Analysis
max time kernel: 135s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-08-2024 18:58
Static task: static1
Behavioral task: behavioral1
  Sample: c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
Size: 170KB
MD5: c58a6b85fd1ecf61086b52f3a3794a1f
SHA1: ab2fcc8ed5ee1d7efdfc808a8caaf54fae5b8f5f
SHA256: a96551184842a79eba81afb733e1f2807f7e9fa286c90a183e0ab7e2805b6b97
SHA512: 7693dca5c4378b2ac57fd5e71551ca7ac740c6192f364c1a2ae987bb4b8591d3167b9a79be8f7023525c3e2335d78286331a096a70946881a301065ce69486ba
SSDEEP: 3072:TyyL6e5KJOUM8GXLimIolLU+tzjYvOafr2x6ZSdp/s6LIxU:TrWe8oiGnVYdfeZU21
Malware Config
Extracted: tofsee
64.20.54.234
rgtryhbgddtyh.biz
wertdghbyrukl.ch
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
3604 | lgxdta.exe
1088 | lgxdta.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\lgxdta.exe\" /r" | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 3956 set thread context of 2408 | 3956 | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
PID 3604 set thread context of 1088 | 3604 | lgxdta.exe | lgxdta.exe
PID 1088 set thread context of 3064 | 1088 | lgxdta.exe | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
2792 | 3064 | WerFault.exe | svchost.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lgxdta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lgxdta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious use of UnmapMainImage (1 IoC)
Processes:
pid | process
3956 | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
description | pid | process | target process | count (identical rows)
PID 3956 wrote to memory of 2408 | 3956 | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe | 8
PID 2408 wrote to memory of 3604 | 2408 | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe | lgxdta.exe | 3
PID 3604 wrote to memory of 1088 | 3604 | lgxdta.exe | lgxdta.exe | 8
PID 1088 wrote to memory of 3064 | 1088 | lgxdta.exe | svchost.exe | 5
PID 2408 wrote to memory of 1768 | 2408 | c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe | cmd.exe | 3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID: 3956
  [2] C:\Users\Admin\AppData\Local\Temp\c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\c58a6b85fd1ecf61086b52f3a3794a1f_JaffaCakes118.exe"
      - Checks computer location settings
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2408
    [3] C:\Users\Admin\lgxdta.exe
        cmdline: "C:\Users\Admin\lgxdta.exe" /r
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3604
      [4] C:\Users\Admin\lgxdta.exe
          cmdline: "C:\Users\Admin\lgxdta.exe" /r
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1088
        [5] C:\Windows\SysWOW64\svchost.exe
            cmdline: svchost.exe
            - System Location Discovery: System Language Discovery
            PID: 3064
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 320
              - Program crash
              PID: 2792
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1306.bat" "
        - System Location Discovery: System Language Discovery
        PID: 1768
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3064 -ip 3064
    PID: 3068
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 117B
MD5: a25a0f78cb3d73ef5c90e05882c493ee
SHA1: 42561ddfcdc4a96c6e70cdd23a05e9a69ad44a5d
SHA256: 2e17919ff27dd4793124cfad08c1f31db7f664339a2ba6d17fda22dad67f59eb
SHA512: 395364e9bc052eac8828e33b79acec1c2ee9e47ebaa599d021269dd0b41007976da531e9922e7fb60a156b5e1547f3c501fc0c2f48dcaa7f6c1da95c899591a3

Filesize: 170KB
MD5: c58a6b85fd1ecf61086b52f3a3794a1f
SHA1: ab2fcc8ed5ee1d7efdfc808a8caaf54fae5b8f5f
SHA256: a96551184842a79eba81afb733e1f2807f7e9fa286c90a183e0ab7e2805b6b97
SHA512: 7693dca5c4378b2ac57fd5e71551ca7ac740c6192f364c1a2ae987bb4b8591d3167b9a79be8f7023525c3e2335d78286331a096a70946881a301065ce69486ba