Analysis

- max time kernel: 140s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-07-2024 10:52
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
  - Resource: win7-20240705-en
- Behavioral task: behavioral2 (the run reported below, on windows10-2004_x64)
  - Sample: 5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
  - Resource: win10v2004-20240709-en
General

- Target: 5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
- Size: 140KB
- MD5: 5ba0845ff3f7f12479a59e063d201db3
- SHA1: bb9e1b5656e76f43cb55da49981b6b66c3f59ec5
- SHA256: c63956f492ac0e6d79a7751945c573fa475f502ff8482461a52bdc2376c1f771
- SHA512: 11a19687c3afd02ed2904dacbbbbb6d9d4336435aed049eb6bef0b1827e719c508d70a4926f5aff233b9e802edfcc66790808c8f045ea1e04c599f7f66a3ef1c
- SSDEEP: 1536:vjjjPWXk20UMf9sliQ6HgEGHuLjzUgvKGlDbALtTaOE/iwXdBLpVQ5mZWTSf9ef:vXS8f9sEQfETLjJKGlQdnE/iETLamnq
Malware Config

Extracted (family: tofsee)
- 94.75.255.140
- rgtryhbgddtyh.biz
- wertdghbyrukl.ch
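The three indicators above are the actionable output of the config extraction. As an added example (not part of the sandbox report), the Python below matches them against DNS and connection logs. The log lines and their `key=value` format are constructed for illustration; `DNS_LOG`, `FLOW_LOG` and the `Hit` record are assumptions of this example. Note that a query for a C2 domain is a hit even when it does not resolve (rcode=3), and that subdomains of the indicator are matched while look-alike names that merely end in the same characters are not.

```python
"""Match the Tofsee indicators from the report against DNS and flow logs.

Added example, not part of the sandbox report. DNS_LOG and FLOW_LOG are
constructed sample data in an assumed 'timestamp key=value ...' format.
"""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Indicators from the report's "Malware Config" section.
TOFSEE_IPS = {"94.75.255.140"}
TOFSEE_DOMAINS = {"rgtryhbgddtyh.biz", "wertdghbyrukl.ch"}

# Constructed sample logs (assumed format). The second line of each is benign.
DNS_LOG = r"""
2024-07-19T10:53:01Z host=WS01 pid=3548 image="C:\Users\Admin\uvj.exe" query=rgtryhbgddtyh.biz. rcode=0
2024-07-19T10:53:02Z host=WS01 pid=1234 image="C:\Program Files\Mozilla Firefox\firefox.exe" query=www.example.com. rcode=0
2024-07-19T10:53:05Z host=WS01 pid=3548 image="C:\Users\Admin\uvj.exe" query=mail.WERTDGHBYRUKL.CH. rcode=3
""".strip()

FLOW_LOG = r"""
2024-07-19T10:53:07Z host=WS01 pid=4256 proto=tcp src=10.0.0.5:49731 dst=94.75.255.140:443
2024-07-19T10:53:08Z host=WS01 pid=1234 proto=tcp src=10.0.0.5:49732 dst=93.184.216.34:443
2024-07-19T10:53:09Z host=WS01 pid=4256 proto=tcp src=10.0.0.5:49733 dst=94.75.255.141:443
""".strip()


@dataclass(frozen=True)
class Hit:
    timestamp: str
    pid: int
    kind: str        # "dns" or "flow"
    indicator: str   # the IOC that matched
    observed: str    # what the log line actually contained


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict[str, str]:
    """Parse 'key=value' tokens (quoted values may contain spaces)."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["timestamp"] = ts
    return fields


def normalize_domain(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()


def domain_matches(query: str, indicator: str) -> bool:
    """True for the indicator itself or any subdomain of it, not for look-alikes."""
    q = normalize_domain(query)
    return q == indicator or q.endswith("." + indicator)


def scan_dns(log: str) -> list[Hit]:
    hits = []
    for line in log.splitlines():
        f = parse_kv(line)
        for ioc in sorted(TOFSEE_DOMAINS):
            if domain_matches(f["query"], ioc):
                hits.append(Hit(f["timestamp"], int(f["pid"]), "dns", ioc, f["query"]))
    return hits


def scan_flows(log: str) -> list[Hit]:
    hits = []
    bad = {ipaddress.ip_address(ip) for ip in TOFSEE_IPS}
    for line in log.splitlines():
        f = parse_kv(line)
        dst_ip, _, _ = f["dst"].rpartition(":")   # strip the port
        if ipaddress.ip_address(dst_ip) in bad:
            hits.append(Hit(f["timestamp"], int(f["pid"]), "flow", dst_ip, f["dst"]))
    return hits


def scan(dns_log: str = DNS_LOG, flow_log: str = FLOW_LOG) -> list[Hit]:
    """Run both scanners; returns the matching records in log order."""
    return scan_dns(dns_log) + scan_flows(flow_log)


if __name__ == "__main__":
    for h in scan():
        print(f"{h.timestamp} pid={h.pid} {h.kind}: {h.observed} matched {h.indicator}")
```

Exact-IP matching is deliberate: 94.75.255.141 in the sample flow log is not a hit, because the report gives a single address, not a range.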
Signatures

Checks computer location settings - 2 TTPs, 1 IoC
Looks up the country code configured in the registry, likely a geofence.
  Process: 5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe (PID 2332, per the process tree)
  Action:  Key value queried
  IoC:     \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation

Executes dropped EXE - 2 IoCs
  PID 3948  uvj.exe
  PID 3548  uvj.exe

Adds Run key to start application - 2 TTPs, 1 IoC
  Process: 5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe (PID 2332, per the process tree)
  Action:  Set value (str)
  IoC:     \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\uvj.exe\" /r"
  Note: the value name reuses the name of the legitimate Windows System Configuration tool (msconfig), while the data points at uvj.exe in the profile root, which is a byte-identical copy of the submitted sample (same hashes under Downloads).
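The Run value above is the host-side indicator a responder would sweep for. As an added example (not part of the sandbox report), the Python below triages a `reg export` of HKCU\...\CurrentVersion\Run: it decodes the .reg escaping, splits the quoted command line into executable and arguments, and flags entries whose executable sits directly in a user profile root or a Temp directory, whose value name mimics a Windows tool while pointing outside %SystemRoot%, or whose file hash matches the sample's SHA256. `REG_EXPORT` and `FILE_HASHES` are constructed sample input (the OneDrive and SecurityHealth rows are benign decoys); the heuristics and the `WINDOWS_TOOL_NAMES` list are this example's assumptions, not rules from the report.

```python
"""Triage HKCU Run entries against the persistence indicator in the report.

Added example, not part of the sandbox report. REG_EXPORT is a constructed
'reg export' snippet; FILE_HASHES is a constructed result of hashing the
referenced files; the heuristics below are the example's own assumptions.
"""
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Dropped file's SHA256 from the report (identical to the submitted sample).
KNOWN_BAD_SHA256 = {
    "c63956f492ac0e6d79a7751945c573fa475f502ff8482461a52bdc2376c1f771": "tofsee sample (uvj.exe)",
}

# Assumed list: names of legitimate Windows binaries/tools that malware reuses
# as Run value names. A match is only suspicious when the path is outside %SystemRoot%.
WINDOWS_TOOL_NAMES = {"msconfig", "svchost", "explorer", "winlogon", "csrss", "lsass"}

REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="\"C:\\Users\\Admin\\uvj.exe\" /r"
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''.strip()

# Constructed: SHA256 of each referenced executable as a hashing pass would report it.
FILE_HASHES = {
    r"C:\Users\Admin\uvj.exe": "c63956f492ac0e6d79a7751945c573fa475f502ff8482461a52bdc2376c1f771",
    r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe": "constructed-benign-hash",
}

# "name"="data" with backslash escapes inside either string.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(export: str) -> dict[str, str]:
    """Return {value name: command line} for every REG_SZ value in the export."""
    values = {}
    for line in export.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def split_command(cmd: str) -> tuple[str, str]:
    """Return (executable, arguments), honouring a double-quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def assess(name: str, data: str, hashes: dict[str, str]) -> list[str]:
    """Apply the heuristics to one Run value; an empty list means nothing flagged."""
    exe, _args = split_command(data)
    p = PureWindowsPath(exe)
    parts = [x.lower() for x in p.parts]   # e.g. ['c:\\', 'users', 'admin', 'uvj.exe']
    findings = []
    if len(parts) == 4 and parts[1] == "users":
        findings.append("executable sits directly in a user profile root")
    if "temp" in parts:
        findings.append("executable runs from a Temp directory")
    in_windows = any(x in ("windows", "%windir%", "%systemroot%") for x in parts[:2])
    if name.lower() in WINDOWS_TOOL_NAMES and not in_windows:
        findings.append(f"value name '{name}' mimics a Windows tool but the path is outside %SystemRoot%")
    sha = hashes.get(str(p))
    if sha in KNOWN_BAD_SHA256:
        findings.append(f"SHA256 matches known sample: {KNOWN_BAD_SHA256[sha]}")
    return findings


def triage(export: str = REG_EXPORT, hashes: dict[str, str] = FILE_HASHES) -> dict[str, list[str]]:
    return {name: assess(name, data, hashes) for name, data in parse_run_values(export).items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, "->", findings or "clean")
```

On a live host the same logic applies to the `reg export` output of every loaded user hive (HKU\S-1-5-21-...), since the report shows the value being written under the user's SID, not under HKLM.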
Suspicious use of SetThreadContext - 3 IoCs
  PID 908   5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe  set thread context of  PID 2332  5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe
  PID 3948  uvj.exe  set thread context of  PID 3548  uvj.exe
  PID 3548  uvj.exe  set thread context of  PID 4256  svchost.exe
  Each hop spawns a child, writes into it (see WriteProcessMemory below) and then sets its thread context, which is the process-hollowing pattern. The final hop targets a 32-bit svchost.exe (C:\Windows\SysWOW64), which crashes afterwards (see Program crash).

Enumerates physical storage devices - 1 TTP
Attempts to interact with connected storage/optical drive(s).

Program crash - 1 IoC
  PID 1496  WerFault.exe  handled crash of  PID 4256  svchost.exe

Suspicious use of WriteProcessMemory - 27 IoCs
Identical rows collapsed, with call counts (8 + 3 + 8 + 5 + 3 = 27):
  PID 908   5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe  wrote to memory of  PID 2332  5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe  (8 calls)
  PID 2332  5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe  wrote to memory of  PID 3948  uvj.exe  (3 calls)
  PID 3948  uvj.exe  wrote to memory of  PID 3548  uvj.exe  (8 calls)
  PID 3548  uvj.exe  wrote to memory of  PID 4256  svchost.exe  (5 calls)
  PID 2332  5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe  wrote to memory of  PID 1376  cmd.exe  (3 calls)
Processes

C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe  (PID 908)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe  (PID 2332)
      Command line: "C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe"
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    C:\Users\Admin\uvj.exe  (PID 3948)
        Command line: "C:\Users\Admin\uvj.exe" /r
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      C:\Users\Admin\uvj.exe  (PID 3548)
          Command line: "C:\Users\Admin\uvj.exe" /r
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe  (PID 4256)
            Command line: svchost.exe
          C:\Windows\SysWOW64\WerFault.exe  (PID 1496)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 320
              - Program crash
    C:\Windows\SysWOW64\cmd.exe  (PID 1376)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8367.bat" "
C:\Windows\SysWOW64\WerFault.exe  (PID 972)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4256 -ip 4256
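The SetThreadContext and WriteProcessMemory tables and the process tree above together describe a multi-stage injection chain. As an added example (not part of the sandbox report), the Python below rebuilds that chain from those entries: it pairs each SetThreadContext edge with the write count on the same edge, classifies the edge by whether the target is a freshly spawned child of the same image, a spawned child of a different image, or an unrelated process, and then walks from the first sample process to the final host. `PROCESSES`, `EVENTS` and `CRASHES` are transcribed from the report; the labels ("self-hollowing" and so on) are this example's own terminology.

```python
"""Rebuild the injection chain from the report's signature tables.

Added example, not part of the sandbox report. PROCESSES, EVENTS and CRASHES
are transcribed from the report's process tree, SetThreadContext,
WriteProcessMemory and Program crash entries; the labels are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5ba0845ff3f7f12479a59e063d201db3_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\uvj.exe"

PROCESSES = {  # pid: (parent pid, image), from the process tree
    908:  (None, SAMPLE),
    2332: (908, SAMPLE),
    3948: (2332, DROPPED),
    3548: (3948, DROPPED),
    4256: (3548, r"C:\Windows\SysWOW64\svchost.exe"),
    1376: (2332, r"C:\Windows\SysWOW64\cmd.exe"),
    1496: (4256, r"C:\Windows\SysWOW64\WerFault.exe"),
    972:  (None, r"C:\Windows\SysWOW64\WerFault.exe"),
}

# (kind, source pid, target pid, repetitions) from the signature tables.
EVENTS = [
    ("write", 908, 2332, 8),
    ("write", 2332, 3948, 3),
    ("write", 3948, 3548, 8),
    ("write", 3548, 4256, 5),
    ("write", 2332, 1376, 3),
    ("setctx", 908, 2332, 1),
    ("setctx", 3948, 3548, 1),
    ("setctx", 3548, 4256, 1),
]

CRASHES = {4256}  # PIDs WerFault was launched for (-p 4256)


def classify(src: int, dst: int) -> str:
    """Label an injection edge using parent/child and image relationships."""
    ppid, dst_img = PROCESSES[dst]
    src_img = PROCESSES[src][1]
    if ppid != src:
        return "injection into an existing process"
    if PureWindowsPath(src_img) == PureWindowsPath(dst_img):   # case-insensitive compare
        return "self-hollowing (spawned own image, wrote memory, set thread context)"
    return f"hollowing of spawned {PureWindowsPath(dst_img).name}"


def injection_edges(events=EVENTS) -> dict[tuple[int, int], dict]:
    """Every SetThreadContext edge, annotated with its write count and outcome.

    Writes with no SetThreadContext on the same edge (2332 -> 3948, 2332 -> 1376)
    coincide with ordinary child creation here and are not treated as injection.
    """
    writes: dict[tuple[int, int], int] = defaultdict(int)
    setctx: set[tuple[int, int]] = set()
    for kind, src, dst, n in events:
        if kind == "write":
            writes[(src, dst)] += n
        elif kind == "setctx":
            setctx.add((src, dst))
    return {
        (s, d): {"writes": writes.get((s, d), 0), "label": classify(s, d), "crashed": d in CRASHES}
        for s, d in sorted(setctx)
    }


def chain_from(root: int, edges: dict) -> list[int]:
    """Follow injection edges, and parent links to the next injecting stage, from root."""
    children = defaultdict(list)
    for pid, (ppid, _) in PROCESSES.items():
        if ppid is not None:
            children[ppid].append(pid)
    path, cur = [root], root
    while True:
        targets = [d for (s, d) in edges if s == cur]
        if targets:
            cur = targets[0]
        else:
            nxt = [c for c in children[cur] if any(s == c for (s, _) in edges)]
            if not nxt:
                break
            cur = nxt[0]
        path.append(cur)
    return path


def summarize(events=EVENTS) -> dict:
    edges = injection_edges(events)
    root = next(pid for pid, (pp, img) in PROCESSES.items() if pp is None and img == SAMPLE)
    path = chain_from(root, edges)
    return {
        "chain": [(pid, PureWindowsPath(PROCESSES[pid][1]).name) for pid in path],
        "injection_hops": len(edges),
        "final_host_crashed": path[-1] in CRASHES,
    }


if __name__ == "__main__":
    for edge, info in injection_edges().items():
        print(edge, info)
    print(summarize())
```

For this run the walk yields 908 -> 2332 -> 3948 -> 3548 -> 4256: two self-hollowing hops inside the sample and its dropped copy, then a hollowed 32-bit svchost.exe that crashed, which is why no network activity from the final stage should be expected in this trace.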
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\8367.bat (run by cmd.exe, PID 1376, spawned from PID 2332; content not shown in this report)
  Filesize: 117B
  MD5:    dd1272afbec3d38bfa7f9cb03eb760bf
  SHA1:   26ed50b0bc97e96c8bd76450b4ecdf57b2db90c0
  SHA256: 52f28894dbff59d03392152dde6e63ebc15f87f421189175ab95aa3167eb316d
  SHA512: 0076cdaf830d102a0129cac4e4fff563ed0d29f73ea9ce65f4545bc615ea546263ea9342058344520596356485a59d4993b37127b4208863222130d5d714b139

C:\Users\Admin\uvj.exe (identical to the submitted sample: same size and hashes)
  Filesize: 140KB
  MD5:    5ba0845ff3f7f12479a59e063d201db3
  SHA1:   bb9e1b5656e76f43cb55da49981b6b66c3f59ec5
  SHA256: c63956f492ac0e6d79a7751945c573fa475f502ff8482461a52bdc2376c1f771
  SHA512: 11a19687c3afd02ed2904dacbbbbb6d9d4336435aed049eb6bef0b1827e719c508d70a4926f5aff233b9e802edfcc66790808c8f045ea1e04c599f7f66a3ef1c

Memory dumps (PID-index, address range, size)
  memory/2332-0   0x0000000000400000-0x0000000000410000   64KB
  memory/2332-2   0x0000000000400000-0x0000000000410000   64KB
  memory/2332-4   0x0000000000400000-0x0000000000410000   64KB
  memory/3548-13  0x0000000000400000-0x0000000000410000   64KB
  memory/4256-14  0x00000000003D0000-0x00000000003E0000   64KB
  memory/4256-19  0x00000000003D0000-0x00000000003E0000   64KB
  memory/4256-28  0x00000000003D0000-0x00000000003E0000   64KB
  memory/4256-29  0x0000000002420000-0x0000000002421000   4KB
  memory/4256-30  0x00000000003D0000-0x00000000003E0000   64KB
  memory/4256-31  0x00000000003D0000-0x00000000003E0000   64KB