Analysis
  max time kernel: 149s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20240730-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 31-07-2024 14:22
Behavioral task: behavioral1
  Sample: 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
  Resource: win7-20240705-en
General
  Target: 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
  Size: 447KB
  MD5: 7cbfcfbea7895720df5904630f97a3ac
  SHA1: 0c83df8fa50c2591964603f0a02db8f9621ee30d
  SHA256: ed5e31592f1ab4b99ec67646993946ecfb7226c1c3fc6aaf8188f9665047057e
  SHA512: 3a45796868070cf024cf0ecba8bf9fa81e7fecb32c21f836a2e3c6622691aa114317691c865074c4b17664acbaeb31b26054e1046efd2758b04860e09dfa338a
  SSDEEP: 6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpo+:PMpASIcWYx2U6hAJQni
Malware Config
  Extracted family: urelas
  C2: 218.54.31.165, 218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description       | ioc                                                                                                       | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | fyvek.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation | akpiir.exe

Executes dropped EXE (3 IoCs)
  pid  | process
  3160 | fyvek.exe
  2668 | akpiir.exe
  4904 | cuitf.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  description | ioc                                                      | process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fyvek.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | akpiir.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cuitf.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | process   | occurrences
  4904 | cuitf.exe | 64 (identical rows)

Suspicious use of WriteProcessMemory (15 IoCs; each parent/child pair is listed three times)
  parent pid | parent process                                     | target pid | target process | rows
  1580       | 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe | 3160       | fyvek.exe      | 3
  1580       | 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe | 2700       | cmd.exe        | 3
  3160       | fyvek.exe                                          | 2668       | akpiir.exe     | 3
  2668       | akpiir.exe                                         | 4904       | cuitf.exe      | 3
  2668       | akpiir.exe                                         | 1224       | cmd.exe        | 3
Processes (indentation shows parent/child depth)

PID 1580  C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  PID 3160  C:\Users\Admin\AppData\Local\Temp\fyvek.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fyvek.exe" hi
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    PID 2668  C:\Users\Admin\AppData\Local\Temp\akpiir.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\akpiir.exe" OK
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      PID 4904  C:\Users\Admin\AppData\Local\Temp\cuitf.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\cuitf.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      PID 1224  C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery

  PID 2700  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - System Location Discovery: System Language Discovery
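The chain above (sample drops fyvek.exe, which drops akpiir.exe, which drops cuitf.exe, with cmd.exe running _vslite.bat from Temp at two points) is easier to reason about once the fifteen WriteProcessMemory rows are collapsed into one edge per spawn. The following Python script is an added example and is not part of the sandbox report or the sandbox's own logic: the event rows, PIDs, image paths and command lines are copied from the report, while the deduplication, tree rendering and the three flagging rules (Temp-resident EXE starting another Temp-resident EXE; cmd.exe running a .bat from Temp; a cmd.exe whose image is in SysWOW64 although the parent requested system32, which tells you the parent is a 32-bit process under WoW64 file system redirection) are this example's assumptions.

```python
"""Rebuild the sandbox process tree and flag the chains worth reading first.

Added example, not part of the sandbox report. Event rows, PIDs, paths and
command lines are the report's; parsing, tree building and the flagging
rules are this example's assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the report's 15 "wrote to memory of" rows. Each
# parent/child pair is listed three times and must be deduplicated.
WPM_EVENTS = """
PID 1580 wrote to memory of 3160 1580 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe fyvek.exe
PID 1580 wrote to memory of 3160 1580 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe fyvek.exe
PID 1580 wrote to memory of 3160 1580 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe fyvek.exe
PID 1580 wrote to memory of 2700 1580 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe cmd.exe
PID 1580 wrote to memory of 2700 1580 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe cmd.exe
PID 1580 wrote to memory of 2700 1580 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe cmd.exe
PID 3160 wrote to memory of 2668 3160 fyvek.exe akpiir.exe
PID 3160 wrote to memory of 2668 3160 fyvek.exe akpiir.exe
PID 3160 wrote to memory of 2668 3160 fyvek.exe akpiir.exe
PID 2668 wrote to memory of 4904 2668 akpiir.exe cuitf.exe
PID 2668 wrote to memory of 4904 2668 akpiir.exe cuitf.exe
PID 2668 wrote to memory of 4904 2668 akpiir.exe cuitf.exe
PID 2668 wrote to memory of 1224 2668 akpiir.exe cmd.exe
PID 2668 wrote to memory of 1224 2668 akpiir.exe cmd.exe
PID 2668 wrote to memory of 1224 2668 akpiir.exe cmd.exe
"""

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed from the report's process tree: pid -> (image path, command line).
PROCESSES = {
    1580: (TEMP + r"\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe",
           '"' + TEMP + r'\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe"'),
    3160: (TEMP + r"\fyvek.exe", '"' + TEMP + r'\fyvek.exe" hi'),
    2668: (TEMP + r"\akpiir.exe", '"' + TEMP + r'\akpiir.exe" OK'),
    4904: (TEMP + r"\cuitf.exe", '"' + TEMP + r'\cuitf.exe"'),
    1224: (r"C:\Windows\SysWOW64\cmd.exe",
           r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_vslite.bat" "'),
    2700: (r"C:\Windows\SysWOW64\cmd.exe",
           r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_vslite.bat" "'),
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

def parse_spawns(text):
    """Return ({child_pid: parent_pid}, Counter of (parent, child) rows)."""
    parents, counts = {}, Counter()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child = int(m.group(1)), int(m.group(2))
            parents[child] = parent
            counts[(parent, child)] += 1
    return parents, counts

def build_tree(parents):
    """Return (root pids, {parent_pid: [child pids]})."""
    children = defaultdict(list)
    for child, parent in parents.items():
        children[parent].append(child)
    roots = sorted({p for p in parents.values() if p not in parents})
    return roots, children

def render_tree(roots, children, processes):
    """One indented line per process: pid, image name, command line."""
    lines = []

    def walk(pid, depth):
        image, cmdline = processes.get(pid, ("?", "?"))
        name = image.rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {name}  {cmdline}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines

def flag(parents, processes):
    """Triage rules (assumptions, not sandbox signatures); see module docstring."""
    findings = []
    temp = TEMP.lower()
    for pid, (image, cmdline) in processes.items():
        img, cmd = image.lower(), cmdline.lower()
        parent = parents.get(pid)
        if parent in processes:
            pimg = processes[parent][0].lower()
            if pimg.startswith(temp) and img.startswith(temp) and img.endswith(".exe"):
                findings.append((pid, "temp-exe-spawns-temp-exe"))
        if img.endswith("\\cmd.exe") and ".bat" in cmd and temp in cmd:
            findings.append((pid, "cmd-runs-temp-bat"))
        # Image in SysWOW64 while the command line names system32: the
        # parent is a 32-bit process and WoW64 redirected the path.
        if img.startswith("c:\\windows\\syswow64\\") and "\\system32\\" in cmd:
            findings.append((pid, "wow64-redirected-system32"))
    return sorted(findings)

if __name__ == "__main__":
    parents, counts = parse_spawns(WPM_EVENTS)
    roots, children = build_tree(parents)
    print("\n".join(render_tree(roots, children, PROCESSES)))
    for pid, rule in flag(parents, PROCESSES):
        print(f"{pid}: {rule}")
```

Run as-is it prints the six-process tree rooted at PID 1580 and seven findings: three Temp-to-Temp spawns (3160, 2668, 4904) and, for each cmd.exe (1224 and 2700), both the batch-from-Temp rule and the WoW64 redirection rule. The redirection finding is worth noting because it corroborates the arch:x86 resource tag without looking at the PE header.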
MITRE ATT&CK Enterprise v15
Downloads (dropped files)

1. Filesize: 304B
   MD5: 3b8236068121233014439794aa9266b8
   SHA1: 9290db29c7002e622c18495ec00d5bbc7892bf4e
   SHA256: ff82515b2a1ec707d042c9a337fbc92c204edf989e27abdf3fc3a5ec70a7c6a3
   SHA512: f212c3c1e043ffd484030573237fc4f5d7d6bf9bd14ce61c4af5a926c2ffbf403a692413f28aece83009ccac37bab4ea68a74e552b9ed95643238ebe6f84e980

2. Filesize: 224B
   MD5: 47e5baf5db785cf83e2ce6a615b213a6
   SHA1: 6388b6fad8273b5ef442393e39dd5c29dd087833
   SHA256: 83fd0812072932e0f3ddb9a093d60de9e0e686e354ca174847caf6a963600b95
   SHA512: 742711b423cd36042eb8b902db027dfdba5ce7d4c1faabff962a429b59dbad1aff56f825d27b6ba1f2de9f1148b56e6c8867589e3b4a5fa163ba631ec6173360

3. Filesize: 447KB
   MD5: 0e9cc82a0925d85a2b3fa2a7186b01f4
   SHA1: cea10964c080fe84fbfcb5ea12cc163ec14e2073
   SHA256: 4e1142c1e2e33646aa783e6c15ee5024a568851d12b9444735f93ecb75fe6bb8
   SHA512: 4e7c3aaa2fab72b0feadff5103d4b953801f04d5d9cfa4e55f004f0f9dc8277a82f8e9e536fe7d8816f4a67fbde9d5a29cc858c011f53c06678ecd83db26d40b

4. Filesize: 223KB
   MD5: 9b944dfa55de66826becb62a3fb0e513
   SHA1: 8e7fc2d29a0ca4c7e2ef4eb40aa2debab72c8f6f
   SHA256: d0072ec9ebd361eb2b83e40e9b51a836b54d5a7444518352f24b1f189e983b79
   SHA512: 5bd5f4e90cc7481921c16023ca277831ab6df9bf93ec700539c0278624f54b9067eec5f33762289f8be4a75fd3944d3b2c8c4a74905369bc493238f5d22cb17d

5. Filesize: 447KB
   MD5: 565e31ac493717b1ff556fe19870d325
   SHA1: 665f58ed63d2b02957133cf72cd2ba0bf0b67002
   SHA256: 61eec3b2ab0a8e119705972ece979cca9578e3aff99d79b561cd68876da2fbfd
   SHA512: 7598d854b1b011802f02b0c6953c1599f69646eaa75dcfd93fb093883acdf61d070cc739f450520a7c73666f0ee015f5cc000c9f4d1e53ff15937b1ebb1ddbf7

6. Filesize: 512B
   MD5: 7b5d7c98ffd5b742459510575acd232f
   SHA1: 4015c1d168461bbce82f6936766ce22d7431dcfc
   SHA256: 80287ccd965ed6f5f0b52647287dcec9dcd1d843f87d187a42fc48858ae2604b
   SHA512: 1f38dd8793adc1f65aebe7160cbb8eed549399cffdabd696f90227aa5c9e4a3326cc7f267c7b841c0cd1dd32f3479ecc3b879a02383db0fd9dda3073b1057f6a

Note that the two 447KB dropped files (entries 3 and 5) match the submitted sample's size but carry different hashes from it and from each other, so blocking on the parent's hashes alone will not catch the dropped copies.