Resubmissions
06-07-2024 06:07 240706-gvgcnazhrf 10
Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-07-2024 06:07
Static task: static1
Behavioral task: behavioral1
Sample: 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe
Size: 4.2MB
MD5: 277f441499c1fb9ddf4d462c3b443b9e
SHA1: 5cf5da3598e4cf139f6e6ffb9a4d32e49ac9321a
SHA256: 05263375ffe64e8586c78e8e435007bff1f2a42684d48378eee68c07ba54a80e
SHA512: 0ce74ab987eaf7371f79c22afcc16e319781ee7a7fcdcd995fff402788fbaa0e132df529db6e804549556f332ad8d8828e48b7ca8b27a7da22feadc21c09f871
SSDEEP: 98304:pKHcMsDndy6iiHrjZE2/mkCUGP18szyTJr:w8dDlNLjpmkC/18ouJr
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation
  Process: 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
  pid 3312  Process: install.exe
  pid 2756  Process: irsetup.exe
  pid 1368  Process: Jerm's.exe
Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine
  Process: Jerm's.exe
yara_rule themida
  resource: behavioral2/files/0x0008000000023487-17.dat
  resource: behavioral2/memory/1368-27-0x0000000000400000-0x00000000007BD000-memory.dmp
yara_rule upx
  resource: behavioral2/files/0x0007000000023489-20.dat
  resource: behavioral2/memory/2756-21-0x0000000000400000-0x0000000000527000-memory.dmp
  resource: behavioral2/memory/2756-34-0x0000000000400000-0x0000000000527000-memory.dmp
Drops file in Windows directory (1 IoCs)
  description: File opened for modification
  ioc: C:\Windows\Easy Rapidshare Points Setup Log.txt
  Process: irsetup.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2756  Process: irsetup.exe
  pid 2756  Process: irsetup.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2908 wrote to memory of 3312 | 2908 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 85
  PID 2908 wrote to memory of 3312 | 2908 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 85
  PID 2908 wrote to memory of 3312 | 2908 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 85
  PID 3312 wrote to memory of 2756 | 3312 | install.exe | 86
  PID 3312 wrote to memory of 2756 | 3312 | install.exe | 86
  PID 3312 wrote to memory of 2756 | 3312 | install.exe | 86
  PID 2908 wrote to memory of 1368 | 2908 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 87
  PID 2908 wrote to memory of 1368 | 2908 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 87
  PID 2908 wrote to memory of 1368 | 2908 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 2908
   2. C:\Users\Admin\AppData\Local\Temp\install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\install.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3312
      3. C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
         Command line: __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\install.exe"
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         PID: 2756
   2. C:\Users\Admin\AppData\Local\Temp\Jerm's.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Jerm's.exe"
      - Executes dropped EXE
      - Identifies Wine through registry keys
      PID: 1368
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.4MB
MD5: 84579454f55893badae4774a5ba1e3e5
SHA1: b06fc13d8d1cbd1ac6d8ffe06fbe08383424490c
SHA256: 28053322a4bf87685897135790d15d4f1dffb26055e70a949f8a66ae3e72dcf1
SHA512: 82fdadf376459fa6e9fabe322e76ea356ecdad00cf05a037ff703038285715ea0cf8439f30117c3d61fa7f6a04238b4e0c4f7497357b8c450b46d05899c88c16

Filesize: 440KB
MD5: 75ca7ff96bf5a316c3af2de6a412bd54
SHA1: 0a093950790ff0dddff6f5f29c6b02c10997e0c5
SHA256: d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1
SHA512: b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Filesize: 2.8MB
MD5: 21668854182822616124c714c5cb9c50
SHA1: 0316c84cc63015398d7e8bd970099f80e8a1be3b
SHA256: 2a9662c3c2af7916419a306d86b4b7fe82f87e3f770336c926cf40dfd5f088ef
SHA512: 7b540a1b18eb9b9561fda051b78976ddcee4885be46deee5eccfbdd460159bca18b99a14164af16110cd736ba16e116d10d25a2871a6aadd31e8ffd69f631c29