Analysis

max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-09-2024 06:58
Static task: static1

Behavioral task: behavioral1
  Sample: dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2 (the run this report covers)
  Sample: dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe
Size: 169KB
MD5: dde7cbf86f417af475da245ca768b89b
SHA1: 697f90b33dd16a9d349824724d35f2ff56fe3a54
SHA256: 44096f069d68b101bae728c5c3d9b025245962ace023753b1aaa761aff80b880
SHA512: 99a80b453a9d52f2c69fb4752a451361e9791e8bc615c6327a1d3ccd53c535ee8c6cf281839ba6cf6b736af4a2b93da6d9a54552387d9e3cdd80e36c51cee28e
SSDEEP: 3072:UNnz4Uk1hIMY8JCLiwMiCQcLUZtFscyB+uSJJtqbqSy1mRsn:UNXkJY8JGCbZ9B+uGi4mRA
Malware Config

Extracted family: tofsee
C2:
  64.20.54.234
  rgtryhbgddtyh.biz
  wertdghbyrukl.ch
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation
    by dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  PID 3404 msopn.exe
  PID 4944 msopn.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\msopn.exe\" /r"
    (i.e. the autorun command "C:\Users\Admin\msopn.exe" /r) by dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 3592 (dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe) set thread context of PID 2020 (target 85)
  PID 3404 (msopn.exe) set thread context of PID 4944 (target 87)
  PID 4944 (msopn.exe) set thread context of PID 396 (target 88)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 3216 WerFault.exe handled the crash of PID 396 (target 88)

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svchost.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by msopn.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by msopn.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe

Suspicious use of WriteProcessMemory (27 IoCs, identical rows collapsed into counts)
  PID 3592 (dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe) wrote to memory of PID 2020 (target 85): 8 times
  PID 2020 (dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe) wrote to memory of PID 3404 (target 86): 3 times
  PID 3404 (msopn.exe) wrote to memory of PID 4944 (target 87): 8 times
  PID 4944 (msopn.exe) wrote to memory of PID 396 (target 88): 5 times
  PID 2020 (dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe) wrote to memory of PID 4780 (target 93): 3 times
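Read together, the WriteProcessMemory and SetThreadContext signatures above describe the sample's unpacking chain: each stage writes a payload into a freshly spawned copy of itself and sets a thread context in it, and the last stage (msopn.exe, PID 4944) does the same to a 32-bit svchost.exe, which is process hollowing (ATT&CK T1055.012). The Run key then persists the dropped copy from the user profile, and it is written by PID 2020, the process that was itself injected into. The block below is an added example and is not part of the report or of the sandbox's own signature engine: it reconstructs those findings from a constructed, pipe-delimited event log that mirrors the PIDs and images above. The line format, the parent PID (0) of the first process and the "autorun pointing into a user profile" rule are assumptions, not something the report states.

```python
"""Reconstruct injection chains and Run-key persistence from sandbox events."""
import re
from collections import defaultdict

# Constructed sample (not a real sandbox export), one pipe-separated event per
# line; PIDs, images and the registry write mirror the report above, the line
# format and the parent (0) of the first process are assumptions.
#   proc|pid|ppid|image   wpm|pid|target (WriteProcessMemory)
#   stc|pid|target (SetThreadContext)   reg|pid|key|value (registry set)
SAMPLE_EVENTS = r"""
proc|3592|0|C:\Users\Admin\AppData\Local\Temp\dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe
proc|2020|3592|C:\Users\Admin\AppData\Local\Temp\dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe
wpm|3592|2020
stc|3592|2020
reg|2020|HKU\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig|"C:\Users\Admin\msopn.exe" /r
proc|3404|2020|C:\Users\Admin\msopn.exe
wpm|2020|3404
proc|4944|3404|C:\Users\Admin\msopn.exe
wpm|3404|4944
stc|3404|4944
proc|396|4944|C:\Windows\SysWOW64\svchost.exe
wpm|4944|396
stc|4944|396
proc|4780|2020|C:\Windows\SysWOW64\cmd.exe
wpm|2020|4780
"""
FIELDS = {"proc": ("pid", "ppid", "image"), "wpm": ("pid", "target"),
          "stc": ("pid", "target"), "reg": ("pid", "key", "value")}
# Run / RunOnce autostart keys, with or without the Wow6432Node redirection.
RUN_KEY = re.compile(r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        kind, *vals = line.split("|", 3)
        e = dict(zip(FIELDS[kind], vals), kind=kind)
        events.append({k: int(v) if k in ("pid", "ppid", "target") else v for k, v in e.items()})
    return events

def find_injections(events):
    """(source, target) pairs where the source both wrote the target's memory and
    set one of its thread contexts: the hollowing / thread-hijack sequence. Writes
    alone are noise, a parent writes into every child it spawns (2020 -> 4780)."""
    wrote = {(e["pid"], e["target"]) for e in events if e["kind"] == "wpm"}
    hijacked = {(e["pid"], e["target"]) for e in events if e["kind"] == "stc"}
    return sorted(wrote & hijacked)

def classify_injection(src_image, dst_image):
    if src_image.lower() == dst_image.lower():
        return "self-injection into a child copy (unpacking stage)"
    if dst_image.lower().startswith("c:\\windows\\"):
        return "hollowing of a Windows binary"
    return "injection into another process"

def injection_chains(pairs):
    """Follow injection edges from sources that were never injected into."""
    nxt = defaultdict(list)
    for s, t in pairs:
        nxt[s].append(t)
    chains = []
    def walk(path):
        for t in nxt.get(path[-1], []):
            walk(path + [t])
        if not nxt.get(path[-1]):
            chains.append(path)
    for root in sorted({s for s, _ in pairs} - {t for _, t in pairs}):
        walk([root])
    return chains

def command_image(value):
    """First token of a command line, with surrounding quotes stripped."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]

def find_user_profile_autoruns(events):
    """Run-key values whose program sits under a user profile directory
    (assumed rule: legitimate autoruns rarely point into the Users tree)."""
    hits = []
    for e in events:
        if e["kind"] == "reg" and RUN_KEY.search(e["key"]):
            image = command_image(e["value"])
            if image.lower().startswith("c:\\users\\"):
                hits.append((e["pid"], e["key"].rsplit("\\", 1)[1], image))
    return hits

def analyze(text):
    events = parse_events(text)
    images = {e["pid"]: e["image"] for e in events if e["kind"] == "proc"}
    pairs = find_injections(events)
    autoruns = find_user_profile_autoruns(events)
    return {
        "injections": [(s, t, images[t], classify_injection(images[s], images[t])) for s, t in pairs],
        "chains": injection_chains(pairs),
        "autoruns": autoruns,
        # written by a process that was itself injected into: the unpacked payload did it
        "autoruns_from_injected_stage": [h for h in autoruns if h[0] in {t for _, t in pairs}],
    }
```

On the constructed log, analyze(SAMPLE_EVENTS) yields two chains, 3592 -> 2020 and 3404 -> 4944 -> 396, the second ending in svchost.exe and classified as hollowing; the chains are separate because 2020 launched msopn.exe through ordinary process creation rather than injection. The MSConfig autorun is reported once and again under autoruns_from_injected_stage, since PID 2020 was an injection target. Swapping parse_events for a real API-trace or EDR source is all that is needed to reuse the rules.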
Processes (indentation shows parent/child depth)

[PID 3592] C:\Users\Admin\AppData\Local\Temp\dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    [PID 2020] C:\Users\Admin\AppData\Local\Temp\dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\dde7cbf86f417af475da245ca768b89b_JaffaCakes118.exe"
      - Checks computer location settings
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        [PID 3404] C:\Users\Admin\msopn.exe
          command line: "C:\Users\Admin\msopn.exe" /r
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            [PID 4944] C:\Users\Admin\msopn.exe
              command line: "C:\Users\Admin\msopn.exe" /r
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                [PID 396] C:\Windows\SysWOW64\svchost.exe
                  command line: svchost.exe
                  - System Location Discovery: System Language Discovery

                    [PID 3216] C:\Windows\SysWOW64\WerFault.exe
                      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 320
                      - Program crash

        [PID 4780] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8314.bat" "
          - System Location Discovery: System Language Discovery

[PID 3940] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 396 -ip 396
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 117B
  MD5: d8a1ccde1e5a8a2f0bc8c55f0f92a32f
  SHA1: 7f642679644190656a140576cfd4d01f3ad22c76
  SHA256: 3a94ea1090534686c399a5f7676bc0d8cd5856c9a98625cfb2932c8e88d44d9c
  SHA512: 78044bc9e5ad5c8b1f8eec58c797c2d5dbb7ea22b7e8182fd8fd913180b66bc4006443307dfc7e7933fb8f33c73a51e186e77e92eaad10ee89db00205c6dc697

File 2 (hashes identical to the submitted sample)
  Filesize: 169KB
  MD5: dde7cbf86f417af475da245ca768b89b
  SHA1: 697f90b33dd16a9d349824724d35f2ff56fe3a54
  SHA256: 44096f069d68b101bae728c5c3d9b025245962ace023753b1aaa761aff80b880
  SHA512: 99a80b453a9d52f2c69fb4752a451361e9791e8bc615c6327a1d3ccd53c535ee8c6cf281839ba6cf6b736af4a2b93da6d9a54552387d9e3cdd80e36c51cee28e