Analysis
max time kernel: 134s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-08-2024 20:02
Static task: static1
Behavioral task: behavioral1
Sample: 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
Size: 108KB
MD5: 9fbdc223fd2933fac5a9bb801f59c6b1
SHA1: fca37e0fa1a54f97d6c02609a49acc291b454cc6
SHA256: 28bc76580c4dccb7ec8fbfe82e6a0f094627556217650dcfcf80a7291a0fceaa
SHA512: dd356c7047fdc1862c8cdae109c4ea234021f9be2520c41075571400e74e38a3775a4afbda7b14f08e608129ecca77325e6ee59b20e67271ed04c9441ca10013
SSDEEP: 3072:pUX+caOwfR3qvW3ouQ/JLfIrjpvQ7qSMf8MfZG:pUX+cy3qvJuoLgKiEM
Malware Config
Extracted
latentbot
insomniaftw.zapto.org
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe, NUKrmnlqb.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | NUKrmnlqb.exe
Executes dropped EXE (2 IoCs)
Processes: NUKrmnlqb.exe, qwrtaw5.exe
pid | Process
3668 | NUKrmnlqb.exe
552 | qwrtaw5.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: qwrtaw5.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\ProgramData\\qwrtaw5.exe" | qwrtaw5.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe, NUKrmnlqb.exe, qwrtaw5.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NUKrmnlqb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qwrtaw5.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: qwrtaw5.exe, NUKrmnlqb.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | qwrtaw5.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | NUKrmnlqb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | NUKrmnlqb.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | qwrtaw5.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: NUKrmnlqb.exe, qwrtaw5.exe
description | pid | Process
Token: SeDebugPrivilege | 3668 | NUKrmnlqb.exe
Token: SeDebugPrivilege | 552 | qwrtaw5.exe
Token: SeDebugPrivilege | 552 | qwrtaw5.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe, NUKrmnlqb.exe
description | pid | Process | procid_target
PID 3296 wrote to memory of 3668 | 3296 | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe | 86
PID 3296 wrote to memory of 3668 | 3296 | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe | 86
PID 3296 wrote to memory of 3668 | 3296 | 9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe | 86
PID 3668 wrote to memory of 552 | 3668 | NUKrmnlqb.exe | 90
PID 3668 wrote to memory of 552 | 3668 | NUKrmnlqb.exe | 90
PID 3668 wrote to memory of 552 | 3668 | NUKrmnlqb.exe | 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9fbdc223fd2933fac5a9bb801f59c6b1_JaffaCakes118.exe"
   PID: 3296
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\NUKrmnlqb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NUKrmnlqb.exe"
      PID: 3668
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\qwrtaw5.exe
         Command line: "C:\ProgramData\qwrtaw5.exe"
         PID: 552
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Checks processor information in registry
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 92KB
MD5: 60c9bb7c8e43d4c826aa2966929c011e
SHA1: 99c2727b79626e03b477c4170fb754dcfe3570ee
SHA256: 5874407a974b12892e668665f0f9c2ceb6fd8ddcf64df6b0649ccde59207c48d
SHA512: eafa7b6a837b54d04cc6f0ecf2326be17dd2a464c3832f1fd0f891178c1f67d1fa36bacf496cee60e64308108420c8c358d01f32b7474b6381122bdbf484366f

Filesize: 34KB
MD5: e118330b4629b12368d91b9df6488be0
SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0