116
  PID: 1960
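The signature tables and the process tree above can be correlated mechanically, which is how an analyst would confirm that the three WriteProcessMemory rows, the dropped MSN.exe and the WerFault crash describe one chain of events. The script below is an added example written for this page; it is not part of the sandbox's own tooling or of the sample. Its inputs are the page's own rows copied into Python literals: parent PIDs are read from the indentation of the process tree, the sandbox's internal procid_target index (82) is ignored, and the field names, the "trusted path" heuristic and the Geo\Nation pattern are this script's own assumptions.

```python
"""Correlate flattened sandbox signature rows with the process tree.

Added example, not part of the sandbox report or its vendor's tooling.
All input rows are constructed by copying the page's own IoC lines into
Python literals; field names (pid, ppid, cmdline) are this script's own.
"""
import re
from collections import defaultdict

# Process list as (pid, parent pid, command line). Parent PIDs come from the
# indentation of the page's process tree; WerFault 1960 is a top-level entry.
PROCESSES = [
    (2368, None, r'"C:\Users\Admin\AppData\Local\Temp\225afa7e2a39abb395ab610a888f2bd5_JaffaCakes118.exe"'),
    (2116, 2368, r'"C:\MSN.exe"'),
    (3716, 2116, r'C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 516'),
    (1960, None, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 2116'),
]

# The three identical rows of the "Suspicious use of WriteProcessMemory" table.
WPM_ROWS = [
    "PID 2368 wrote to memory of 2116",
    "PID 2368 wrote to memory of 2116",
    "PID 2368 wrote to memory of 2116",
]

# The "Key value queried" IoC from "Checks computer location settings".
REG_QUERIES = [
    r"\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# The Windows GeoID of the configured location lives under Geo\Nation; a read
# of it before any payload runs is the usual locale-gating (geofence) check.
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def image_path(cmdline):
    """Extract the executable path from a command line (quoted or first token)."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else cmdline


def is_trusted_path(path):
    """Heuristic (assumption): only OS and Program Files images count as trusted."""
    p = path.lower()
    return p.startswith("c:\\windows\\") or p.startswith("c:\\program files")


def cross_process_writes(rows):
    """Deduplicate WriteProcessMemory rows into {(writer, target): call count}."""
    counts = defaultdict(int)
    for row in rows:
        m = WPM_RE.search(row)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def crashed_pids(procs):
    """PIDs that WerFault was launched for (its -p argument names the victim)."""
    out = set()
    for _, _, cmd in procs:
        if image_path(cmd).lower().endswith("\\werfault.exe"):
            m = re.search(r"-p (\d+)", cmd)
            if m:
                out.add(int(m.group(1)))
    return out


def triage(procs=PROCESSES, wpm_rows=WPM_ROWS, reg_queries=REG_QUERIES):
    """Return findings linking the locale check, the child write and the crash."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in procs}
    findings = []
    # 1. Locale gating: the sample read the configured country before doing anything else.
    if any(GEO_RE.search(q) for q in reg_queries):
        findings.append("geofence: sample reads HKCU\\Control Panel\\International\\Geo\\Nation")
    # 2. Parent writing into a child that runs from a non-trusted path: drop-then-write.
    #    The sandbox emits one row per call, so the count is how many writes happened.
    injections = []
    for (writer, target), n in cross_process_writes(wpm_rows).items():
        ppid, cmd = by_pid.get(target, (None, ""))
        path = image_path(cmd)
        if ppid == writer and not is_trusted_path(path):
            injections.append((writer, target, path, n))
            findings.append(f"injection: {writer} wrote {n}x into child {target} ({path})")
    # 3. Did the written-to child then crash? That is what "Program crash" on 2116 means.
    crashed = crashed_pids(procs)
    for _, target, path, _ in injections:
        if target in crashed:
            findings.append(f"crash: written-to child {target} ({path}) was handled by WerFault")
    return {"findings": findings, "injections": injections, "crashed": sorted(crashed)}


def render_tree(procs=PROCESSES):
    """Indented process tree, one line per process, for a quick visual check."""
    children = defaultdict(list)
    for pid, ppid, _ in procs:
        children[ppid].append(pid)
    by_pid = {pid: cmd for pid, _, cmd in procs}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"[{pid}] {by_pid[pid]}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in children[None]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree()))
    for finding in triage()["findings"]:
        print("-", finding)
```

Running the file prints the tree and three findings: the Geo\Nation read, three writes from 2368 into its own child 2116 (C:\MSN.exe, a dropped binary outside any OS directory), and WerFault handling 2116 afterwards. The caveat for this report is that the child crashed right after being written to, so MSN.exe never ran to completion in this sandbox; the empty Network section says nothing about what it would do on a host where it survives, or in a locale the Geo\Nation check accepts.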
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 283KB
MD5: ff808f958e34ec3736fd8af03b62f67a
SHA1: c7c3a477e6262701f3c95a167844f2e7fae80711
SHA256: 1bb759f0e2aee5670e5b8195736bab59f7d212bbaad745430f01c746b6b815e5
SHA512: dfe9adf4b34ee754b0c765e14445d74cba0396cd45c3fb05652ab91bc2a9e90a39480c31309b4be1752528f53a6dd74f7780a94183fe1abc3ecb4ae4d66f8ecc