Analysis

max time kernel: 140s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 09:35
Static task: static1

Behavioral task: behavioral1
Sample: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General

Target: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
Size: 1.6MB
MD5: c073afd8de644949c2c3598230216a66
SHA1: c057eb3365f7be929ffbaa6ffd29a58cea83b9f4
SHA256: c6715ca98de9cdaf9e83c8b51d9e64ddbb17fdfb792dca1e8d5d90c167e8204d
SHA512: 346143dc5c765cda704370dfa5ac67ac40f573f8e51f294bcb1a060042af79dc639abf31d4bae1b129c5a97398a6be798ea01b6dcd79b83a827fc0c6c63952ae
SSDEEP: 49152:BZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9I:BGIjR1Oh0T0
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (process: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: PING.EXE)
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  PID 1676: PING.EXE

Runs ping.exe (1 TTP, 1 IoC)
  PID 1676: PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3292: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
  PID 3292: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 3292: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
  PID 3292: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
  PID 3292: c073afd8de644949c2c3598230216a66_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3292 wrote to memory of 3540 (pid 3292, process c073afd8de644949c2c3598230216a66_JaffaCakes118.exe, procid_target 92)
  PID 3292 wrote to memory of 3540 (pid 3292, process c073afd8de644949c2c3598230216a66_JaffaCakes118.exe, procid_target 92)
  PID 3292 wrote to memory of 3540 (pid 3292, process c073afd8de644949c2c3598230216a66_JaffaCakes118.exe, procid_target 92)
  PID 3540 wrote to memory of 1676 (pid 3540, process cmd.exe, procid_target 94)
  PID 3540 wrote to memory of 1676 (pid 3540, process cmd.exe, procid_target 94)
  PID 3540 wrote to memory of 1676 (pid 3540, process cmd.exe, procid_target 94)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe"
  PID: 3292
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24436.bat" "C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\""
    PID: 3540
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      PID: 1676
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 212B
MD5: 668767f1e0c7ff2b3960447e259e9f00
SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

File 2: C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B2517D336446EA6E60634CA52CA0E_LogFile.txt
Filesize: 10KB
MD5: 82902efa5f6150b52a85cf3bbdf1571a
SHA1: 6a001febc1a27a38180f8379447ef48b87b5a51f
SHA256: 1b63b6faf31df104a1d46a542bba5f9ac1364017470805afb3cfad52ac898b30
SHA512: 5e4c5b5ab82fb96699129c95b2d709ccc4a58b14f6acc52afbeedd099d558591fba269c2316da63ae2ee2173b9f674624ed89c48473202d524f6dd8ad2dd2631

File 3: C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B2517D336446EA6E60634CA52CA0E_LogFile.txt
Filesize: 2KB
MD5: c0e2005d15ca85b8b0032b5939cc5655
SHA1: 953ef2d872ffd164142665d3e076d0a55127ef3f
SHA256: 17367c28e010e828dc6aa1abf73d86136e0b2e33ce886f09365e950955a98ce3
SHA512: 69642555cbea5de86d600bab7b63b0b0e92fbacf8e986711a4b2004c2696912fc15d149c7c9d011b46ae3e3aba4852d9b791c07fb1f76b9c9c685aeb78a43e74

File 4
Filesize: 113KB
MD5: 1c84506eaaf182f37aae28bee14594f5
SHA1: 03f50088d9649b61ba4bdb9de5bad45847fd1ce1
SHA256: 4c074f3139d82b90a8235e788179e528b0fc636e1d04c3494976ecc6b01168fc
SHA512: bf619e79adf529c77d34926af6fd9349aba81c4e25890ceba58599175fb9987b44e04c6acc5f8227467a0c95e662f458fa4b6a36351ce9e05a0a1d59ec485bad