Analysis
Max time kernel: 149s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-07-2024 05:05
Behavioral task: behavioral1
Sample: 77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
Size: 497KB
MD5: 77227411ed5a56e7f8caaaefb8551b11
SHA1: 6da36bf8e984c65361f8c473a14c63d6532780ac
SHA256: 3b776b91821efe686c53d5dff43dee312849131ecc6ac4ab92a3b6c4cc861071
SHA512: 98e906cc55e8cdfb6832a76b5f315e49e6ef543d9896dbc5206990c6c43d11eb92e9d861212b1c06bcea1b6579c11b9210f0746e7cdc8b5ec2b21ee10abc1d6f
SSDEEP: 12288:ReGtVfjTQSaoINAHT1ST82epyJ5JUkmoGNA:RLt4/NAwTWpA5aPK
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe: key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation
  eduju.exe: key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (2 IoCs)
Processes:
  PID 2788: eduju.exe
  PID 3228: ezhoj.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  eduju.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  cmd.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  ezhoj.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID 3228: ezhoj.exe (64 process-enumeration events)
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source PID / process -> target PID / process):
  3100 77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe -> 2788 eduju.exe (3 events)
  3100 77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe -> 2120 cmd.exe (3 events)
  2788 eduju.exe -> 3228 ezhoj.exe (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77227411ed5a56e7f8caaaefb8551b11_JaffaCakes118.exe"
  PID: 3100
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\eduju.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eduju.exe"
    PID: 2788
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ezhoj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ezhoj.exe"
      PID: 3228
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2120
    - System Location Discovery: System Language Discovery
Network
Downloads