Analysis
-
max time kernel
141s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13-08-2024 21:09
General
-
Target
94bec218a195458cdda123860f623557_JaffaCakes118.exe
-
Size
185KB
-
MD5
94bec218a195458cdda123860f623557
-
SHA1
a81497dedcbd8e50d3fa2464eb9d406fff5b4d53
-
SHA256
c535cd3d3513af88830ba7c1733e59f48731a0aeb66e9affa425594698649a5c
-
SHA512
b54905cb63c0c385fbd6e879ef6c2d85a40fefc4d6a978d93937f3f7ea4c3bdc9a88a8aab57c466740dba6441fe92fe033920e34e69c2f7db5f4fbd31ac034f2
-
SSDEEP
3072:kcPczY9zvkUD2piBhNZAxdJIeQ7hqrw1o98PsMBv3MCmJpwkIIUGzq+:ksc89zrRfKx/8GcsMBvMCmJprUgq
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\94bec218a195458cdda123860f623557_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\94bec218a195458cdda123860f623557_JaffaCakes118.exe"1⤵
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
185KB
MD594bec218a195458cdda123860f623557
SHA1a81497dedcbd8e50d3fa2464eb9d406fff5b4d53
SHA256c535cd3d3513af88830ba7c1733e59f48731a0aeb66e9affa425594698649a5c
SHA512b54905cb63c0c385fbd6e879ef6c2d85a40fefc4d6a978d93937f3f7ea4c3bdc9a88a8aab57c466740dba6441fe92fe033920e34e69c2f7db5f4fbd31ac034f2
-
Filesize
264KB
-
Filesize
228KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
264KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
264KB
-
Filesize
228KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
228KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
264KB