Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-07-2024 01:14
Static task: static1
Behavioral task: behavioral1
Sample: 7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe
Resource: win7-20240704-en
General
- Target: 7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe
- Size: 1.3MB
- MD5: 7682cc2ceb95e1bcb49afa3bbc3ed95f
- SHA1: 2da54e2cb09d13c2a3d4c240d3d0efad48690083
- SHA256: 01f9c2319d337672dc52edce7c8a1da2c5058e9bd338681a4a58bcbae6b9a0c5
- SHA512: 28ff749faa38c389e22f17cef1e5861873d3b805406bf847d543cd1bac53f089f94943d2e6b1bdfcdcd16c33736051e91adbf869c13d96aca6102475ee743cb9
- SSDEEP: 24576:ttTG2juRDu2KFpKi+1Qn4jPzQgq5O3CROcoXtbuuJh/H4+dWBGqw0I7AESrFhRQ6:DTGaUD2Fgi+5PzQE+ORT94fg0SURQ6
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
  resource                                    yara_rule
  C:\Users\Admin\AppData\Local\Temp\lzg1.tmp  acprotect
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Process filter: 7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe
  description        ioc                                                                                                 process
  Key value queried  \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation  7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe
-
Executes dropped EXE 2 IoCs
Processes:
  Process filter: DN¿ËÁÖ¶Ù.exe, 222.exe
  pid   process
  1916  DN¿ËÁÖ¶Ù.exe
  3052  222.exe
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
  Process filter: DN¿ËÁÖ¶Ù.exe
  description  ioc                                                                       process
  Key opened   \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Wine  DN¿ËÁÖ¶Ù.exe
-
Loads dropped DLL 1 IoCs
Processes:
  Process filter: rundll32.exe
  pid   process
  1516  rundll32.exe
-
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\Temp\DN¿ËÁÖ¶Ù.exe                           themida
  behavioral2/memory/1916-13-0x0000000000400000-0x0000000000711000-memory.dmp  themida
  behavioral2/memory/1916-29-0x0000000000400000-0x0000000000711000-memory.dmp  themida
-
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\lzg1.tmp                                    upx
  behavioral2/memory/1516-25-0x0000000010000000-0x000000001000B000-memory.dmp  upx
  behavioral2/memory/1516-28-0x0000000010000000-0x000000001000B000-memory.dmp  upx
-
Drops file in System32 directory 4 IoCs
Processes:
  Process filter: 222.exe, rundll32.exe
  description   ioc                                       process
  File created  C:\Windows\SysWOW64\dxe.dat               222.exe
  File created  C:\Windows\SysWOW64\dinput8.dll           rundll32.exe
  File created  C:\Windows\SysWOW64\dllcache\dinput8.dll  rundll32.exe
  File created  C:\Windows\SysWOW64\dinput8_.dll          rundll32.exe
-
Drops file in Windows directory 2 IoCs
Processes:
  Process filter: rundll32.exe
  description                   ioc                     process
  File created                  C:\Windows\dinput8.dll  rundll32.exe
  File opened for modification  C:\Windows\dinput8.dll  rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
  Process filter: WerFault.exe
  pid   pid_target  process       target process
  1464  1516        WerFault.exe  rundll32.exe
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Process filter: 7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe, DN¿ËÁÖ¶Ù.exe, 222.exe, cmd.exe, rundll32.exe
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DN¿ËÁÖ¶Ù.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  222.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  Process filter: 7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe, rundll32.exe
  pid   process
  528   7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe
  528   7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe
  1516  rundll32.exe
  1516  rundll32.exe
  1516  rundll32.exe
  1516  rundll32.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  Process filter: 7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe, 222.exe, cmd.exe
  description                      pid   process                                             target process
  PID 528 wrote to memory of 1916  528   7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe  DN¿ËÁÖ¶Ù.exe
  PID 528 wrote to memory of 1916  528   7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe  DN¿ËÁÖ¶Ù.exe
  PID 528 wrote to memory of 1916  528   7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe  DN¿ËÁÖ¶Ù.exe
  PID 528 wrote to memory of 3052  528   7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe  222.exe
  PID 528 wrote to memory of 3052  528   7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe  222.exe
  PID 528 wrote to memory of 3052  528   7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe  222.exe
  PID 3052 wrote to memory of 2760 3052  222.exe                                             cmd.exe
  PID 3052 wrote to memory of 2760 3052  222.exe                                             cmd.exe
  PID 3052 wrote to memory of 2760 3052  222.exe                                             cmd.exe
  PID 2760 wrote to memory of 1516 2760  cmd.exe                                             rundll32.exe
  PID 2760 wrote to memory of 1516 2760  cmd.exe                                             rundll32.exe
  PID 2760 wrote to memory of 1516 2760  cmd.exe                                             rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7682cc2ceb95e1bcb49afa3bbc3ed95f_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 528
  C:\Users\Admin\AppData\Local\Temp\Temp\DN¿ËÁÖ¶Ù.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Temp\DN¿ËÁÖ¶Ù.exe"
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - System Location Discovery: System Language Discovery
    PID: 1916
  C:\Users\Admin\AppData\Local\Temp\Temp\222.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Temp\222.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3052
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sdfd3.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2760
      C:\Windows\SysWOW64\rundll32.exe (level 4)
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\lzg1.tmp Run
        - Loads dropped DLL
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 1516
        C:\Windows\SysWOW64\WerFault.exe (level 5)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 716
          - Program crash
          PID: 1464
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1516 -ip 1516
  PID: 1252
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 32KB
MD5: bc3176933a6f74064e836d62c2485ff8
SHA1: 2bfb2b82a277c222b5757ea21eb915d171207861
SHA256: 55785c5e81a4d8713d51025bd825997183da9584069c69b50e03e9986a4aa068
SHA512: 83357dd0631a6f66e1a0bcb110a934c47cee9f1da33d29e607f699b8566c0cfe37af0169a143ac9aae17059bede72adb6271b81eae0ce0d91531a2fd4f3f1d6a
-
Filesize: 1.3MB
MD5: 4d9fbebe1164ffa79d0ebe30c0daa01e
SHA1: e54beb67ef129078ec80b19005b7ed55179bb18b
SHA256: 35a5d18cc1856371e03684c66c9776b6dbb7f750790b4f3b5ebf490d2eaddcb7
SHA512: 79c2ea736000f3f968ef3f1ad6180eab99a17b93063677eafb19bbd751e85b4e66b1080e4b7bed7db6ba33c0988b71c532b2f668629edd8af62a5cd441bda372
-
Filesize: 11KB
MD5: 20ec4f2b2180ca67d0f8d5bde03cb61a
SHA1: 9be40abddd2eb0b182be4e748cfb3bd17f4d8a57
SHA256: 5b034c98e7336a7e17637182e09eddfbdd5f5d3e30ea69f00f8e3ad7da950d32
SHA512: 758ec8b517257c768f8daf32527d6beb98466867d1e9b51b7289981b35e7d559f0680e41bcea89797228ae25b6057f7524d6ad0d97447aecfee113075047df38
-
Filesize: 113B
MD5: 58ac5b8b4fd347676442eebe426ca466
SHA1: 84602b226bfcd63f83eec5af68130596c2ed7ad0
SHA256: 740a88fa95e628578d339df95d57421486f0aaead09e5b6b55e906bc9db63e5f
SHA512: e3fb48f878842bdbc3bd13c5bd22840ea40067dd2b8aae2bf1bd6612ecdbeb5f00b09392c0a9ae2e977beb8e59c8ee331c2e04f0d29be3a38ec24d3ce56253b9