Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-08-2024 11:34
Behavioral task
- behavioral1
- Sample: c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
- Size: 108KB
- MD5: c8bd995346f61308e200199c7e041b3c
- SHA1: 46a39c9425bff794916493459f8bffd9e6915af4
- SHA256: 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f
- SHA512: 9f820d527a5b05d8003d3350ef2428f6d956ec63b42f3d9097df9989f1d1a219841ebe4959eb75c7cc3ab9e36dbebab0e32d9cfc49c114bfc2d7a30373124755
- SSDEEP: 3072:FCrRG9LgWHyMp6awrpEoNLna7TpP7N5LtgxH:FCrskJaYvn+PdgB
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | relatedwhole.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | relatedwhole.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | relatedwhole.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | relatedwhole.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | relatedwhole.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | relatedwhole.exe
- Modifies data under HKEY_USERS (3 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | relatedwhole.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | relatedwhole.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | relatedwhole.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process):
  - 3848 | relatedwhole.exe (14 identical entries)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid | process):
  - 4912 | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  - PID 4228 wrote to memory of 4912 | 4228 | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe | c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe (3 identical entries)
  - PID 3916 wrote to memory of 3848 | 3916 | relatedwhole.exe | relatedwhole.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe"
  PID: 4228
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c8bd995346f61308e200199c7e041b3c_JaffaCakes118.exe (depth 2, child of PID 4228)
    Command line: --1a5a73cf
    PID: 4912
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\relatedwhole.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\relatedwhole.exe"
  PID: 3916
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\relatedwhole.exe (depth 2, child of PID 3916)
    Command line: --45cf80fe
    PID: 3848
    Signatures:
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses