Analysis
Max time kernel: 92s
Max time network: 94s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11-09-2024 10:37

Static task: static1
Behavioral task: behavioral1
  Sample: da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe
Size: 191 KB
MD5: da293fbfe127cef0a67607e4113e2276
SHA1: 38ec2a9b15825f6037fa1f640f41aedacc0da89e
SHA256: 2751ffc40e29cde0dc8ff2c99bf40ebd191011215be95539d8cb3dcdd38483be
SHA512: 12d60a2c9051c626efe0c24c97508786afdb6f9f6907721d1bc386f98ee1bbd3d3977b05f381115df98c7c0814bf5be5ce9bc53a3d9360a30f9c08c0f207e6eb
SSDEEP: 3072:y04gFmx6HgZ6mBsN7foc2GOfAD5In+Y8CQdwvj8C9jtq3Sm3j5n8s2x3Ws0L3amh:ogFmx6Hmcwc2G/9UHtBjg3SOjYWj2aK
Malware Config
Signatures
Event Triggered Execution: AppCert DLLs (1 TTP)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe

Loads dropped DLL (5 IoCs)
  pid | Process
  3388 | da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe
  4628 | rundll32.exe
  3648 | Process not Found
  2484 | cmd.exe
  1340 | attrib.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\netisetx64.dll | da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\netisetx.dll | da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3388 | da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe
  3388 | da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3388 wrote to memory of 4628 | 3388 | da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe | 93 (2 entries)
  PID 3388 wrote to memory of 2484 | 3388 | da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe | 95 (6 entries)
  PID 2484 wrote to memory of 1340 | 2484 | cmd.exe | 99 (6 entries)

Views/modifies file attributes (1 TTP, 1 IoC)
  pid | Process
  1340 | attrib.exe
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe"
   PID: 3388
   - Checks computer location settings
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. Image: C:\Windows\System32\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\netisetx64.dll",CreateProcessNotify
      PID: 4628
      - Loads dropped DLL

   2. Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240650062.bat" "C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe""
      PID: 2484
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. Image: C:\Windows\SysWOW64\attrib.exe
         Command line: attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\da293fbfe127cef0a67607e4113e2276_JaffaCakes118.exe"
         PID: 1340
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Views/modifies file attributes
Network
Remote address | Request | Response
8.8.8.8:53 | 8.8.8.8.in-addr.arpa IN PTR | 8.8.8.8.in-addr.arpa IN PTR dns.google
8.8.8.8:53 | 149.220.183.52.in-addr.arpa IN PTR | (empty)
8.8.8.8:53 | 81.144.22.2.in-addr.arpa IN PTR | 81.144.22.2.in-addr.arpa IN PTR a2-22-144-81.deploy.static.akamaitechnologies.com
8.8.8.8:53 | 134.32.126.40.in-addr.arpa IN PTR | (empty)
8.8.8.8:53 | 209.205.72.20.in-addr.arpa IN PTR | (empty)
8.8.8.8:53 | 217.106.137.52.in-addr.arpa IN PTR | (empty)
8.8.8.8:53 | 103.169.127.40.in-addr.arpa IN PTR | (empty)
8.8.8.8:53 | 171.39.242.20.in-addr.arpa IN PTR | (empty)
8.8.8.8:53 | 65.139.73.23.in-addr.arpa IN PTR | 65.139.73.23.in-addr.arpa IN PTR a23-73-139-65.deploy.static.akamaitechnologies.com
8.8.8.8:53 | 73.144.22.2.in-addr.arpa IN PTR | 73.144.22.2.in-addr.arpa IN PTR a2-22-144-73.deploy.static.akamaitechnologies.com

DNS request summary (values as reported, in the report's column order)
DNS Request | 8.8.8.8.in-addr.arpa | 66 B | 90 B | 1 | 1
DNS Request | 149.220.183.52.in-addr.arpa | 73 B | 147 B | 1 | 1
DNS Request | 81.144.22.2.in-addr.arpa | 70 B | 133 B | 1 | 1
DNS Request | 134.32.126.40.in-addr.arpa | 72 B | 158 B | 1 | 1
DNS Request | 209.205.72.20.in-addr.arpa | 72 B | 158 B | 1 | 1
DNS Request | 217.106.137.52.in-addr.arpa | 73 B | 147 B | 1 | 1
DNS Request | 103.169.127.40.in-addr.arpa | 73 B | 147 B | 1 | 1
DNS Request | 171.39.242.20.in-addr.arpa | 72 B | 158 B | 1 | 1
DNS Request | 65.139.73.23.in-addr.arpa | 71 B | 135 B | 1 | 1
DNS Request | 73.144.22.2.in-addr.arpa | 70 B | 133 B | 1 | 1
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize: 75 B
   MD5: 211433a8d7350dd8392a69cde0638d6d
   SHA1: c776f904296dd02939f518eeb6885580d09504e1
   SHA256: 51f5b8df6058ec718c584100e19ca9fcf236fa8e2068241e5699e2589c124417
   SHA512: e63f155e2a112a13c952fab54a3746446948e11a2e71d11e2a5495b05a7e35f08d9b00840597e3af0019c0e19f786c527f0b28eb9c6db2471f1198d84381460c

2. Filesize: 55 KB
   MD5: 8d5add4097a742837ec101015cf23354
   SHA1: 386c2c3994f64551dbef069a78220e4968105105
   SHA256: b561ff6cb2623dfe6a376236d1aeac0f0111a4e6abe4eee18f6cf04c08f8c5eb
   SHA512: 31302754f99f6101518633e7566d05b14ef9c4d88233ce11c19e1bb92cfaba2e172d4cd835eabc687ba6bbd1f45702de8c782fbd84e1f2451a3a09de6d1a510f

3. Filesize: 61 KB
   MD5: cde6aca8ce75c23e287b04f634cb652a
   SHA1: 6320d03cd7124cd98d81bf9f10812db1689b9843
   SHA256: 5914e26e3b3fc5f58680b50af6cbf566780517ae6c81aac864380eda6f83149f
   SHA512: aca6895f9e0072370ff63d0bfadd819db4e1f3b52ad59053036fdddd460ef324256631030c8b18e541847e236b52be2041c131c80f8fc3a1dae6c5c4e87f40c2