Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-07-2024 23:44
Static task: static1

Behavioral task: behavioral1
  Sample: 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General

Target: 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
Size: 1.5MB
MD5: 69718d60c6bf522c2d797e91d3b7721d
SHA1: 2b3f046ec4a10651203d27848a3447f6af9fab71
SHA256: d0bb8f6045c44faeca78a55906323209a492b3b16c78082a7c5d212df4252896
SHA512: f2b22a49cd4888788a3100c936caf5fb4257ba779424ad330a8bfb8a9b7c27c18cd43505dfee06f9bbc9b4b11c3bd674fba7ed7a7989a7034c98a84b062934de
SSDEEP: 24576:rI1ybgiF2iTLHdxR1jR/mJEkEJcCgUFh91BLZ:k1ybgiF2mL9r1jAjOgI91tZ
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | regsvcr.exe
Executes dropped EXE (4 IoCs)

pid | Process
1500 | Microsoft Office 2010 Keygen.exe
4908 | regsvcr.exe
3928 | Microsoft Office 2010 Keygen.exe
5112 | regsvcr.exe
Adds Run key to start application (2 TTPs, 3 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet = "(values not set)" | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Firewall Helper = "C:\\Users\\Admin\\AppData\\Roaming\\regsvcr.exe" | regsvcr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet = "1" | regsvcr.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\S: | regsvcr.exe
File opened (read-only) | \??\E: | regsvcr.exe
File opened (read-only) | \??\H: | regsvcr.exe
File opened (read-only) | \??\J: | regsvcr.exe
File opened (read-only) | \??\M: | regsvcr.exe
File opened (read-only) | \??\P: | regsvcr.exe
File opened (read-only) | \??\Q: | regsvcr.exe
File opened (read-only) | \??\R: | regsvcr.exe
File opened (read-only) | \??\T: | regsvcr.exe
File opened (read-only) | \??\V: | regsvcr.exe
File opened (read-only) | \??\Y: | regsvcr.exe
File opened (read-only) | \??\G: | regsvcr.exe
File opened (read-only) | \??\I: | regsvcr.exe
File opened (read-only) | \??\K: | regsvcr.exe
File opened (read-only) | \??\L: | regsvcr.exe
File opened (read-only) | \??\O: | regsvcr.exe
File opened (read-only) | \??\W: | regsvcr.exe
File opened (read-only) | \??\X: | regsvcr.exe
File opened (read-only) | \??\N: | regsvcr.exe
File opened (read-only) | \??\U: | regsvcr.exe
File opened (read-only) | \??\Z: | regsvcr.exe
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | regsvcr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | regsvcr.exe
Suspicious use of SetThreadContext (2 IoCs)

description | pid | Process | procid_target
PID 464 set thread context of 1888 | 464 | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe | 88
PID 4908 set thread context of 5112 | 4908 | regsvcr.exe | 95
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Microsoft Office 2010 Keygen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvcr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Microsoft Office 2010 Keygen.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | regsvcr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | regsvcr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | regsvcr.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)

pid | Process
464 | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
464 | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
4908 | regsvcr.exe
4908 | regsvcr.exe
Suspicious use of SetWindowsHookEx (4 IoCs)

pid | Process
464 | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
1500 | Microsoft Office 2010 Keygen.exe
4908 | regsvcr.exe
3928 | Microsoft Office 2010 Keygen.exe
Suspicious use of WriteProcessMemory (35 IoCs)
The 35 entries are repeated copies of the following five distinct rows:

description | pid | Process | procid_target
PID 464 wrote to memory of 1500 | 464 | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe | 87
PID 464 wrote to memory of 1888 | 464 | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe | 88
PID 1888 wrote to memory of 4908 | 1888 | 69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe | 89
PID 4908 wrote to memory of 3928 | 4908 | regsvcr.exe | 92
PID 4908 wrote to memory of 5112 | 4908 | regsvcr.exe | 95
Processes

1. C:\Users\Admin\AppData\Local\Temp\69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe"
   PID: 464
   - Checks computer location settings
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Microsoft Office 2010 Keygen.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Office 2010 Keygen.exe"
      PID: 1500
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

   2. C:\Users\Admin\AppData\Local\Temp\69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\69718d60c6bf522c2d797e91d3b7721d_JaffaCakes118.exe
      PID: 1888
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\regsvcr.exe
         Command line: C:\Users\Admin\AppData\Roaming\regsvcr.exe
         PID: 4908
         - Checks computer location settings
         - Executes dropped EXE
         - Maps connected drives based on registry
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\Microsoft Office 2010 Keygen.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Office 2010 Keygen.exe"
            PID: 3928
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

         4. C:\Users\Admin\AppData\Roaming\regsvcr.exe
            Command line: C:\Users\Admin\AppData\Roaming\regsvcr.exe
            PID: 5112
            - Executes dropped EXE
            - Adds Run key to start application
            - Enumerates connected drives
            - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 940KB
MD5: 6743235bfa17545a9619ed4b7ea51bf2
SHA1: 771de9887414b949a78da436caeb504c882cd691
SHA256: d44327694c7b9190ba4ff8a4e41a622d2ad86948dc72119e6d280b68c2fecbbd
SHA512: 60e917abff0862fdcab28dcc4528d434b846408a1aff5503b28ab460e65ddf8f434ecaa4f215545092b3d43a585bb4f189c50fe96edd4b5ad9f78fa239ad1810

Filesize: 1.5MB
MD5: 69718d60c6bf522c2d797e91d3b7721d
SHA1: 2b3f046ec4a10651203d27848a3447f6af9fab71
SHA256: d0bb8f6045c44faeca78a55906323209a492b3b16c78082a7c5d212df4252896
SHA512: f2b22a49cd4888788a3100c936caf5fb4257ba779424ad330a8bfb8a9b7c27c18cd43505dfee06f9bbc9b4b11c3bd674fba7ed7a7989a7034c98a84b062934de