Analysis

max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/08/2024, 01:00
Static task: static1
Behavioral task: behavioral1
Sample: 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe
Size: 225KB
MD5: 843af912fff6ee44d7aaf4e9f625f509
SHA1: 7721563ba449f133f2592927d16c5a65da27ed19
SHA256: c22c15b1fa25f120fe98f22241b86daf93addea99e92bdbb2945744b1f584d81
SHA512: e1e4061e5ca54e60c9a4360f3c26aede755c0ed67e6bda998949b4eda894d14411cf65b5a2a08a0a607ce07f3df48639145ad37e3ad2c34de4636aa8efed3c65
SSDEEP: 6144:yNxJdew0qZfYp+cWZaKJ9VaJtPjtixbwSpMel:wJww0UfYpvi/TAPJixUSpM
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\qandr.sys | frame2_276.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
pid | Process
3140 | frame2_276.exe
4448 | liar3.exe

resource | yara_rule
behavioral2/files/0x00080000000234c6-13.dat | upx
behavioral2/memory/4448-17-0x0000000000400000-0x000000000044A000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3832 | 2380 | WerFault.exe | 83
2820 | 3140 | WerFault.exe | 93

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frame2_276.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | liar3.exe

Runs net.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2380 wrote to memory of 3508 | 2380 | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe | 85
PID 2380 wrote to memory of 3508 | 2380 | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe | 85
PID 2380 wrote to memory of 3508 | 2380 | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe | 85
PID 3508 wrote to memory of 2316 | 3508 | net.exe | 88
PID 3508 wrote to memory of 2316 | 3508 | net.exe | 88
PID 3508 wrote to memory of 2316 | 3508 | net.exe | 88
PID 2380 wrote to memory of 3140 | 2380 | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe | 93
PID 2380 wrote to memory of 3140 | 2380 | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe | 93
PID 2380 wrote to memory of 3140 | 2380 | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe | 93
PID 2380 wrote to memory of 4448 | 2380 | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe | 94
PID 2380 wrote to memory of 4448 | 2380 | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe | 94
PID 2380 wrote to memory of 4448 | 2380 | 843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\843af912fff6ee44d7aaf4e9f625f509_JaffaCakes118.exe"
  PID: 2380
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\windows\SysWOW64\net.exe
      Command line: "C:\windows\system32\net.exe" stop wscsvc
      PID: 3508
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop wscsvc
          PID: 2316
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1104
      PID: 3832
      - Program crash

    C:\Users\Admin\AppData\Local\Temp\frame2_276.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\frame2_276.exe"
      PID: 3140
      - Drops file in Drivers directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 312
          PID: 2820
          - Program crash

    C:\Users\Admin\AppData\Local\Temp\liar3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\liar3.exe"
      PID: 4448
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2380 -ip 2380
  PID: 1512

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3140 -ip 3140
  PID: 3232
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 164KB
MD5: 52d914c8fa26ae793b012c68291719f9
SHA1: 71974b58f8de726790b3eadea931a73bf7bad1cd
SHA256: b77333164092b48615c8826ac7694f47819f070f6cc793d62363844a8c49c20f
SHA512: 9ac6801fce8f8b49e15302932dd0198c8c0bf0e5ce7f48899081420ad774781d66d10d341e1c845252179b0caad0568a16f7b83fe109a5165976a2e95d70342e

Filesize: 57KB
MD5: c75a9e75f5dc84b3d4769a29759dabee
SHA1: a792aab93744e9ba579564955bac31a6cbfb6d2e
SHA256: 07f1f51821713642e753d3477f30b15c09a43fde4846a7d79dca16afe9e06c99
SHA512: 36ffa7d59e18d8655dd187488654a77dfbbbb3cbc32328711167afb3d871f319ce5b95cdcdb01a9aaecdf88001ff427a0a2e9f41481bb07070d2dde30614147c