Analysis

max time kernel
104s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
09-09-2024 03:25
Static task
static1
Behavioral task
behavioral1
Sample
d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe
Resource
win7-20240903-en
General

Target
d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe
Size
734KB
MD5
d594e8a2098a81c9bfa24f3c17c992e6
SHA1
b9c820973407c7b4bef5b9ce98b7af62cafa397d
SHA256
fad001d463e892e7844040cabdcfa8f8431c07e7ef1ffd76ffbd190f49d7693d
SHA512
50049d1ded3f8cfcb6aa839c0341e91bb39b46dbd5376533f2725ce27e6ae5059d3f5af71100dd025b03b7a3cf90bfa920a93818ac1bafb30c65460514c4fd47
SSDEEP
12288:EY20AljdZgBPfKfi1leppjfQxAogJfqsUsz0cX0rLfGLEXTMd8MQ5B5rxVCz:Z20gPgFKLfQxAVBbIcXQGL+MWMwTrxMz
Malware Config

Extracted
Family
dridex
Botnet
10555
C2
151.236.219.181:443
142.4.6.57:14043
162.144.127.197:3786
103.40.116.68:5443
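Added example, not part of the sandbox report: the extracted config above, parsed exactly as the page lists it, matched against connection-log rows. The rows are constructed in Zeek conn.log column order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto); the internal addresses, timestamps and uids are invented. Dridex loader and C2 nodes sit on arbitrary ports (three of the four here are not 443), so the match is on the ip:port pair, with an ip-only match reported separately at lower confidence rather than dropped.

```python
"""Match sandbox-extracted Dridex C2 endpoints against connection logs.
Added example; the config text is copied from the report, the log rows
are constructed."""
import ipaddress
from typing import List, NamedTuple

# Verbatim from the report's "Malware Config / Extracted" block:
# family, botnet id, then one host:port per line.
DRIDEX_CONFIG = """\
dridex
10555
151.236.219.181:443
142.4.6.57:14043
162.144.127.197:3786
103.40.116.68:5443
"""


class C2Config(NamedTuple):
    family: str
    botnet: str
    endpoints: frozenset  # of (ip, port) tuples


def parse_config(text: str) -> C2Config:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, botnet, *entries = lines
    endpoints = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)          # raise early on a malformed line
        endpoints.add((host, int(port)))
    return C2Config(family, botnet, frozenset(endpoints))


# Constructed Zeek conn.log rows (tab separated, abridged column set):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
SAMPLE_CONN_LOG = """\
1725852300.101\tCabc1\t10.0.0.25\t49812\t151.236.219.181\t443\ttcp
1725852301.512\tCabc2\t10.0.0.25\t49813\t142.250.74.78\t443\ttcp
1725852305.004\tCabc3\t10.0.0.25\t49820\t142.4.6.57\t14043\ttcp
1725852310.777\tCabc4\t10.0.0.31\t51002\t103.40.116.68\t443\ttcp
1725852311.900\tCabc5\t10.0.0.31\t51010\t103.40.116.68\t5443\ttcp
"""


class Hit(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    note: str


def find_c2_hits(conn_log: str, cfg: C2Config) -> List[Hit]:
    """Exact ip:port matches are high confidence. Traffic to a listed IP on a
    port the config did not name is still reported, labelled as weaker, since
    the same node may serve on more than one port."""
    c2_ips = {ip for ip, _ in cfg.endpoints}
    hits: List[Hit] = []
    for row in conn_log.splitlines():
        ts, _uid, src, _sport, dst, dport, _proto = row.split("\t")
        port = int(dport)
        if (dst, port) in cfg.endpoints:
            hits.append(Hit(ts, src, dst, port, "exact ip:port match"))
        elif dst in c2_ips:
            hits.append(Hit(ts, src, dst, port, "ip match, unlisted port"))
    return hits


if __name__ == "__main__":
    cfg = parse_config(DRIDEX_CONFIG)
    print(f"{cfg.family} botnet {cfg.botnet}: {len(cfg.endpoints)} endpoints")
    for hit in find_c2_hits(SAMPLE_CONN_LOG, cfg):
        print(hit)
```

Endpoints pulled from a single sandbox run are a snapshot of that day's loader nodes; treat a hit on one as a pivot for hunting (which host, which process, what came next in the tree) rather than as the whole indicator set.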
Signatures

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
PID 4852  attrib.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe
Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  cmd.exe
Key value queried  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  WScript.exe

Executes dropped EXE (1 IoCs)
PID 732  PLS.exe

Loads dropped DLL (1 IoCs)
PID 4768  regsvr32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by WScript.exe (2), timeout.exe (4), cmd.exe (2), d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe, PLS.exe, attrib.exe, regsvr32.exe

Delays execution with timeout.exe (4 IoCs)
PID 1900  timeout.exe
PID 1324  timeout.exe
PID 4488  timeout.exe
PID 3524  timeout.exe

Modifies registry class (2 IoCs)
Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings  d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe
Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings  cmd.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Each source PID -> target PID pair below was recorded three times (11 pairs, 33 IoCs); procid_target in parentheses.
PID 4476 d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe wrote to memory of 1224 (86)
PID 1224 WScript.exe wrote to memory of 2276 (87)
PID 2276 cmd.exe wrote to memory of 1900 (89)
PID 2276 cmd.exe wrote to memory of 732 (94)
PID 2276 cmd.exe wrote to memory of 1324 (95)
PID 2276 cmd.exe wrote to memory of 4512 (97)
PID 2276 cmd.exe wrote to memory of 4488 (98)
PID 4512 WScript.exe wrote to memory of 3824 (99)
PID 3824 cmd.exe wrote to memory of 4852 (101)
PID 3824 cmd.exe wrote to memory of 3524 (102)
PID 3824 cmd.exe wrote to memory of 4768 (105)

Views/modifies file attributes (1 TTPs, 1 IoCs)
PID 4852  attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe"
  PID: 4476
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\XIU\configurate\selector.vbs" /f=CREATE_NO_WINDOW install.cmd
    PID: 1224
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\dsep.bat" "
      PID: 2276
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        PID: 1900
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe

      C:\XIU\configurate\PLS.exe
        Command line: "PLS.exe" e -pVersion hl.rar
        PID: 732
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 5
        PID: 1324
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe

      C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\XIU\configurate\fatless.vbs"
        PID: 4512
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\lll.bat" "
          PID: 3824
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\XIU"
            PID: 4852
            - Sets file to hidden
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

          C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 2
            PID: 3524
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe

          C:\Windows\SysWOW64\regsvr32.exe
            Command line: regsvr32 -s CONFIG.dll
            PID: 4768
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 4
        PID: 4488
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
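Added example, not from the sandbox: the process tree above replayed as constructed process-creation events (PIDs, image paths and command lines copied from the tree, parent PIDs taken from its nesting) and run through three rules matching what the signatures flag, namely regsvr32 silently registering a DLL by bare name with a script host somewhere above it, attrib +s +h on a directory directly under the drive root, and timeout.exe stalls from a script-launched batch. The event schema, rule names and the helper functions are mine.

```python
"""Process-tree rules for the wscript -> cmd -> regsvr32 chain in the report.
Added example; events are constructed from the report's tree, not exported
from the sandbox."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the sandbox logged it
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe"

# Constructed from the report's process tree (ppid 0 = no parent shown).
EVENTS = [
    ProcEvent(4476, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1224, 4476, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\XIU\configurate\selector.vbs" /f=CREATE_NO_WINDOW install.cmd'),
    ProcEvent(2276, 1224, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\dsep.bat" "'),
    ProcEvent(1900, 2276, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(732, 2276, r"C:\XIU\configurate\PLS.exe", '"PLS.exe" e -pVersion hl.rar'),
    ProcEvent(1324, 2276, r"C:\Windows\SysWOW64\timeout.exe", "timeout 5"),
    ProcEvent(4512, 2276, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\XIU\configurate\fatless.vbs"'),
    ProcEvent(3824, 4512, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\lll.bat" "'),
    ProcEvent(4852, 3824, r"C:\Windows\SysWOW64\attrib.exe", r'attrib +s +h "C:\XIU"'),
    ProcEvent(3524, 3824, r"C:\Windows\SysWOW64\timeout.exe", "timeout 2"),
    ProcEvent(4768, 3824, r"C:\Windows\SysWOW64\regsvr32.exe", "regsvr32 -s CONFIG.dll"),
    ProcEvent(4488, 2276, r"C:\Windows\SysWOW64\timeout.exe", "timeout 4"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    # Match on the file name only: the 32-bit sample's children live in
    # SysWOW64 even though their command lines say System32.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from pid up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def tokens(cmdline: str) -> List[str]:
    # Good enough for the command lines here; not a full cmd.exe tokeniser.
    return [t.strip('"') for t in cmdline.split()]


def is_drive_root_child(path: str) -> bool:
    p = path.rstrip("\\")
    return len(p) > 3 and p[1:3] == ":\\" and "\\" not in p[3:]


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, rule, detail, extra) for every event a rule matches."""
    findings = []
    for e in events:
        name = basename(e.image)
        args = tokens(e.cmdline)[1:]
        script_above = any(a in SCRIPT_HOSTS for a in ancestry(events, e.pid)[1:])
        # Rule 1: regsvr32 under a script host, DLL not under C:\Windows\
        if name == "regsvr32.exe" and script_above:
            dlls = [a for a in args if a.lower().endswith(".dll")]
            silent = any(a.lower() in ("-s", "/s") for a in args)
            if dlls and not dlls[0].lower().startswith("c:\\windows\\"):
                findings.append((e.pid, "regsvr32_nonsystem_dll", dlls[0],
                                 "silent" if silent else "verbose"))
        # Rule 2: attrib +s +h on a directory directly under a drive root
        if name == "attrib.exe":
            flags = {a.lower() for a in args if a[:1] in "+-"}
            targets = [a for a in args if a[:1] not in "+-/"]
            if {"+s", "+h"} <= flags and targets and is_drive_root_child(targets[0]):
                findings.append((e.pid, "attrib_hide_root_dir", targets[0], ""))
        # Rule 3: timeout.exe stalls from a batch launched by a script host
        if name == "timeout.exe" and script_above:
            findings.append((e.pid, "timeout_delay", e.cmdline, ""))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The rules key on the chain rather than on any single image because every binary in it except PLS.exe is a signed Windows component; the ancestry check is what separates this regsvr32 or attrib invocation from an installer doing the same thing. Rule 1 deliberately does not require the -s flag, since dropping it costs the attacker nothing; the flag is reported as a detail instead.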
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 324KB
MD5 031f318c8ab815cda0d447904a925cf7
SHA1 2bbca22cb0355f1ad4acedd9dd69ebaaeddf6b9e
SHA256 9492c6842475059a6af7f4b8c42e03944f08938243fa393713a5a6a930d79bcd
SHA512 519a54859e82861cf3f73b3a6ac400b57bd560a53867b8396aa8c286a5ee4e675c75c3f80ddc0cb4e0ef80300ada6b4e985bd4bb73bdc8d1c56a673240a83c4d

Filesize 551KB
MD5 061f64173293969577916832be29b90d
SHA1 b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA256 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA512 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Filesize 212KB
MD5 24fdf4791a3efa0178e677b0e03c12b1
SHA1 f5f45b8c35cf303eff77aa1fbe02e9bd4318c7d7
SHA256 6740389c8266848199851648c4228df7401dd30c8dec89ab7827f1bec7ab522b
SHA512 f9b71717cdd61a9539dd93267f4d039e0de7dd8933b9f63679466a881884b06ccdc666d27bb6b9909127101a63879b33a1165a83fff9d6ce3009ed5e7b97b6da

Filesize 569B
MD5 9318a04c2d4d80719382a7e73c28736b
SHA1 ddb5096d2841b575a941ecaf79fee8e2365563ae
SHA256 db74d354ad34fa9a0dafd9b846574855b480590ebf06879d87844060cf50ff4b
SHA512 0dd33ebf730e77a1d55996b14a560f1584e17e55e5a6efdedd3bce2ecdd0e7f892c9ae2b4bef8ee68a723ef9d02717e9f9fb3939f1b95cacaeacd29b28e70717

Filesize 99B
MD5 75214af723ca4720e0aa365eb3ef6f5b
SHA1 a6b73a92246cd3b857e32e2a8a26ee8fc52fdcb4
SHA256 06d4a788d4c91c141b933199826ac3b4df8d6027f818fc2b198043773ea132e4
SHA512 91b7752a63e694641f17187cdb8e1a7876eda195f3070d6fee210b6210e2897833bc08b770db6e82cfec7a99e3fae5c01588872eb2aa60dccdc4064363f54c58

Filesize 692B
MD5 70c1b14895a29502d3e94e395606f82d
SHA1 a02fff1f3a0c1c8ff5453a5de715cbe5ba227185
SHA256 b449d3d5b476b1a53bbe6b5d6fef93e89d8456450e84b1c349237c6a8df3b65d
SHA512 8f9a8975124738b7a5ad1e0d92549f45a06c6efa8fac7d3c07ce16399a6aeed5644c14bf56cec56c83a293835cfb994a99d3e75dc5e9ea7f41e9e354760f742c

Filesize 82B
MD5 9cce3084f1850c3be989cc47fab4ee71
SHA1 e490f01a46f85c155c2848affda6d2c7b0791c8b
SHA256 332462b21eed1bcbd9c198851e28b789893628410e7268ddc022a40e2f7f94c1
SHA512 30cc59e8e1a5b20a1c59bb437dc96cf65f7bbfa798617a77a613ae89012be78bda38c51278411ba511a7058eaca728e160a0d6d29f5defaeafa4dc7f64458f88