Analysis

max time kernel: 150s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2024 05:59

Static task: static1
Behavioral task: behavioral1
Sample: d13b1594bf3131439960679847deafd5_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: d13b1594bf3131439960679847deafd5_JaffaCakes118.exe
Size: 695KB
MD5: d13b1594bf3131439960679847deafd5
SHA1: ade9dfd09c222d4c44c7a1580a2e6fa8ff7f4752
SHA256: fbdf8d3c34804ee8b85c721e9ab297d7a4f83a7c24c16d602820d40b6f7896e3
SHA512: 00541f6ff42ea82edad8da937ce58b169556fdbf3c0dce23fff8902ab0aaca8654106f9b22f3ee9af0884aeb90f249cc82650f546382c2f2e966869622832f63
SSDEEP: 12288:vYQzgc7nLXYQzgc7sjjkArEN249AyE/rbaMct4bO2/VMvfUwe7ctr:vfgc7nLXfgc7soFE//Tct4bOsCfk7cN
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (process: d13b1594bf3131439960679847deafd5_JaffaCakes118.exe)
Executes dropped EXE (3 IoCs)
- PID 2656: UpDatego.exe
- PID 4052: IDM Crack For Life.exe
- PID 4984: UpDatego.exe

Resources matching yara rule upx (19 entries):
- behavioral2/files/0x000a000000023427-33.dat
- behavioral2/memory/4052-45-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4984-58-0x0000000010000000-0x000000001004B000-memory.dmp
- behavioral2/memory/4984-60-0x0000000010000000-0x000000001004B000-memory.dmp
- behavioral2/memory/4984-59-0x0000000010000000-0x000000001004B000-memory.dmp
- behavioral2/memory/4052-65-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-66-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-67-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-68-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-69-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-70-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-71-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-72-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-73-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-74-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-75-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-76-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-77-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-79-0x0000000000400000-0x00000000004D5000-memory.dmp
AutoIT Executable (14 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/4052-65-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-66-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-67-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-68-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-69-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-70-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-71-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-72-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-73-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-74-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-75-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-76-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-77-0x0000000000400000-0x00000000004D5000-memory.dmp
- behavioral2/memory/4052-79-0x0000000000400000-0x00000000004D5000-memory.dmp
Suspicious use of SetThreadContext (2 IoCs)
- PID 1672 set thread context of 2272 (d13b1594bf3131439960679847deafd5_JaffaCakes118.exe, target procid 86)
- PID 2656 set thread context of 4984 (UpDatego.exe, target procid 89)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
- PID 2300 (WerFault.exe) handled a crash of target PID 4984 (target procid 89)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: UpDatego.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IDM Crack For Life.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d13b1594bf3131439960679847deafd5_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d13b1594bf3131439960679847deafd5_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4052: IDM Crack For Life.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4052: IDM Crack For Life.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 4052: IDM Crack For Life.exe (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
- PID 4052: IDM Crack For Life.exe (64 identical entries)
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 1672: d13b1594bf3131439960679847deafd5_JaffaCakes118.exe
- PID 2272: d13b1594bf3131439960679847deafd5_JaffaCakes118.exe
- PID 2656: UpDatego.exe
Suspicious use of WriteProcessMemory (22 IoCs)
- PID 1672 wrote to memory of 2272 (d13b1594bf3131439960679847deafd5_JaffaCakes118.exe, target procid 86), 8 entries
- PID 2272 wrote to memory of 2656 (d13b1594bf3131439960679847deafd5_JaffaCakes118.exe, target procid 87), 3 entries
- PID 2272 wrote to memory of 4052 (d13b1594bf3131439960679847deafd5_JaffaCakes118.exe, target procid 88), 3 entries
- PID 2656 wrote to memory of 4984 (UpDatego.exe, target procid 89), 8 entries
Processes

- C:\Users\Admin\AppData\Local\Temp\d13b1594bf3131439960679847deafd5_JaffaCakes118.exe (PID 1672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d13b1594bf3131439960679847deafd5_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\d13b1594bf3131439960679847deafd5_JaffaCakes118.exe (PID 2272, child of 1672)
    Command line: C:\Users\Admin\AppData\Local\Temp\d13b1594bf3131439960679847deafd5_JaffaCakes118.exe
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\UpDatego.exe (PID 2656, child of 2272)
      Command line: "C:\Users\Admin\AppData\Local\Temp\UpDatego.exe" 0
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\UpDatego.exe (PID 4984, child of 2656)
        Command line: C:\Users\Admin\AppData\Local\Temp\UpDatego.exe
        - Executes dropped EXE

        - C:\Windows\SysWOW64\WerFault.exe (PID 2300, child of 4984)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 12
          - Program crash

    - C:\Users\Admin\AppData\Local\Temp\IDM Crack For Life.exe (PID 4052, child of 2272)
      Command line: "C:\Users\Admin\AppData\Local\Temp\IDM Crack For Life.exe" 0
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

- C:\Windows\SysWOW64\WerFault.exe (PID 2160)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 4984
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 438KB
  MD5: 1c6a205f8b6d6ba5645eac10ef3cfbe7
  SHA1: 2902159f0c78a4192b2385c5eca0e5b1fafdd9d9
  SHA256: a781792f6cc057126775aac88d2eb79a69aa6ee16812218727601f7e1c67fc42
  SHA512: 8ca0ecb77239a1cf0f7ab166fd7a735cb2981f4d1fd353c4ccfadc0cf520762e620399a67bed95048437d57f1269b5829c08fbfe993b9486eda91ced5dc26fbe

- Filesize: 137KB
  MD5: 398be27911af29d90226c3e1ec4722c8
  SHA1: 844b3924a68e6b37be243034fabd5f631e9e7e7c
  SHA256: 5af3b014af8111ff4a228c10a0b1350e8b2cc66705de71204997a8f46481a068
  SHA512: bd7b2de7dbb2c7f7dd9bfd87ce6926c400d9c39bebf7cc3e99c181441f4971b84d56c2cfb4dabb104145416c7c4777a2fe49a333776e2bb5293748efd972e0a6

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\88603cb2913a7df3fbd16b5f958e6447_03d68389-5a68-4d9e-92ac-47b927e624dd
  Filesize: 51B
  MD5: 5fc2ac2a310f49c14d195230b91a8885
  SHA1: 90855cc11136ba31758fe33b5cf9571f9a104879
  SHA256: 374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092
  SHA512: ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3