Analysis
max time kernel: 84s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 09:35
Static task: static1
Behavioral task: behavioral1
  Sample: c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral3
  Sample: $_3_.exe
  Resource: win7-20240708-en
Behavioral task: behavioral4
  Sample: $_3_.exe
  Resource: win10v2004-20240802-en
The results on this page are from behavioral2, the win10v2004-20240802-en run of the submitted file (see platform and resource above).
General
Target: c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
Size: 967KB
MD5: c07392e48322e4efde24d759d27262f5
SHA1: b1c17d7a9ee01164f79aefbab2d9d792648136b1
SHA256: 517dc10df7fda0b7334a76c8e34d638562f32f724e45f8f8e91f7729c6c41f2a
SHA512: 9ae4e28ea9554801dbfb3ecc15e54c77bf085bc266338993939dcff797702747ab6b7c3a035bdcd145209d2cbf190f513ea07f175160c2d7127e9ddd9d306e16
SSDEEP: 24576:5tXCT35bEN60Yc/rMegvH6RK1aeGokgwH8:5KBtV6MjvH6RIrDC8
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation
  Process: internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  PID 936: internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: PING.EXE
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cmd.exe
Caveat: this signature fires for every process in the tree that touches the locale keys, including the Windows binaries cmd.exe and PING.EXE, so on its own it carries little weight; the Geo\Nation query by the dropped executable (above) is the more specific geofencing indicator.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  PID 3892: PING.EXE
Caveat: the ping target in this run is 127.0.0.1 with -n 1 -w 1000 (see the process tree below). That is the batch-file delay idiom, not a connectivity check, so this signature is a false positive here.
Runs ping.exe (1 TTP, 1 IoC)
  PID 3892: PING.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 936: internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  PID 936: internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 936: internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  PID 936: internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  PID 936: internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4496 wrote to memory of 936 | 4496 | c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | 85  (logged three times)
  PID 936 wrote to memory of 1316 | 936 | internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe | 93  (logged three times)
  PID 1316 wrote to memory of 3892 | 1316 | cmd.exe | 95  (logged three times)
Caveat: the three distinct rows are exactly the three parent-to-child spawns in the process tree below. A parent writing into the address space of a child it has just created is also what a benign launcher does, so these rows establish the process lineage rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe (PID 4496)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe (PID 936)
      Command line: C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nscBE22.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nscBE22.tmp/fallbackfiles/'
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 1316)
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\789.bat" "C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\""
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE (PID 3892)
            Command line: ping 127.0.0.1 -n 1 -w 1000
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
Note: the command line asks for C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, so the dropped executable and everything beneath it are 32-bit processes under WOW64 file-system redirection. The chain is: submitted file, dropped second stage in nscBE22.tmp with the original passed as /baseInstaller, a batch script 789.bat run against the A8A835AC0247414D92C96EC2E92CE1E0 directory, and a one-second loopback ping used as a delay.
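The process tree above can be rebuilt mechanically from the WriteProcessMemory rows, and the command lines can be triaged with a few rules that encode the caveats noted in the Signatures section. The script below is an added example written for this page; it is not sandbox output and not code from the sample. Its input records are transcribed from the Signatures and Processes sections, the rule names (loopback-ping-delay, temp-batch-script, nsis-plugin-dir-exec) are labels chosen here, and the ns?XXXX.tmp pattern is the naming convention of the NSIS installer plugin directory, an inference from the path rather than something the report states.

```python
"""Rebuild the sandbox process tree from the report's WriteProcessMemory rows and
triage each command line. Added example for this page; not sandbox output and not
code from the sample. All input records below are transcribed from the report."""
import re

# The nine "description" cells of the WriteProcessMemory signature, verbatim.
WPM_ROWS = [
    "PID 4496 wrote to memory of 936", "PID 4496 wrote to memory of 936", "PID 4496 wrote to memory of 936",
    "PID 936 wrote to memory of 1316", "PID 936 wrote to memory of 1316", "PID 936 wrote to memory of 1316",
    "PID 1316 wrote to memory of 3892", "PID 1316 wrote to memory of 3892", "PID 1316 wrote to memory of 3892",
]

# pid -> command line, from the Processes section of the report.
CMDLINES = {
    4496: r'"C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"',
    936: (r"C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe "
          r"C:/Users/Admin/AppData/Local/Temp/nscBE22.tmp "
          r"/baseInstaller='C:/Users/Admin/AppData/Local/Temp/c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe' "
          r"/fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nscBE22.tmp/fallbackfiles/'"),
    1316: (r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\789.bat" '
           r'"C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\""'),
    3892: "ping 127.0.0.1 -n 1 -w 1000",
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# (label, pattern, why it matters). Labels are this example's own, not the sandbox's.
RULES = [
    ("loopback-ping-delay",
     re.compile(r"^\s*(?:\S*\\)?ping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost)\b.*\s-n\s+\d+", re.I),
     "ping against loopback with -n/-w is the batch-file sleep idiom, not connectivity discovery"),
    ("temp-batch-script",
     re.compile(r'cmd(?:\.exe)?\s+/c\s+.*\\AppData\\Local\\Temp\\[^\s"]+\.bat\b', re.I),
     "cmd.exe runs a .bat staged in the user's Temp directory"),
    ("nsis-plugin-dir-exec",
     re.compile(r'\\Temp\\ns[a-z][0-9a-f]{4}\.tmp\\[^\s"]+\.exe\b', re.I),
     "executable launched from an ns?XXXX.tmp directory, the NSIS plugin-directory naming pattern (inference)"),
]


def parse_wpm_edges(rows):
    """Return {child_pid: parent_pid}. The report logs each spawn three times, so
    duplicates collapse; a child with two different writers is an error worth seeing."""
    edges = {}
    for row in rows:
        m = WPM_RE.fullmatch(row.strip())
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        parent, child = int(m.group(1)), int(m.group(2))
        if edges.setdefault(child, parent) != parent:
            raise ValueError(f"pid {child} written by both {edges[child]} and {parent}")
    return edges


def build_tree(edges, cmdlines):
    """Return ({pid: [child pids]}, [root pids]); roots are processes nobody wrote into."""
    children = {pid: [] for pid in cmdlines}
    for child, parent in edges.items():
        children.setdefault(parent, []).append(child)
    roots = sorted(pid for pid in cmdlines if pid not in edges)
    return children, roots


def triage(cmdline):
    """Labels of every rule whose pattern matches the command line."""
    return [label for label, rx, _ in RULES if rx.search(cmdline)]


def render(cmdlines, edges):
    """Indented tree, one line per process, with rule labels appended where they fire."""
    children, roots = build_tree(edges, cmdlines)
    lines = []

    def walk(pid, depth):
        tags = triage(cmdlines.get(pid, ""))
        suffix = f"  <- {', '.join(tags)}" if tags else ""
        lines.append("  " * depth + f"[{pid}] {cmdlines.get(pid, '?')[:60]}{suffix}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(CMDLINES, parse_wpm_edges(WPM_ROWS))))
    for label, _, why in RULES:
        print(f"{label}: {why}")
```

Run stand-alone it prints the four-process chain with 936 tagged nsis-plugin-dir-exec, 1316 tagged temp-batch-script and 3892 tagged loopback-ping-delay; the first stage gets no tag. The dedupe-with-conflict-check in parse_wpm_edges is deliberate: a second writer for the same child would indicate cross-process writes that are not plain parent-child spawns, which is exactly the case the WriteProcessMemory signature is meant to catch and this report does not show.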
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path shown)
  Filesize: 214B
  MD5: 739fcc7ba42b209fe44bea47e7a8c48f
  SHA1: bc7a448a7c018133edcf012bc94301623eb42c5b
  SHA256: 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c
  SHA512: 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a
- C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\A8A835AC0247414D92C96EC2E92CE1E0_LogFile.txt
  Filesize: 9KB
  MD5: 833860e26b3f534723d959ea629b6bc8
  SHA1: 694111dc04e95081722cfe2e997db698051793e5
  SHA256: 4a5b2f001c920a5e04e242860391df15f6e78fd4d0b3d2a5f419a4d1636805c4
  SHA512: 6aa92e450d4517ceb3b03a2c321cd300d713109a8e9587348e5059363691058cb05c793b8dc2be7187329dee4c1d3a50ca61f0a8a61746896d70540092bcf50f
- (no path shown)
  Filesize: 124KB
  MD5: 0bad3d097a9fad0fc4281cf3ae1e1f3d
  SHA1: 1c0cd92bd5ca94fdd96b9bb8796bc5c663b49686
  SHA256: 0720ac35aad0076731a380aac1ed36552f74727368398dc50a5cc8021354841d
  SHA512: 0da321014b0805335f82e8c351ce4a132066ac641091245f9a5a60b899bff538bd0aab0a0f7820c51838c3b97a21346f256a0560c0d56c4df2396853a3ddb4e7
- C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
  Filesize: 1.8MB
  MD5: 77bfacca17ee1d89833b57f3a746d9a0
  SHA1: aa9490c913489c5eafd02f67f875efcb56d23036
  SHA256: 38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
  SHA512: 21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f
- C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_icon.ico
  Filesize: 11KB
  MD5: 592abe695d3fb84c8a7589b0d2553a97
  SHA1: d70d6de6fa25ca1924bd02b84075ee94f3870133
  SHA256: ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0
  SHA512: a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978
- C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_splash.png
  Filesize: 136KB
  MD5: 0a8589de904eec91522c276d896216c4
  SHA1: 58ba5e9158c3afa3c3112fe1e24567996794c07e
  SHA256: 496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55
  SHA512: bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd