Analysis
max time kernel: 149s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 21:13
Static task: static1
Behavioral task: behavioral1
  Sample: 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
Size: 2.0MB
MD5: 366774662ccbe5b67de997b980c250f8
SHA1: 7602d334fe709c484d07011334a08801c70b4015
SHA256: c2a4cd5a5e655f16ead7aebff8ada0a1e67cff54d4a1be1d07816cbf3aba5563
SHA512: 6b2098208a6af2bdced31a7a143d753b3f31b65cace33e3533da2b1ea1c06197d22a697934d62329fa5b12eeb876979198305f70ce46d7d57fcc429962d87208
SSDEEP: 49152:hPmzRUWcCvItro4EfcOPzePmzRUWcCvItro4Efc1PzqPN:hPmzRT14szePmzRT14VzqPN
Malware Config
Signatures
Checks computer location settings (2 TTPs, 8 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | thuder.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | thuder.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | thuder.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | thuder.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | thuder.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | thuder.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | thuder.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
Executes dropped EXE (8 IoCs)
pid | process
1268 | thuder.exe
2172 | thuder.exe
4004 | thuder.exe
4968 | thuder.exe
244 | thuder.exe
2044 | thuder.exe
4424 | thuder.exe
4024 | thuder.exe
Drops file in Program Files directory (11 IoCs)
description | ioc | process
File created | C:\Program Files\IIJFYP\thuder.chm | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
File created | C:\Program Files\IIJFYP\thuder0.txt | thuder.exe
File created | C:\Program Files\IIJFYP\ipc | thuder.exe
File created | C:\Program Files\IIJFYP\ipc | thuder.exe
File created | C:\Program Files\IIJFYP\ipc | thuder.exe
File created | C:\Program Files\IIJFYP\ipc | thuder.exe
File created | C:\Program Files\IIJFYP\366774662ccbe5b67de997b980c250f8_JaffaCakes118.txt | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
File created | C:\Program Files\IIJFYP\thuder.exe | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
File created | C:\Program Files\IIJFYP\ipc | thuder.exe
File created | C:\Program Files\IIJFYP\ipc | thuder.exe
File created | C:\Program Files\IIJFYP\ipc | thuder.exe
Drops file in Windows directory (1 IoCs)
description | ioc | process
File created | \??\c:\windows\win32.btl | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (27 IoCs)
description | pid | process | target process
PID 4260 wrote to memory of 2792 | 4260 | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe | NOTEPAD.EXE
PID 4260 wrote to memory of 2792 | 4260 | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe | NOTEPAD.EXE
PID 4260 wrote to memory of 2792 | 4260 | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe | NOTEPAD.EXE
PID 4260 wrote to memory of 1268 | 4260 | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe | thuder.exe
PID 4260 wrote to memory of 1268 | 4260 | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe | thuder.exe
PID 4260 wrote to memory of 1268 | 4260 | 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe | thuder.exe
PID 1268 wrote to memory of 2172 | 1268 | thuder.exe | thuder.exe
PID 1268 wrote to memory of 2172 | 1268 | thuder.exe | thuder.exe
PID 1268 wrote to memory of 2172 | 1268 | thuder.exe | thuder.exe
PID 2172 wrote to memory of 4004 | 2172 | thuder.exe | thuder.exe
PID 2172 wrote to memory of 4004 | 2172 | thuder.exe | thuder.exe
PID 2172 wrote to memory of 4004 | 2172 | thuder.exe | thuder.exe
PID 4004 wrote to memory of 4968 | 4004 | thuder.exe | thuder.exe
PID 4004 wrote to memory of 4968 | 4004 | thuder.exe | thuder.exe
PID 4004 wrote to memory of 4968 | 4004 | thuder.exe | thuder.exe
PID 4968 wrote to memory of 244 | 4968 | thuder.exe | thuder.exe
PID 4968 wrote to memory of 244 | 4968 | thuder.exe | thuder.exe
PID 4968 wrote to memory of 244 | 4968 | thuder.exe | thuder.exe
PID 244 wrote to memory of 2044 | 244 | thuder.exe | thuder.exe
PID 244 wrote to memory of 2044 | 244 | thuder.exe | thuder.exe
PID 244 wrote to memory of 2044 | 244 | thuder.exe | thuder.exe
PID 2044 wrote to memory of 4424 | 2044 | thuder.exe | thuder.exe
PID 2044 wrote to memory of 4424 | 2044 | thuder.exe | thuder.exe
PID 2044 wrote to memory of 4424 | 2044 | thuder.exe | thuder.exe
PID 4424 wrote to memory of 4024 | 4424 | thuder.exe | thuder.exe
PID 4424 wrote to memory of 4024 | 4424 | thuder.exe | thuder.exe
PID 4424 wrote to memory of 4024 | 4424 | thuder.exe | thuder.exe
Processes
C:\Users\Admin\AppData\Local\Temp\366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe (level 1, PID 4260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\NOTEPAD.EXE (level 2, PID 2792)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\IIJFYP\366774662ccbe5b67de997b980c250f8_JaffaCakes118.txt
  C:\Program Files\IIJFYP\thuder.exe (level 2, PID 1268)
    Command line: "C:\Program Files\IIJFYP\thuder.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Program Files\IIJFYP\thuder.exe (level 3, PID 2172)
      Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      C:\Program Files\IIJFYP\thuder.exe (level 4, PID 4004)
        Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
        C:\Program Files\IIJFYP\thuder.exe (level 5, PID 4968)
          Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of WriteProcessMemory
          C:\Program Files\IIJFYP\thuder.exe (level 6, PID 244)
            Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory
            C:\Program Files\IIJFYP\thuder.exe (level 7, PID 2044)
              Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
              - Checks computer location settings
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious use of WriteProcessMemory
              C:\Program Files\IIJFYP\thuder.exe (level 8, PID 4424)
                Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
                - Checks computer location settings
                - Executes dropped EXE
                - Drops file in Program Files directory
                - Suspicious use of WriteProcessMemory
                C:\Program Files\IIJFYP\thuder.exe (level 9, PID 4024)
                  Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
                  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads