Analysis
max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2024, 00:15
Static task: static1
Behavioral task: behavioral1
Sample: ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe
Size: 324KB
MD5: ea3c5325797dfbf413281cc20885581b
SHA1: e218c146cbda11e62f1111db31666c285144d1e5
SHA256: 4e8e7dde7d477a8fdc92801a07ad360a0dcb61b9b3b2b94821c5d1939510c50e
SHA512: ec0c7394b50ff431b65dc51d45644f4809d190f6a09883d5b7fc8628cdd9fbcc8a1d506d587f4107b400d65c4fe438d974e71214305dcde29f55b174b5fcbd32
SSDEEP: 6144:g0ORT9A65pP1wlYgrN1y6V1X1RonMequ8+my5ET7a8IzYchYfUpDF:VCA65XwlYgrHy6V17kr8+m73a86nzpDF
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | Process: ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe

Executes dropped EXE (3 IoCs)
- pid: 1040 | Process: PIserver'.exe
- pid: 3648 | Process: XYZ.exe
- pid: 4200 | Process: PIserver'.exe

YARA rule matches: upx (resource | yara_rule)
- behavioral2/files/0x0007000000023623-14.dat | upx
- behavioral2/memory/3648-22-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-23-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-24-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-25-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-26-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-27-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-28-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-29-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-30-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-31-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-32-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-33-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-34-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-35-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-36-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- behavioral2/memory/3648-37-0x0000000000400000-0x0000000000498000-memory.dmp | upx

AutoIT Executable (15 IoCs)
AutoIT scripts compiled to PE executables.
(resource | yara_rule)
- behavioral2/memory/3648-23-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-24-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-25-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-26-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-27-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-28-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-29-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-30-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-31-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-32-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-33-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-34-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-35-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-36-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe
- behavioral2/memory/3648-37-0x0000000000400000-0x0000000000498000-memory.dmp | autoit_exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
- pid: 3500 | pid_target: 4200 | Process: WerFault.exe | procid_target: 91
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe
- description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: PIserver'.exe
- description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: XYZ.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid: 3648 | Process: XYZ.exe
- pid: 3648 | Process: XYZ.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- description: Token: SeDebugPrivilege | pid: 3648 | Process: XYZ.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
- pid: 3648 | Process: XYZ.exe (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
- pid: 3648 | Process: XYZ.exe (64 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
- pid: 1948 | Process: ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (9 IoCs)
- description: PID 1948 wrote to memory of 1040 | pid: 1948 | Process: ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe | procid_target: 89 (3 identical entries)
- description: PID 1948 wrote to memory of 3648 | pid: 1948 | Process: ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe | procid_target: 90 (3 identical entries)
- description: PID 1040 wrote to memory of 4200 | pid: 1040 | Process: PIserver'.exe | procid_target: 91 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ea3c5325797dfbf413281cc20885581b_JaffaCakes118.exe"
   PID: 1948
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\PIserver'.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PIserver'.exe"
      PID: 1040
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\PIserver'.exe
         Command line: StubPath
         PID: 4200
         - Executes dropped EXE
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 460
            PID: 3500
            - Program crash
   2. C:\Users\Admin\AppData\Local\Temp\XYZ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\XYZ.exe"
      PID: 3648
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4200 -ip 4200
   PID: 1716
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
   PID: 4780
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
  MD5: 9d70a7247f7d47f7a51434da4efe0264
  SHA1: e27c48bf7e34c7fc86a5899942fdc458024c6d70
  SHA256: a4fcc801ad1734b1e977e45764fe3197b714a65b965c580d0ed31f7104d96837
  SHA512: 917ef9f6df11f7cef3d692383ca75de56efee5b01a7ebd03cd8165b95e4fb4d491bdb27b51e59ba7b6c9dec08168322a5eb5b0b99e6529091ec80b93facdeb9b
- Filesize: 292KB
  MD5: 0e664fa74e2348b6af56b140b3f43583
  SHA1: 9460d91f80ba9a170b890ea03ea1653ad7a170bf
  SHA256: d62cc922c2e5aee8621ef61a7ad2ec7ef1e6239ea73844df2d219af53886c140
  SHA512: bce0e7dcd53cd7acbaa86a68735c0a5e02a3492543d1743cd4db22bc1b2e6bdc4063883d884f9929677061d741a1116f09e15c4eefd6cebf199b4995120c5b75