Analysis
-
max time kernel
96s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-09-2024 23:53
Static task
static1
Behavioral task
behavioral1
Sample
d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
d551d69690bafce20d6785ca09a212de
-
SHA1
3bc295ab9dc3b2489110bd257b6a670fc0658bc8
-
SHA256
187cbb78da4f5243104761c4915f9383ef0ace87c8afb0199e9cb8c99f46ffd1
-
SHA512
a4084248936bc316ad6f5f49926bf1ef274c65c703677fa049bb8ad497deb84cadb5b93c98b16c3fdc1c91cd148a40c72353d109b13217c2ccf8ad375b743c4e
-
SSDEEP
24576:bNA3R5drXad7+o0xab9qHt/2kybJdUc1jZFQYcHO6l1l:G5C7/0xK9U/2kybJX1jZ63Tl
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 372 nqodgtlmm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nqodgtlmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4040 wrote to memory of 372 4040 d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe 86 PID 4040 wrote to memory of 372 4040 d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe 86 PID 4040 wrote to memory of 372 4040 d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d551d69690bafce20d6785ca09a212de_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Users\Admin\e8948g1482\nqodgtlmm.exe"C:\Users\Admin\e8948g1482\nqodgtlmm.exe" nxujkrdul.xhc2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
646KB
MD5a3e8113ff31e86152d4a384dab4ea102
SHA128cabe6b57d14f6dd47a880c51bc9726d017989f
SHA256d06ea150b0a83b9cf2ef63fdafc9e79a23bfa004c9f42d526499329e0ab1c977
SHA512f34d79e3984e819c2e86e9b75c27985f7f4d8696bd3bf18447b697e127db3f76c707369336925ae941f95053d4e83d1684356d479be2295114d654bb24efb290