Analysis
- max time kernel: 135s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-07-2024 04:24
Static task: static1
Behavioral task: behavioral1
- Sample: 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe
- Size: 133KB
- MD5: 56213a6487ab2bccbc59e7e87aabff95
- SHA1: 40748ef8241587c207311160e9d1115e0bb4c374
- SHA256: 4270d9f809d18daa8f77b828246d5d2130dcd899e20656cfe0bff05332db991e
- SHA512: c8c60671d23ad59dc7dd7dd7f02ee6988904bc9d72a162ac68b2e9e43da8f7ca13ddc9d49e81686840ae2776ba1b8f37fddc3705c6d9f7a1acba9da871d5cc3d
- SSDEEP: 1536:FnTcqpP5uH0gP2r5zMiqCWQ6Q/GeFiIc7tnE0sPST6Q1:FnTcs5fxr5zMVwrwtnE0saD
Malware Config
Extracted: tofsee
- 64.20.54.234
- rgtryhbgddtyh.biz
- wertdghbyrukl.ch
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation
  process: 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
Processes:
- pid 1144, process eaxi.exe
- pid 4636, process eaxi.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\eaxi.exe\" /r"
  process: 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 3352 set thread context of 2004: 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe -> 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe
- PID 1144 set thread context of 4636: eaxi.exe -> eaxi.exe
- PID 4636 set thread context of 3732: eaxi.exe -> svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes:
- pid 3964 (WerFault.exe), pid_target 3732 (svchost.exe)

Suspicious use of UnmapMainImage (1 IoC)
Processes:
- pid 3352, process 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (repeated identical entries collapsed with a count):
- PID 3352 wrote to memory of 2004: 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe -> 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe (x8)
- PID 2004 wrote to memory of 1144: 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe -> eaxi.exe (x3)
- PID 1144 wrote to memory of 4636: eaxi.exe -> eaxi.exe (x8)
- PID 4636 wrote to memory of 3732: eaxi.exe -> svchost.exe (x5)
- PID 2004 wrote to memory of 2076: 56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe -> cmd.exe (x3)
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe"
  PID: 3352
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\56213a6487ab2bccbc59e7e87aabff95_JaffaCakes118.exe"
    PID: 2004
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\eaxi.exe
      Command line: "C:\Users\Admin\eaxi.exe" /r
      PID: 1144
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\eaxi.exe
        Command line: "C:\Users\Admin\eaxi.exe" /r
        PID: 4636
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\svchost.exe
          Command line: svchost.exe
          PID: 3732

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 320
            PID: 3964
            - Program crash

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5504.bat" "
      PID: 2076

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3732 -ip 3732
  PID: 1164
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\5504.bat
- Filesize: 117B
- MD5: c7280fb5ee50157f35084abc765a4e74
- SHA1: 4c1c7a57bf19232cb38dca15a298f561554cd2d3
- SHA256: 255e474dc0d30684a6c067374b95b0082e9aa282affe220737f39cb90d9113a4
- SHA512: bc58a5d324c791d3ccbfc80458f582c7deb8e48140c3796f0730e9c1816ecac96a578726dd8db54f1dc4271815f7d2eaba36ed4d14565138b6e9ef96837c2c9f

C:\Users\Admin\eaxi.exe
- Filesize: 133KB
- MD5: 56213a6487ab2bccbc59e7e87aabff95
- SHA1: 40748ef8241587c207311160e9d1115e0bb4c374
- SHA256: 4270d9f809d18daa8f77b828246d5d2130dcd899e20656cfe0bff05332db991e
- SHA512: c8c60671d23ad59dc7dd7dd7f02ee6988904bc9d72a162ac68b2e9e43da8f7ca13ddc9d49e81686840ae2776ba1b8f37fddc3705c6d9f7a1acba9da871d5cc3d

Memory dumps (file: Filesize)
- memory/2004-0-0x0000000000400000-0x0000000000410000-memory.dmp: 64KB
- memory/2004-2-0x0000000000400000-0x0000000000410000-memory.dmp: 64KB
- memory/2004-7-0x0000000000400000-0x0000000000410000-memory.dmp: 64KB
- memory/3732-13-0x0000000000BA0000-0x0000000000BB0000-memory.dmp: 64KB
- memory/3732-20-0x0000000000BA0000-0x0000000000BB0000-memory.dmp: 64KB
- memory/3732-27-0x0000000000BA0000-0x0000000000BB0000-memory.dmp: 64KB
- memory/3732-28-0x0000000002BE0000-0x0000000002BE1000-memory.dmp: 4KB
- memory/3732-29-0x0000000000BA0000-0x0000000000BB0000-memory.dmp: 64KB
- memory/3732-30-0x0000000000BA0000-0x0000000000BB0000-memory.dmp: 64KB