Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/07/2024, 05:17
Static task: static1
Behavioral task behavioral1: sample 4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe, resource win7-20240705-en
Behavioral task behavioral2: sample 4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe, resource win10v2004-20240709-en (the platform and resource in the Analysis header match this task, so the signatures and process tree below are its results)
General

Target: 4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
Size: 68KB
MD5: 4cf07f0e00efc17fd43c685f2658c768
SHA1: 87403314fa15b5b7c779d2b0131df6fb2958c994
SHA256: 42984c7cc0d29d8f1c40aac517463c991f4b90e1cb196c822a57d492dc0f3665
SHA512: bdbb08a6442defcd15442b69e15d505defffd06743c5d7e6da868fb12e4acc35953a7fa7e14fc5aca4e6536e6495f91887e9744d19a2b4026512fc18ef3db395
SSDEEP: 768:6y/Asc3Q8Y97tPgADzMgNVcBE7KN0rWGdv/qhjOK0oUW8AOktxd1IdGvnS93k/:UA8utPg0VcBEKN4WKKQK0opdOkLdiW
Malware Config
No entries in this report.

Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
    Key value queried: \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation
    Process: 4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
    PID 1944  iexplore.exe
    PID 3332  iexplore.exe

Drops file in System32 directory (2 IoCs)
    File created: C:\Windows\SysWOW64\iexplore.exe  (by 4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe)
    File opened for modification: C:\Windows\SysWOW64\iexplore.exe  (by 4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe)
    Note: Internet Explorer's iexplore.exe is not installed under SysWOW64, so a file created at this path is the sample's own artefact, not a system binary. The Downloads section lists a 68KB file whose hashes are identical to the submitted sample.

Suspicious use of SetThreadContext (2 IoCs)
    PID 1464 (4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe) set thread context of PID 2084 (procid_target 85)
    PID 1944 (iexplore.exe) set thread context of PID 3332 (procid_target 90)
    Note: in both cases the caller is the parent of the target and runs the same image as it (see the process tree); SetThreadContext on a freshly spawned child, paired with the WriteProcessMemory events below, is the process-hollowing pattern.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
    PID 1432 (WerFault.exe) reported a crash of PID 3332 (procid_target 90)

Suspicious use of WriteProcessMemory (16 IoCs)
    PID 1464 (4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe) wrote to memory of PID 2084 (procid_target 85): 5 events
    PID 2084 (4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe) wrote to memory of PID 3916 (procid_target 87): 3 events
    PID 2084 (4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe) wrote to memory of PID 1944 (procid_target 88): 3 events
    PID 1944 (iexplore.exe) wrote to memory of PID 3332 (procid_target 90): 5 events
Processes

C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe (PID 1464)
    command line: "C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe (PID 2084)
        command line: C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe
        - Checks computer location settings
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 3916)
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ozbgbmrw.bat" "

        C:\Windows\SysWOW64\iexplore.exe (PID 1944)
            command line: C:\Windows\system32\iexplore.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\iexplore.exe (PID 3332)
                command line: C:\Windows\SysWOW64\iexplore.exe
                - Executes dropped EXE

                C:\Windows\SysWOW64\WerFault.exe (PID 1432)
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 572
                    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 2204)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3332 -ip 3332
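The signature tables and the process tree describe one chain: the sample re-executes itself, writes into the child and calls SetThreadContext on it, creates iexplore.exe under SysWOW64 (the Downloads section lists a 68KB file whose hashes match the sample), and the dropped copy then repeats the same write-plus-SetThreadContext pair into its own child. The Python below is an added example and not part of the sandbox report or its tooling: it replays hand-constructed event records, built from the PIDs, images and paths in this report, through three small rules (WriteProcessMemory plus SetThreadContext into a child the caller spawned, execution of a file the tree itself wrote, and a query of the Geo\Nation registry value). The event field names, rule names and the ordering of the records are this example's own assumptions.

```python
"""Replay this report's process chain through three detection rules.

Added example. EVENTS is constructed by hand from the signature tables
and process tree of the sandbox report; the field names ("type", "pid",
"ppid", "image", "target", "path", "key") and the rule names are this
example's own, not the sandbox's export format.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4cf07f0e00efc17fd43c685f2658c768_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\iexplore.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000"
           r"\Control Panel\International\Geo\Nation")

# Constructed, time-ordered records mirroring the report (PIDs as listed there).
EVENTS = [
    {"type": "process_create", "pid": 1464, "ppid": 0, "image": SAMPLE},
    {"type": "process_create", "pid": 2084, "ppid": 1464, "image": SAMPLE},
    {"type": "write_process_memory", "pid": 1464, "target": 2084},
    {"type": "set_thread_context", "pid": 1464, "target": 2084},
    {"type": "registry_query", "pid": 2084, "key": GEO_KEY},
    {"type": "file_create", "pid": 2084, "path": DROPPED},
    {"type": "process_create", "pid": 3916, "ppid": 2084,
     "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"type": "process_create", "pid": 1944, "ppid": 2084, "image": DROPPED},
    {"type": "process_create", "pid": 3332, "ppid": 1944, "image": DROPPED},
    {"type": "write_process_memory", "pid": 1944, "target": 3332},
    {"type": "set_thread_context", "pid": 1944, "target": 3332},
]


def find_injection_chains(events):
    """Pair WriteProcessMemory and SetThreadContext from one source into a
    child that source spawned. Writing a child's memory and then re-pointing
    its thread is how process hollowing hands a freshly created process
    attacker-supplied code, which is why the sandbox flags both APIs."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    touched = defaultdict(set)
    for e in events:
        if e["type"] in ("write_process_memory", "set_thread_context"):
            touched[(e["pid"], e["target"])].add(e["type"])
    findings = []
    for (src, dst), apis in sorted(touched.items()):
        if apis == {"write_process_memory", "set_thread_context"} and parent.get(dst) == src:
            findings.append({"rule": "hollowing_pattern", "source": src,
                             "target": dst, "image": image[dst]})
    return findings


def find_dropped_executions(events):
    """Flag execution of any path that an earlier event in this tree wrote.
    Internet Explorer is not installed under SysWOW64, so iexplore.exe
    there is the sample re-hosting itself under a familiar file name."""
    dropped = set()
    findings = []
    for e in events:  # records are time-ordered: a create must precede the exec
        if e["type"] == "file_create":
            dropped.add(e["path"].lower())
        elif e["type"] == "process_create" and e["image"].lower() in dropped:
            findings.append({"rule": "dropped_exe_executed",
                             "pid": e["pid"], "image": e["image"]})
    return findings


def find_geofence_checks(events):
    """The Geo\\Nation value holds the user's configured country; reading
    it before doing anything else is the usual geofence pre-check."""
    return [{"rule": "geofence_lookup", "pid": e["pid"], "key": e["key"]}
            for e in events
            if e["type"] == "registry_query"
            and e["key"].lower().endswith(r"\international\geo\nation")]


def analyse(events):
    """Run all three rules and return the combined findings list."""
    return (find_injection_chains(events)
            + find_dropped_executions(events)
            + find_geofence_checks(events))


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The parent check in find_injection_chains is what separates this from ordinary debugger or instrumentation activity: a source that writes into and re-contexts a process it did not create is a different case and would need its own rule.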
Network
MITRE ATT&CK Enterprise v15
Downloads

Artifact 1
    Filesize: 244B
    MD5: ac3ce85c8e58419c33b99b11713f97ad
    SHA1: 0cd33506e1a8839902039892faf476a24de9dc48
    SHA256: 7bafe5aac41ad21c1dc867344f4bf8ecae1174076688bbd55d1d9b8f3c4fe3a8
    SHA512: 464628bc704a25f63b68d8206755cdc6624beca88f944466a26e9d34b00c249ea4bebcc41743fbb427aa5ec11950efe4b8bbd68261cf5330dc461fa7488745ba

Artifact 2 (size and all four hashes are identical to the submitted sample)
    Filesize: 68KB
    MD5: 4cf07f0e00efc17fd43c685f2658c768
    SHA1: 87403314fa15b5b7c779d2b0131df6fb2958c994
    SHA256: 42984c7cc0d29d8f1c40aac517463c991f4b90e1cb196c822a57d492dc0f3665
    SHA512: bdbb08a6442defcd15442b69e15d505defffd06743c5d7e6da868fb12e4acc35953a7fa7e14fc5aca4e6536e6495f91887e9744d19a2b4026512fc18ef3db395