Analysis
- max time kernel: 149s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-08-2024 15:11
Behavioral task: behavioral1
- Sample: 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe
- Size: 348KB
- MD5: 80f81d74d457c942e265a5853eac035e
- SHA1: bac98bdefce7d0ea78847708c118725efd00bd52
- SHA256: ef61c13c329ad94a3c49ff59a9e16a83fdb7f5b5de7a87731af72ff99d1cb3ae
- SHA512: 25c0271362a96a080104cbfcc415298dff435dba5a985ec355c4d202c8069cf7ddcccc16e883e860339c353592d62f0670548c56959295a9223d34bcfbe813eb
- SSDEEP: 6144:c/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZ1:A0G5obGGraOpUWlpa
Malware Config
- Extracted family: urelas
- Extracted addresses: 218.54.31.226, 218.54.31.165
Signatures
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence. The Nation value under HKCU\Control Panel\International\Geo holds the user's Windows GEOID, so this is a cheap way to decide whether the host is in a targeted country before doing anything else.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation  fujeke.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation  80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation  suozz.exe
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    4176  suozz.exe
    3056  fujeke.exe
    1088  tetou.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. The NLS\Language key holds the machine-wide Default and InstallLanguage LCIDs, so together with the per-user Geo\Nation lookup above the sample has two independent signals for a geofence.
  Processes (description / ioc / process):
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  suozz.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fujeke.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tetou.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process): every one of the 64 IoCs is 1088 tetou.exe, i.e. the last-stage binary repeatedly walks the process list.
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description / pid / process / target process). Each parent-to-child write below is recorded three times in the report, giving 15 IoCs for 5 distinct pairs:
    PID 468 wrote to memory of 4176   468   80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe  suozz.exe
    PID 468 wrote to memory of 3744   468   80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe  cmd.exe
    PID 4176 wrote to memory of 3056  4176  suozz.exe   fujeke.exe
    PID 3056 wrote to memory of 1088  3056  fujeke.exe  tetou.exe
    PID 3056 wrote to memory of 880   3056  fujeke.exe  cmd.exe
Processes (the leading number is the depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe"
   PID: 468
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\suozz.exe (child of PID 468)
      Command line: "C:\Users\Admin\AppData\Local\Temp\suozz.exe"
      PID: 4176
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\fujeke.exe (child of PID 4176)
         Command line: "C:\Users\Admin\AppData\Local\Temp\fujeke.exe" OK
         PID: 3056
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\tetou.exe (child of PID 3056)
            Command line: "C:\Users\Admin\AppData\Local\Temp\tetou.exe"
            PID: 1088
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
         4. C:\Windows\SysWOW64\cmd.exe (child of PID 3056)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
            PID: 880
            - System Location Discovery: System Language Discovery
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 468)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID: 3744
      - System Location Discovery: System Language Discovery

Note on the two cmd.exe entries: the command line names C:\Windows\system32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe. That is WOW64 file-system redirection, which happens when a 32-bit process launches cmd.exe, so the sample and its dropped stages run as 32-bit code on this x64 image. The _vslite.bat run from %TEMP% by both the original sample and fujeke.exe is the usual self-delete or cleanup step in this kind of dropper chain; the batch file's contents are not shown on this page.
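The signature tables above are the raw material for the process tree, and when the report is only available as flattened text it is worth rebuilding that tree mechanically rather than by eye. The following is an added example, not part of the original report and not the sandbox's own code: it parses the WriteProcessMemory rows, the "Executes dropped EXE" row and the extracted configuration exactly as they appear on this page (copied in as constructed inline input), de-duplicates the triplicated write rows, reconstructs the parent/child tree, flags any dropped EXE that no parent wrote into, and keeps only globally routable addresses from the config. The row regexes assume the single-line "PID a wrote to memory of b a name target" layout used here.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: the fifteen "Suspicious use of WriteProcessMemory" rows
# from the report, one row per line, as the sandbox lists them.
WRITE_ROWS = """
PID 468 wrote to memory of 4176 468 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe suozz.exe
PID 468 wrote to memory of 4176 468 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe suozz.exe
PID 468 wrote to memory of 4176 468 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe suozz.exe
PID 468 wrote to memory of 3744 468 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe cmd.exe
PID 468 wrote to memory of 3744 468 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe cmd.exe
PID 468 wrote to memory of 3744 468 80f81d74d457c942e265a5853eac035e_JaffaCakes118.exe cmd.exe
PID 4176 wrote to memory of 3056 4176 suozz.exe fujeke.exe
PID 4176 wrote to memory of 3056 4176 suozz.exe fujeke.exe
PID 4176 wrote to memory of 3056 4176 suozz.exe fujeke.exe
PID 3056 wrote to memory of 1088 3056 fujeke.exe tetou.exe
PID 3056 wrote to memory of 1088 3056 fujeke.exe tetou.exe
PID 3056 wrote to memory of 1088 3056 fujeke.exe tetou.exe
PID 3056 wrote to memory of 880 3056 fujeke.exe cmd.exe
PID 3056 wrote to memory of 880 3056 fujeke.exe cmd.exe
PID 3056 wrote to memory of 880 3056 fujeke.exe cmd.exe
"""

# Constructed input: the "Executes dropped EXE" pid/process row and the
# extracted configuration block, copied from the report.
DROPPED_ROW = "4176 suozz.exe 3056 fujeke.exe 1088 tetou.exe"
CONFIG_BLOCK = "urelas 218.54.31.226 218.54.31.165"

# Assumed row layout: "PID <ppid> wrote to memory of <cpid> <ppid> <parent> <child>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
PID_RE = re.compile(r"(\d+) (\S+\.exe)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_write_edges(text):
    """Distinct (parent_pid, parent_name, child_pid, child_name) edges.
    The sandbox records the same parent->child write several times, so the
    raw rows are de-duplicated while keeping first-seen order."""
    edges = []
    for m in WRITE_RE.finditer(text):
        edge = (int(m.group(1)), m.group(3), int(m.group(2)), m.group(4))
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each parent pid to its children and find the root pid(s): parents
    that never appear as a child. A clean single-sample run has one root."""
    children = defaultdict(list)
    names = {}
    for ppid, pname, cpid, cname in edges:
        children[ppid].append(cpid)
        names[ppid] = pname
        names[cpid] = cname
    child_pids = {cpid for _, _, cpid, _ in edges}
    roots = sorted(p for p in children if p not in child_pids)
    return roots, dict(children), names


def render_tree(edges):
    """Indented 'name (pid)' lines, depth-first, children in first-seen order."""
    roots, children, names = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names[pid]} ({pid})")
        for cpid in children.get(pid, []):
            walk(cpid, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def parse_pid_row(text):
    """Turn a flattened 'pid process pid process ...' row into {pid: name}."""
    return {int(pid): name for pid, name in PID_RE.findall(text)}


def unexplained_dropped_exes(edges, dropped):
    """Dropped EXEs that no parent wrote into. An empty result means every
    dropped stage was launched by a parent that also wrote its memory, which
    is what the tree on this page shows; a non-empty result is worth a look."""
    child_pids = {cpid for _, _, cpid, _ in edges}
    return sorted(pid for pid in dropped if pid not in child_pids)


def public_ips(text):
    """IPv4 literals from a config block, keeping only globally routable ones;
    private or reserved addresses are not usable as C2 and usually mean a
    decoy or a broken extraction."""
    found = []
    for s in IPV4_RE.findall(text):
        if ipaddress.ip_address(s).is_global and s not in found:
            found.append(s)
    return found


if __name__ == "__main__":
    edges = parse_write_edges(WRITE_ROWS)
    print("\n".join(render_tree(edges)))
    print("dropped but never written into:",
          unexplained_dropped_exes(edges, parse_pid_row(DROPPED_ROW)))
    print("routable addresses:", public_ips(CONFIG_BLOCK))
```

Running it reproduces the six-process tree from the Processes section with a single root at PID 468, confirms all three dropped EXEs are accounted for by a WriteProcessMemory parent, and keeps both extracted addresses because they are public.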
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 304B
  MD5: 47f5f200f3e78591ff0c50a873215f2d
  SHA1: 69d23d45e950ffe81c5d2b44fd34cdcbb6dd5e3f
  SHA256: 6645fb979ad2e03f843c3531cb5462bd44860ff6240bff6f61803ed95f002115
  SHA512: aa810d18fa0dc3fbce38cdbf32ed15a7a0e7c8f00592f45d5fc88e88ad2aff1debeceb537e44380d67882d822dc1cb5b4c3bfd132c71680c323a187582dcb8d0
- Filesize: 224B
  MD5: fb1479d45af82b4b3cb8c7fbbd6015b5
  SHA1: 3ba21a80b9593989e3f5d3b3f9af8110044c0a54
  SHA256: b725abe4ba9d633c3cec480899008d1f5ccbf560889362b1fb10b581d38c3466
  SHA512: be40da777ddd4e40a4b2eed3d8d7cd83ce602d4187c95ff2ea862d8b5179fc9a4ba382dbf015a37f9e098d7a90aa298c617b5a017d43137c549a52b9f8a65a78
- Filesize: 512B
  MD5: 0cd8757c09c8ae8f930f4f1f5d2e84cf
  SHA1: f212bfc825adc73a3232f32b19e8186739909c41
  SHA256: 4a69f28cb7f4e5248c9c0b9102c8c3272d78ff48aa115351e4d02a18f3360982
  SHA512: 304f76edebe057104b31980c0d3d53d645ef49875203af1ba3649fc31018a34c99c2f1b1729f9e9fe3db9548933271d8336a9d13f9142563bb4e6001c2962c32
- Filesize: 348KB
  MD5: a8df3c4e074fa1fcac87b4e90cadbb56
  SHA1: b017501aa0e59ff5e9da837c9e75db44b69c13ca
  SHA256: c466c40d1ff9443d4015c36cf795655671d80406ef6b57a662dab42b86926e67
  SHA512: b3f489873b5f7d9e07517ceab21581d80a850ebd5b97c75322811c3114b84e6656378c312f656fc407ca279a0f1eb3d3123e6cef5083fe55ddf125e1a311084f
- Filesize: 115KB
  MD5: c239db2506b3714d6f626743037f6132
  SHA1: 55eb0781bf0bb466bc32de4b657893a0c56e7d72
  SHA256: 28c4bd50cd665c473baa845e3c62bb8fa751c72cf27f66ba91a051b5d801a89e
  SHA512: b0b4c8d389816eeb2887cf94da28134b70887c6546a16ee2d48f2afc862faa45aa320c5eb41664d00201ba64a7673808f6a0ae0ec419d2a68ff7281a58207d3b