Analysis
- max time kernel: 144s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-08-2024 06:08
Static task: static1
Behavioral task: behavioral1
- Sample: baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
- Size: 334KB
- MD5: baa604dc86589ef7c5ce47722e4c1900
- SHA1: 2c341c7f92aae1e659eb407ceb629ea94d3573e5
- SHA256: cfa38f8a3c4cea8f6a0004dfceeaae1fd3c8ad155724f5869f8b67f96796df60
- SHA512: 40ae631b8124a24f8004c93da09969c861e6a79f6fec345ab99556e9fd69977112236240b21e2ff4e6c3a88e5b0c80f031a9504ba3fde408fa9cb6fab2a7e924
- SSDEEP: 6144:KZuuObR8sVImcyYOY2Jy+bu8a5n5TQL5rqrOxxbxtK7SU1uGxHkcv8pcqBJ:ZV+mzxggVa5nUBqraFLGSwuqkcvIJ
Malware Config
Signatures
- Detects Andromeda payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4176-24-0x0000000000FD0000-0x0000000000FD5000-memory.dmp | family_andromeda
  behavioral2/memory/4176-28-0x0000000000FD0000-0x0000000000FD5000-memory.dmp | family_andromeda
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\23417 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mseqqui.com" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4656 | tuk.exe
  3536 | bot_0.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | bot_0.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | bot_0.exe
- Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\PROGRA~3\LOCALS~1\Temp\mseqqui.com | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tuk.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bot_0.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2092 | PING.EXE
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  2092 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3536 | bot_0.exe
  3536 | bot_0.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  3536 | bot_0.exe
  3536 | bot_0.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 852 wrote to memory of 5104 | 852 | baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe | 85
  PID 852 wrote to memory of 5104 | 852 | baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe | 85
  PID 852 wrote to memory of 5104 | 852 | baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe | 85
  PID 5104 wrote to memory of 4656 | 5104 | cmd.exe | 88
  PID 5104 wrote to memory of 4656 | 5104 | cmd.exe | 88
  PID 5104 wrote to memory of 4656 | 5104 | cmd.exe | 88
  PID 5104 wrote to memory of 2092 | 5104 | cmd.exe | 89
  PID 5104 wrote to memory of 2092 | 5104 | cmd.exe | 89
  PID 5104 wrote to memory of 2092 | 5104 | cmd.exe | 89
  PID 5104 wrote to memory of 3536 | 5104 | cmd.exe | 96
  PID 5104 wrote to memory of 3536 | 5104 | cmd.exe | 96
  PID 5104 wrote to memory of 3536 | 5104 | cmd.exe | 96
  PID 3536 wrote to memory of 4176 | 3536 | bot_0.exe | 97
  PID 3536 wrote to memory of 4176 | 3536 | bot_0.exe | 97
  PID 3536 wrote to memory of 4176 | 3536 | bot_0.exe | 97
Processes
- C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\baa604dc86589ef7c5ce47722e4c1900_JaffaCakes118.exe"
  PID: 852
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sar3.bat" "
    PID: 5104
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tuk.exe
      Command line: tuk.exe
      PID: 4656
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping microsoft.com
      PID: 2092
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\bot_0.exe
      Command line: bot_0.exe
      PID: 3536
      - Executes dropped EXE
      - Maps connected drives based on registry
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\syswow64\svchost.exe
        PID: 4176
        - Adds policy Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads