Analysis
- max time kernel: 93s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-07-2024 09:56
Behavioral tasks
- behavioral1: sample 3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe, resource win7-20240705-en
- behavioral2: sample 3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe, resource win10v2004-20240709-en (the results on this page are from this task)
General
- Target: 3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
- Size: 124KB
- MD5: 3ce6e5720ab4610bb462ce58fe76e57c
- SHA1: ce7ba66b8d45b70237a3068a2038b40234c1de30
- SHA256: fba0947126aa9510732433e1b123de6b2e83a6d8b58ad6a25c2b733e8bb9e3b4
- SHA512: b270ff0b2039e8b64b5f646d2a436e06d2cd7b14781c3fec6234c131548b2dd97911b26ecc4b7d5830722a319e15bbc8f3f9cf2f732b4723877df49bc9208a7b
- SSDEEP: 1536:8J7BjaqfcaIPaYcH8qJCDXL6+MoG7jM8XQQrHdA0WiCWROvN3rqUuznlCl:wjJIPaYccvQV735rHdAQVyNbMz4
Malware Config
Signatures
-
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation
  Process: 3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
  Note: Geo\Nation holds the user's Windows GeoID (the "country or region" setting). It is cheap for a sample to read and just as cheap for an analyst to change, so re-running the sample with a different value is the quickest way to confirm that the lookup gates behaviour.
- YARA rule match (rule: upx)
  Resource: behavioral2/memory/2680-0-0x0000000000400000-0x0000000000421000-memory.dmp
  Note: the match is on the memory dump of PID 2680 (the sample itself) mapped at 0x400000, 0x21000 bytes long. UPX is widely used on benign software as well, so the match justifies unpacking and inspecting the dump rather than a verdict on its own.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2680 wrote to memory of 5032 | 2680 | 3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe | 86
  PID 2680 wrote to memory of 5032 | 2680 | 3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe | 86
  PID 2680 wrote to memory of 5032 | 2680 | 3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe | 86
  Note: all three writes target PID 5032, the cmd.exe child that PID 2680 spawns (see the process tree). A parent writing into a child it has just created is common during ordinary process start-up, so this signature by itself does not establish code injection; the more telling indicator in this report is what that child was asked to run.
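The report does not show the body of its "upx" YARA rule, only that it matched the dump of the sample's image at 0x400000. The following is an added example, not code from the report or the sandbox, of the check such a rule typically encodes: parse the PE section table of the dump and look for UPX0/UPX1 section names or the "UPX!" marker. The build_pe helper constructs a minimal 32-bit PE header for offline testing; the section-name list and the "UPX!" marker are assumed criteria, not the report's rule.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
# Assumed criteria for "UPX-packed": section names UPX0/UPX1/UPX2 (with or without
# a leading dot) or the "UPX!" marker UPX writes into the header area.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1", ".UPX2"}


def _nt_headers_offset(buf):
    if len(buf) < 0x40 or buf[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    return e_lfanew


def pe_section_names(buf):
    """Return the section names from the section table of a PE image (file or mapped dump)."""
    coff = _nt_headers_offset(buf) + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", buf, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        raw = buf[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def image_base(buf):
    """ImageBase from the optional header (PE32 and PE32+)."""
    opt = _nt_headers_offset(buf) + 4 + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:
        return struct.unpack_from("<I", buf, opt + 28)[0]
    if magic == 0x20B:
        return struct.unpack_from("<Q", buf, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def looks_upx_packed(buf):
    """(packed?, matching section names, 'UPX!' marker present?)"""
    hits = [n for n in pe_section_names(buf) if n.upper() in UPX_SECTION_NAMES]
    marker = b"UPX!" in buf
    return bool(hits) or marker, hits, marker


def build_pe(section_names, extra=b""):
    """Constructed minimal 32-bit PE header (not a real sample) with the given section names."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: NT headers follow the DOS header
    opt_size = 0xE0                                     # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase, same base as the report's dump
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + sections + extra


if __name__ == "__main__":
    sample = build_pe(["UPX0", "UPX1", ".rsrc"])
    print(hex(image_base(sample)), looks_upx_packed(sample))
```

To use it on the real artefact, read the 2680-0-0x400000-0x421000 memory dump into bytes and pass it to looks_upx_packed; a mapped image keeps its headers at the start of the region, so the same parser applies.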
Processes
1. C:\Users\Admin\AppData\Local\Temp\3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe"
   PID: 2680
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2680)
      Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Gkz..bat" > nul 2> nul
      PID: 5032

Notes on the tree:
- The command line names C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe. That is WOW64 file-system redirection: a 32-bit parent asking for system32 gets SysWOW64, which is consistent with the sample being a 32-bit image mapped at 0x400000.
- /q turns command echo off and > nul 2> nul discards both stdout and stderr, so the batch file runs without visible output. Gkz..bat (the double dot is part of the name as logged) sits in the same %TEMP% directory as the sample; the report does not show its contents.
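The three behaviours this report records (a Geo\Nation registry read, a silent .bat launched from %TEMP%, and WriteProcessMemory from the sample into that child) are more useful together than apart. The following is an added example, not part of the report or the sandbox, of triage logic that correlates them over event records shaped like the report's own lines. The Process, RegQuery and MemWrite records and the rule names are this example's own; the sample data is constructed from the values shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Patterns for the behaviours visible in this report.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"]+\.bat\b', re.IGNORECASE)
NUL_REDIRECT = re.compile(r">\s*nul\b.*2>\s*nul\b", re.IGNORECASE)


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegQuery:
    pid: int
    key: str


@dataclass(frozen=True)
class MemWrite:
    pid: int
    target_pid: int


def triage(procs, regs, writes):
    """Return (rule, pid, detail) findings; rule names are this example's own."""
    by_pid = {p.pid: p for p in procs}
    findings = []

    # 1. Geofence check: a read of the user's GeoID.
    geofencers = set()
    for r in regs:
        if GEO_NATION.search(r.key):
            geofencers.add(r.pid)
            findings.append(("geofence_lookup", r.pid, r.key))

    # 2. cmd.exe /c running a .bat from %TEMP% with stdout and stderr discarded.
    hidden_batch_parents = set()
    for p in procs:
        cmd = p.cmdline
        if (p.image.lower().endswith("\\cmd.exe") and "/c" in cmd.lower()
                and TEMP_BAT.search(cmd) and NUL_REDIRECT.search(cmd)):
            findings.append(("hidden_temp_batch", p.pid, cmd))
            if p.ppid is not None:
                hidden_batch_parents.add(p.ppid)

    # 3. WriteProcessMemory: weak when the target is the writer's own child, strong otherwise.
    seen = set()
    for w in writes:
        if (w.pid, w.target_pid) in seen:      # the report repeats the same pair three times
            continue
        seen.add((w.pid, w.target_pid))
        target = by_pid.get(w.target_pid)
        if target is not None and target.ppid == w.pid:
            findings.append(("wpm_into_own_child", w.pid, "target %d is a direct child" % w.target_pid))
        else:
            findings.append(("wpm_into_unrelated_process", w.pid, "target %d" % w.target_pid))

    # 4. Correlation: the same process checked the region and then launched the silent batch.
    for pid in sorted(geofencers & hidden_batch_parents):
        findings.append(("geofence_then_hidden_batch", pid,
                         "queried Geo\\Nation and spawned a silent .bat from %TEMP%"))
    return findings


def rules_fired(findings):
    return {rule for rule, _pid, _detail in findings}


# Constructed from the values in this report.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\3ce6e5720ab4610bb462ce58fe76e57c_JaffaCakes118.exe"
REPORT_PROCS = [
    Process(2680, None, SAMPLE_EXE, '"%s"' % SAMPLE_EXE),
    Process(5032, 2680, r"C:\Windows\SysWOW64\cmd.exe",
            r'"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Gkz..bat" > nul 2> nul'),
]
REPORT_REGS = [RegQuery(2680, r"\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000"
                              r"\Control Panel\International\Geo\Nation")]
REPORT_WRITES = [MemWrite(2680, 5032)] * 3

if __name__ == "__main__":
    for rule, pid, detail in triage(REPORT_PROCS, REPORT_REGS, REPORT_WRITES):
        print(rule, pid, detail)
```

The WriteProcessMemory rule deliberately splits into two names so that the common parent-into-child case scores low while a write into an unrelated process, which this report does not show, would stand out.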
-
Network
All DNS traffic went to 8.8.8.8:53, one query and one response per exchange. "no records" means the response carried nothing in its answer section. The report does not attribute individual queries to a process, so only the forward lookups for the four domains below are clearly worth following up; the reverse (PTR) lookups are for addresses the sample never resolved and may come from other activity on the VM.

Query | Type | Answer | Sent | Received
clickbank.com | A | 35.237.37.107 | 59 B | 75 B
xinhuanet.com | A | CNAME xinhuanet.com.bsgslb.cn, CNAME zgovweb.v.bsgslb.cn, A 104.166.169.130, 104.166.169.132, 38.175.44.11, 38.175.44.12 | 59 B | 184 B
8.8.8.8.in-addr.arpa | PTR | dns.google | 66 B | 90 B
purelandfilms.in | A | no records | 62 B | 115 B
oomiaonline.in | A | no records | 60 B | 113 B
22.160.190.20.in-addr.arpa | PTR | no records | 72 B | 158 B
240.221.184.93.in-addr.arpa | PTR | no records | 73 B | 144 B
103.169.127.40.in-addr.arpa | PTR | no records | 73 B | 147 B
56.126.166.20.in-addr.arpa | PTR | no records | 72 B | 158 B
172.210.232.199.in-addr.arpa | PTR | no records | 74 B | 128 B
172.214.232.199.in-addr.arpa | PTR | no records | 74 B | 128 B
21.236.111.52.in-addr.arpa | PTR | no records | 72 B | 158 B
MITRE ATT&CK Enterprise v15
Downloads
One file (the report gives no path or name for it):
- Filesize: 238B
- MD5: b07d45a94b10c60177d9fc88bafa479b
- SHA1: 1eeace587721f3f17315b047175a99201ace54a3
- SHA256: 11aad2488bd3189af444300c5ad26a461e664d6ab32a6aed01f685590a9d1829
- SHA512: 5d085bfb07d62cefda319b736b80c1b3437dc6a6fdc4dd465e30155d92607609c75dd53a0cfa490d8b9c58bdbe54da6dcfadf37010bbfeb49e8c7de8770fb78f