Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/07/2024, 09:18
Static task: static1
Behavioral task: behavioral1
  Sample: 4dada77862cde6792f67fd1dfb4c8954_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 4dada77862cde6792f67fd1dfb4c8954_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 4dada77862cde6792f67fd1dfb4c8954_JaffaCakes118.exe
- Size: 56KB
- MD5: 4dada77862cde6792f67fd1dfb4c8954
- SHA1: 5058cf63e61d546072f6ecf98f78cd42bf9670f3
- SHA256: 4e7bc884ef54151ba83f767fd57ddd85abf93606e3af3e254650656339f1b467
- SHA512: 4475c9e60bc4271b2aba34c7317a12755e26f89ce319860976ba1b8170f51d88d8bc05e2e7db8a2a5a9d1b94003fde3159439189a121c3d2f2eef8d6295257b5
- SSDEEP: 768:hVHVPNP55Io86sf0mq/6/Q/9NF0+LEc8af3ts0E9V:hJPMoGq2oS+Ljb3ts0E9V
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: jsneq.exe
  Setting ShowSuperHidden to 0 turns Explorer's "Hide protected operating system files" option back on, so files the dropper marks as system/hidden stay out of sight.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation
  process: 4dada77862cde6792f67fd1dfb4c8954_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  pid: 2412
  process: jsneq.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsneq = "C:\\Users\\Admin\\jsneq.exe"
  process: jsneq.exe
  The doubled backslashes are the report's escaping; the value data is the path of the dropped executable shown in the process tree, C:\Users\Admin\jsneq.exe, written by that executable itself.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2412, process: jsneq.exe (the same entry for all 64 listed IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 1644, process: 4dada77862cde6792f67fd1dfb4c8954_JaffaCakes118.exe
  pid: 2412, process: jsneq.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1644 (4dada77862cde6792f67fd1dfb4c8954_JaffaCakes118.exe) wrote to memory of 2412, procid_target 86: 3 entries
  PID 2412 (jsneq.exe) wrote to memory of 1644, procid_target 82: the remaining entries (61 of the 64 listed)
  The report records only the API use and its direction, not what was written. The parent writing into the child it has just started is the common case; the dropped child writing back into the process that spawned it is the less usual direction and the pair to examine first. Both this signature and EnumeratesProcesses stop at exactly 64 entries, which suggests a display limit rather than an exact count.
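The two registry IoCs above (the Run value pointing at an executable in the profile root, and ShowSuperHidden reset to 0) are the host-side artefacts worth hunting for. The following is an added example, not part of the sandbox report, that matches those two patterns against registry value-set events in the shape of Sysmon Event ID 13. The event records, field names (image, target, details) and the benign look-alike rows are constructed for the example; the Run-key match is generalised to any executable placed directly in a user's profile root rather than the literal name jsneq.exe.

```python
import re
from typing import Dict, List, Tuple

# Constructed registry value-set events in the shape of Sysmon Event ID 13
# (image = writing process, target = key\value, details = data written).
# These are example records, not log lines from the report: the two jsneq.exe
# rows mirror the report's IoCs, the other two are benign look-alikes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\Admin\jsneq.exe",
     "target": r"HKU\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsneq",
     "details": r"C:\Users\Admin\jsneq.exe"},
    {"image": r"C:\Users\Admin\jsneq.exe",
     "target": r"HKU\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "details": "DWORD (0x00000000)"},
    {"image": r"C:\Program Files\Vendor\Updater.exe",
     "target": r"HKU\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\Updater.exe"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "details": "DWORD (0x00000001)"},
]

# Run or RunOnce value under any hive/SID prefix (HKU\<SID>\..., HKCU\..., HKLM\...).
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
SHOW_SUPER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.IGNORECASE)
# An .exe sitting directly in a user's profile root (C:\Users\<name>\x.exe), as
# jsneq.exe does; anything deeper (AppData, Desktop, ...) deliberately does not match.
PROFILE_ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe"?$', re.IGNORECASE)
DWORD_ZERO = re.compile(r"^DWORD \(0x0+\)$")


def match_iocs(event: Dict[str, str]) -> List[str]:
    """Return the names of the report's registry IoC patterns this event matches."""
    hits: List[str] = []
    target, details = event["target"], event["details"]
    if RUN_KEY.search(target) and PROFILE_ROOT_EXE.match(details):
        hits.append("run_key_profile_root_exe")   # persistence like Run\jsneq
    if SHOW_SUPER_HIDDEN.search(target) and DWORD_ZERO.match(details):
        hits.append("showsuperhidden_disabled")   # protected OS files hidden again
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flatten matches to (writing process, pattern) pairs for triage output."""
    return [(e["image"], hit) for e in events for hit in match_iocs(e)]


if __name__ == "__main__":
    for image, hit in hunt(SAMPLE_EVENTS):
        print(f"{hit:26} {image}")
```

The vendor updater's Run value and Explorer's own ShowSuperHidden = 1 produce no hit, so the two patterns can be left running across a fleet without flagging ordinary autostart entries; only the combination of a Run value and a profile-root executable, or a ShowSuperHidden write of 0, is reported.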
Processes
1. C:\Users\Admin\AppData\Local\Temp\4dada77862cde6792f67fd1dfb4c8954_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4dada77862cde6792f67fd1dfb4c8954_JaffaCakes118.exe"
   PID: 1644
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\jsneq.exe (child of PID 1644)
      command line: "C:\Users\Admin\jsneq.exe"
      PID: 2412
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
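The WriteProcessMemory listing is flattened into one row per call and says nothing about direction beyond the two PIDs, so the first thing an analyst does with it is tally writer/target pairs and check them against the process tree. The following is an added example, not part of the sandbox report, that parses rows in the report's row format and flags any pair where a process writes into its own parent. The five rows and the parent map are constructed for the example (a short sample, not the full 64-entry listing); the row layout follows the report's "description pid Process procid_target" columns.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed rows in the shape of the report's "Suspicious use of WriteProcessMemory"
# listing: "PID <writer> wrote to memory of <target> <pid> <process> <procid_target>".
# A short sample for the example, not the report's full 64-entry listing.
SAMPLE_ROWS: List[str] = [
    "PID 1644 wrote to memory of 2412 1644 4dada77862cde6792f67fd1dfb4c8954_JaffaCakes118.exe 86",
    "PID 1644 wrote to memory of 2412 1644 4dada77862cde6792f67fd1dfb4c8954_JaffaCakes118.exe 86",
    "PID 2412 wrote to memory of 1644 2412 jsneq.exe 82",
    "PID 2412 wrote to memory of 1644 2412 jsneq.exe 82",
    "PID 2412 wrote to memory of 1644 2412 jsneq.exe 82",
]
# Parent relationship as shown in the report's process tree (child pid -> parent pid).
PARENT_OF: Dict[int, int] = {2412: 1644}

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")


def parse_rows(rows: List[str]) -> List[Tuple[int, int, str]]:
    """Parse each row into (writer pid, target pid, writer image name)."""
    parsed: List[Tuple[int, int, str]] = []
    for row in rows:
        m = ROW.match(row.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        parsed.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return parsed


def summarize(rows: List[str], parent_of: Dict[int, int]) -> Dict[str, object]:
    """Count writes per (writer, target) pair and list pairs where a child writes
    into its own parent, the direction an analyst should examine first."""
    counts = Counter((src, dst) for src, dst, _ in parse_rows(rows))
    upstream = sorted({pair for pair in counts if parent_of.get(pair[0]) == pair[1]})
    return {"counts": dict(counts), "child_to_parent": upstream}


if __name__ == "__main__":
    result = summarize(SAMPLE_ROWS, PARENT_OF)
    for (src, dst), n in result["counts"].items():
        print(f"{src} -> {dst}: {n} write(s)")
    print("child writing into parent:", result["child_to_parent"])
```

On the report's own data this yields the two pairs shown in the signature, with jsneq.exe (2412) to its parent (1644) as the flagged one; the parser raises on any row that does not match the column layout rather than silently skipping it, so a report with a different format is noticed rather than under-counted.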
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 56KB
  MD5: 528553478a7aac10868924e16b72f291
  SHA1: f858ff73f4c9ba74470d01c2b956b81d16c2b18a
  SHA256: 365dffc3a187c3b973c1b8edac71bd0a8eebfc36f3642c9666f07eacd8169ff0
  SHA512: a5988d5a6601f0693f7bb0c9ade04faa703d7d27a8a9d12f8e421759fdd8b7ac3b5f8305c1a0275a32de668b733f578979450e7fad0bd6614c587d38a9aeb7e2
  The report does not name this file. It has the same 56KB size as the submitted sample but different hashes, so it is not a byte-identical copy of it.