Analysis
Max time kernel: 92s
Max time network: 96s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-07-2024 21:12
Static task: static1
Behavioral task: behavioral1
  Sample: 366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe
Size: 1.3MB
MD5: 366695391a81f369fbfc02db1b56ba8d
SHA1: 622e301f0fe40defa6f61e6da6b72f85268d91ac
SHA256: 24b367fbfb01268cd2d04020562ad7d86b381bd67c00661c1b0a608d0bf8f7f5
SHA512: e8a4c3adbb0f998cefde55a78a1fb059285fa557956c22f3ebab0f6945c1cca8e77b6622fac914db258d4c701b2cc9a0e99111951a8095500df8e1effe54b20f
SSDEEP: 24576:Q3nZqfbiADv6p7Zr6rt+UADi9fUC00zBfb53Q3pofcCeuHdlQ1lag/EdjFc:QSipFCtWTNG5g5okvuMIG
Malware Config
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: PHOTO.EXE, 366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe, 2.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | PHOTO.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 2.exe

Executes dropped EXE (3 IoCs)
Processes: 2.exe, CCLEANER.EXE, PHOTO.EXE
pid | process
944 | 2.exe
4352 | CCLEANER.EXE
2476 | PHOTO.EXE

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe | upx
behavioral2/memory/944-9-0x0000000000400000-0x00000000006D4000-memory.dmp | upx
behavioral2/memory/944-30-0x0000000000400000-0x00000000006D4000-memory.dmp | upx

Drops file in Windows directory (1 IoCs)
Processes: mspaint.exe
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
Processes: PHOTO.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | PHOTO.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: mspaint.exe
pid | process
3980 | mspaint.exe
3980 | mspaint.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: mspaint.exe
pid | process
3980 | mspaint.exe
3980 | mspaint.exe
3980 | mspaint.exe
3980 | mspaint.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: 366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe, 2.exe, CCLEANER.EXE, PHOTO.EXE
description | pid | process | target process
PID 4800 wrote to memory of 944 | 4800 | 366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe | 2.exe
PID 4800 wrote to memory of 944 | 4800 | 366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe | 2.exe
PID 4800 wrote to memory of 944 | 4800 | 366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe | 2.exe
PID 944 wrote to memory of 4352 | 944 | 2.exe | CCLEANER.EXE
PID 944 wrote to memory of 4352 | 944 | 2.exe | CCLEANER.EXE
PID 944 wrote to memory of 4352 | 944 | 2.exe | CCLEANER.EXE
PID 4352 wrote to memory of 3936 | 4352 | CCLEANER.EXE | pcaui.exe
PID 4352 wrote to memory of 3936 | 4352 | CCLEANER.EXE | pcaui.exe
PID 944 wrote to memory of 2476 | 944 | 2.exe | PHOTO.EXE
PID 944 wrote to memory of 2476 | 944 | 2.exe | PHOTO.EXE
PID 944 wrote to memory of 2476 | 944 | 2.exe | PHOTO.EXE
PID 2476 wrote to memory of 3980 | 2476 | PHOTO.EXE | mspaint.exe
PID 2476 wrote to memory of 3980 | 2476 | PHOTO.EXE | mspaint.exe
PID 2476 wrote to memory of 3980 | 2476 | PHOTO.EXE | mspaint.exe
Processes

C:\Users\Admin\AppData\Local\Temp\366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\366695391a81f369fbfc02db1b56ba8d_JaffaCakes118.exe"
  PID: 4800
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"
    PID: 944
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\CCLEANER.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\CCLEANER.EXE"
      PID: 4352
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\pcaui.exe
        Command line: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {22bfeed6-cb41-4fe3-9e7b-fab443ef9e19} -a "CCleaner" -v "Piriform Ltd" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 2021048 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\CCLEANER.EXE"
        PID: 3936

    C:\Users\Admin\AppData\Local\Temp\PHOTO.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\PHOTO.EXE"
      PID: 2476
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\mspaint.exe
        Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\photo.bmp"
        PID: 3980
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  PID: 4876
Network
MITRE ATT&CK Enterprise v15
Downloads