Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/07/2024, 03:04
Static task
static1
Behavioral task
behavioral1
Sample
47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
Target: 47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
Size: 493KB
MD5: 47f13cf60a4f1d02784afc85702bedba
SHA1: 9a462b0f2e888645e4bde83391da0eb333db34e0
SHA256: a1eef8a5a7b1640d2f161a67563766b6dd899f1ada93426c1fc1e2e599323f18
SHA512: d26cccbc1fa16fb54b323f8e560f31cf707d1bc4104fa9f3485e2b854a5ced5d9045a706aef082f2ca2227960306940f4aaf623d628129e72f7c5cbf7d0cb914
SSDEEP: 6144:/sShZWyrW/gR4nsnDYdCzxyn1Nmrf2mzq46uyIuKmL03yNH6AYdzlRx1edQRX6YL:/anskwzYn1YTHpIzKmgih65udQhQ0kc
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation
Process: 47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe

description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation
Process: sizengb5.vi0.exe
Executes dropped EXE (2 IoCs)
pid 4460: sizengb5.vi0.exe
pid 2156: winlog.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlog.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlog.exe"
Process: winlog.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Process: sizengb5.vi0.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4996 wrote to memory of 4460 | 4996 | 47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe | 88
PID 4996 wrote to memory of 4460 | 4996 | 47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe | 88
PID 4996 wrote to memory of 4460 | 4996 | 47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe | 88
PID 4460 wrote to memory of 2156 | 4460 | sizengb5.vi0.exe | 89
PID 4460 wrote to memory of 2156 | 4460 | sizengb5.vi0.exe | 89
PID 4460 wrote to memory of 2156 | 4460 | sizengb5.vi0.exe | 89
Processes
1. C:\Users\Admin\AppData\Local\Temp\47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 4996
   2. C:\Users\Admin\AppData\Local\Temp\sizengb5.vi0.exe (child of PID 4996)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sizengb5.vi0.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 4460
      3. C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe (child of PID 4460)
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         PID: 2156
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 141KB
MD5: a142e11261041cbb97bf9a6848423ee4
SHA1: f932c93eaeed6d104af232e99442ead254fa4352
SHA256: 54231a7fd587a624c08166605b733fed6e4d1a9861e599fba6619bb6583103b6
SHA512: 06ad01c2696aef16dcb7effd4df1bd72c7610845464ca7eec93f1b8de86a0a84d299d4fd0ff709142e98680770450d2b0f1e22c574a6014a608c1b5e4879e1df