Analysis
max time kernel: 137s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 09:53
Static task: static1
Behavioral task: behavioral1
  Sample: a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe
Size: 996KB
MD5: a6514cdf14bfe0a45c5348e5f605af9f
SHA1: f62fde5330edf97c245f9075cb144cedbf0950ba
SHA256: 8c6865afb5235d0d3b3decff70216a06e9d3b1028fcf38e5984cb76c1b0caa7e
SHA512: 703d2e122990ec1b533c51db4f20f6547d980b980c486d9adf6ab8765a8b6c6f3d96524e082c2a42a94c070d5d597339622d25baa27420f335e9549c33e23043
SSDEEP: 24576:bAhu8R3PZxx7DUFdqgpuPSO/ymEDPqzofxwG+b:8huWR7EdpuHydZpwZ
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                  | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | 123.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | 123.exe
Executes dropped EXE (4 IoCs)
  pid  | Process
  3692 | 123.exe
  2648 | 1Pack.exe
  3152 | 123.exe
  3664 | 1Pack.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
  pid  | pid_target | Process      | procid_target
  3496 | 2648       | WerFault.exe | 85
  1960 | 3664       | WerFault.exe | 91
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1Pack.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 123.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1Pack.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 123.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                      | pid  | Process                                            | procid_target
  PID 3828 wrote to memory of 3692 | 3828 | a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe | 84
  PID 3828 wrote to memory of 3692 | 3828 | a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe | 84
  PID 3828 wrote to memory of 3692 | 3828 | a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe | 84
  PID 3692 wrote to memory of 2648 | 3692 | 123.exe                                            | 85
  PID 3692 wrote to memory of 2648 | 3692 | 123.exe                                            | 85
  PID 3692 wrote to memory of 2648 | 3692 | 123.exe                                            | 85
  PID 3828 wrote to memory of 3152 | 3828 | a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe | 86
  PID 3828 wrote to memory of 3152 | 3828 | a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe | 86
  PID 3828 wrote to memory of 3152 | 3828 | a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe | 86
  PID 3152 wrote to memory of 3664 | 3152 | 123.exe                                            | 91
  PID 3152 wrote to memory of 3664 | 3152 | 123.exe                                            | 91
  PID 3152 wrote to memory of 3664 | 3152 | 123.exe                                            | 91
Processes
C:\Users\Admin\AppData\Local\Temp\a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe (PID 3828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6514cdf14bfe0a45c5348e5f605af9f_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe (PID 3692)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1Pack.exe (PID 2648)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1Pack.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\WerFault.exe (PID 3496)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 624
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe (PID 3152)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1Pack.exe (PID 3664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1Pack.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\WerFault.exe (PID 1960)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 620
        - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 1364)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2648 -ip 2648
C:\Windows\SysWOW64\WerFault.exe (PID 224)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3664 -ip 3664
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 612KB
MD5: e19cfdf3e47185947bd9a9fa76c33329
SHA1: 301ce139bb65d63446f607767b7316244f6a1acd
SHA256: 80296ad5b365a89dd522f43ba3bf868e05eee266860789d373e21a9dab07cddd
SHA512: d454fea68d13d3e51cef740c4186f591a02673fb0b730ff96c0d7ca428e8ddce3b9cf8fae8f9cc6f36c909723e2f9ab008bb3c2264f962d5a9fd05b4e88ed545

Filesize: 1.1MB
MD5: a140868b8ecaba317b635e3a6e055928
SHA1: 19f1a71dc2322c51823571512b039924658b6bd7
SHA256: 5810472eeb63780520f4ac6ec7b497f9f1bd1025f3e7dc7d21f5494d6ab2bb3e
SHA512: 34314623f3e45bbe7bd3c61f72fa2f45e8c4e41520e62bfbcb5a9872af75db941d2fb42aa7ef112f2fbc533de7c637d1f232151199d7e8e3232ee345d541b9bc