Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/08/2024, 02:12
Static task: static1
Behavioral task: behavioral1
Sample: a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
Size: 3.0MB
MD5: a92d36a3089f706e9c466515084fe90e
SHA1: b5c00d2e955a312bdc833f318b9ecee9cf870c94
SHA256: 14ae12f77fb541c97c88669bce1480933b4b0dec5527f5b5a89ddcae9dafa4dd
SHA512: 06ff7da6b333845a90db5a8941b67f94d3b3ad52c058c0964954ff2f804dfd4bf79d1a3af61b6e1ad7864a0aae9c1a2882c87369e8b70cc964793e06375e0ce2
SSDEEP: 49152:LN3V9aXvNPd5AGvWpUh1kDYUJzdbWUOMPrJJ3ACY+XODEDd2LzSx+iW0GkAtaPPq:LN3uXvNPoGvW2mLlhPDQpD+WBiHbtna
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
pid | Process
4388 | irsetup.exe
812 | hexdump.exe

resource | yara_rule
behavioral2/files/0x00090000000234b1-4.dat | upx
behavioral2/memory/4388-10-0x0000000000400000-0x000000000057F000-memory.dmp | upx
behavioral2/memory/4388-77-0x0000000000400000-0x000000000057F000-memory.dmp | upx
behavioral2/memory/4388-85-0x0000000000400000-0x000000000057F000-memory.dmp | upx

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\Instaler Setup Log.txt | irsetup.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irsetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hexdump.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
4388 | irsetup.exe
4388 | irsetup.exe
4388 | irsetup.exe
812 | hexdump.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4752 wrote to memory of 4388 | 4752 | a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe | 85
PID 4752 wrote to memory of 4388 | 4752 | a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe | 85
PID 4752 wrote to memory of 4388 | 4752 | a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe | 85
PID 4388 wrote to memory of 556 | 4388 | irsetup.exe | 89
PID 4388 wrote to memory of 556 | 4388 | irsetup.exe | 89
PID 4388 wrote to memory of 556 | 4388 | irsetup.exe | 89
PID 556 wrote to memory of 812 | 556 | cmd.exe | 91
PID 556 wrote to memory of 812 | 556 | cmd.exe | 91
PID 556 wrote to memory of 812 | 556 | cmd.exe | 91
Processes

1. C:\Users\Admin\AppData\Local\Temp\a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4752

   2. C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:658978 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-355097885-2402257403-2971294179-1000"
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4388

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\hexdump.bat" "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0" "C:\Users\Admin\AppData\Local\Temp\a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\""
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 556

         4. C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\hexdump.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0"\hexdump.exe "C:\Users\Admin\AppData\Local\Temp\a92d36a3089f706e9c466515084fe90e_JaffaCakes118.exe" /skip:$000000050 /keep:50 /bare
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID: 812
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 45KB
MD5: b45bc7f3deae68927f3034ec9fd38144
SHA1: ddbc918b49c70066724f1a7a7f7b891f72a630f9
SHA256: 59101e77efff53b706a95d150dae0088ac0a8775a65aa7fd22b4d64f680fc872
SHA512: 24239c9676c25a179e0c7fae70a6771401ef2a8259128ac87f26941fe192f7be1fe315abe3b484da0bd8885317636531eb3178d0d6911bebabb2e08d3022abc5

Filesize: 1KB
MD5: 0b43abca28b1f104245ac4497ffebe5f
SHA1: bf81a1e57ca6e864dc954a095dadf2cfd5a4b4bf
SHA256: 2ccbb0ce8c2d0dfc2d4b593e5c6d27fd622403f4312fde10d28c4f0ca54228bb
SHA512: 656b22d33dde7b8cf0f7129a9b097ac8d6705177d0cdd0e74ce094043e0664bf450ca01d39d6ab7c8feeae4d7f12d1b9fb026260d4407301cec8e7db8d0ea947

Filesize: 290B
MD5: 2f38cde71387c08ca700297623dfa577
SHA1: 9bbdcb8e4dc95a61d08e88cc5037967d11e0afc5
SHA256: 87dd3c5b4c2f2fc74f6bb8ec1c86e3fb4b10bb0c114fa2b066c6c906e7d84d3d
SHA512: c07a83a186043179c3ed2a7af3696726ca5f809143f7e1ab32c745a8237e594539a5f13748e5f04acb31e12edea3dcc68901940d9246753a09329ce37b24955f

Filesize: 61B
MD5: d56597794e2c7690ed7bbc69218a435d
SHA1: 8248c1e2631ab4e7ca27ef74fe68f122d757347c
SHA256: f616bcf0ec69272620f36e6a452f532137ea6f6df739ac8257a8d17b1953daca
SHA512: ebffd59d9bc53f6712e369fe18d19c0c1559fe00520c6a39a8ceffb4fa65f5d551b01a62441678e98c2420101f80a83964ed108a8759b330c4d4134ab05ad364

Filesize: 69KB
MD5: cb6542d26e1c9c8e19db12a7872fb0ea
SHA1: f21855bc5b07f9e810a8a20ebe04acea53876a7e
SHA256: ebe674c69bafc75f1de1d35913f22a275a4b411aa7c661be44fabd8042e3fbb4
SHA512: fa5af0772b4632a1418b6bde2df6a88a12cd7886b89f8ac94a88700ea4d08c8109bd3144923c7e94a69b934dcaa63f4ffd0416d3905402ed0c8ace542aab862e

Filesize: 563KB
MD5: 76da2c7c124183acf74251db2a336a79
SHA1: e3af0b141c37fe8db95397970aac0f9545e8b45a
SHA256: 77a0ee56b68c5524c79201bc045aed9c212a90f4f28d5f08a8c15507df94aad0
SHA512: b160aa92810da8dc71cfffcc5ee0eeaf3058dcd39a0b1c0f02fd03436d011d9f50b46c0bea984cf3ee732162601e3a140b408655c647ff00654fa59d8fb2a8e4