Analysis

max time kernel: 135s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 07:04
Static task: static1

Behavioral task: behavioral1
Sample: c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General

Target: c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe
Size: 912KB
MD5: c034385d3bce2dbfaa6fae6fdb01acf8
SHA1: 43bbe43caa92eb6bb65e4e3fa47e009544f5a9ab
SHA256: f7fd924769734f2896f2f66dd9a637ac59b61183c2a1f2e35c45a2406cff3eaa
SHA512: 13e7a39b7ae488e7e1eefad577ec497e4a4d7b634f78bc25d2c5fd3be09c8b019662f2d0f838d593e80e31a8dc9393c04c72c7fa3d51062a442d17678bf946c8
SSDEEP: 24576:Y5zG2TlMnq9ClXXmF9/2vf3IXwLuIjyKWEgX52O:H2TlMhXzv+CsKWEQ
Malware Config

Signatures
Manipulates Digital Signatures (1 TTPs, 1 IoCs)
Attackers can apply techniques such as changing Authenticode and cryptography registry keys so that their binary is accepted as validly signed.

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "146944" | WitqCBLnVawzC.exe
Drops file in Program Files directory (1 IoCs)

description | ioc | Process
File created | C:\PROGRA~3\WitqCBLnVawzC | WitqCBLnVawzC.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WitqCBLnVawzC.exe

Modifies Internet Explorer settings

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" | WitqCBLnVawzC.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main | WitqCBLnVawzC.exe
Suspicious behavior: RenamesItself (1 IoCs)

pid | Process
4376 | c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (1 IoCs)

pid | Process
4584 | WitqCBLnVawzC.exe

Suspicious use of SendNotifyMessage (1 IoCs)

pid | Process
4584 | WitqCBLnVawzC.exe

Suspicious use of SetWindowsHookEx (9 IoCs)

pid | Process
4376 | c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe
4584 | WitqCBLnVawzC.exe
4584 | WitqCBLnVawzC.exe
4584 | WitqCBLnVawzC.exe
4584 | WitqCBLnVawzC.exe
4584 | WitqCBLnVawzC.exe
4584 | WitqCBLnVawzC.exe
4584 | WitqCBLnVawzC.exe
4584 | WitqCBLnVawzC.exe

Suspicious use of WriteProcessMemory (3 IoCs)

description | pid | Process | procid_target
PID 4376 wrote to memory of 4584 | 4376 | c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe | 87
PID 4376 wrote to memory of 4584 | 4376 | c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe | 87
PID 4376 wrote to memory of 4584 | 4376 | c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe | 87
Processes

1. C:\Users\Admin\AppData\Local\Temp\c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c034385d3bce2dbfaa6fae6fdb01acf8_JaffaCakes118.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4376

   2. C:\PROGRA~3\WitqCBLnVawzC.exe
      Command line: C:\PROGRA~3\WitqCBLnVawzC.exe
      - Manipulates Digital Signatures
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID: 4584