Analysis
- max time kernel: 125s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-09-2024 00:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe
- Size: 252KB
- MD5: eec2a5cc875cd35d9334725f1a6f926c
- SHA1: 5ada78b6e5f667996a58246de1ad0453d6eff026
- SHA256: 50709a83b665c2d2286d16395a93034a9e1b518fcbf4767646cd33d6894e38b9
- SHA512: f39f8fa9c31203a6fff5cf30f533c5c3ca8f68a9993f680131be6e3a843d61f609a455abb69686f7eba5cd96904908954c442743202920297a9649ff8c879126
- SSDEEP: 6144:tCYfPnqFymR5uadElSdEi32oto3PZ3SZmRSu3G:UYnnqQmnu8kvimotKPZCZ6Su3G
Malware Config
Signatures

- Dave packer (3 IoCs)
  Detects executables packed with the packer the community calls 'Dave', based on a string at the end of the file.
  resource | yara_rule
  behavioral2/memory/640-4-0x0000000000AF0000-0x0000000000B22000-memory.dmp | dave
  behavioral2/memory/640-0-0x00000000022E0000-0x0000000002315000-memory.dmp | dave
  behavioral2/memory/3580-16-0x00000000039C0000-0x00000000039F5000-memory.dmp | dave
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  3580 | љр号后跟تت.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | љр号后跟تت.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  640 | eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe
  640 | eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe
  3580 | љр号后跟تت.exe
  3580 | љр号后跟تت.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 640 wrote to memory of 3580 | 640 | eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe | 91
  PID 640 wrote to memory of 3580 | 640 | eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe | 91
  PID 640 wrote to memory of 3580 | 640 | eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe | 91
  PID 3580 wrote to memory of 3576 | 3580 | љр号后跟تت.exe | 98
  PID 3580 wrote to memory of 3576 | 3580 | љр号后跟تت.exe | 98
  PID 3580 wrote to memory of 3576 | 3580 | љр号后跟تت.exe | 98
  PID 3580 wrote to memory of 3576 | 3580 | љр号后跟تت.exe | 98

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eec2a5cc875cd35d9334725f1a6f926c_JaffaCakes118.exe"
  PID: 640
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\ProgramData\љр号后跟تت.exe
    Command line: "C:\ProgramData\љр号后跟تت.exe"
    PID: 3580
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 3576

- [depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
  PID: 4824
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 252KB
- MD5: eec2a5cc875cd35d9334725f1a6f926c
- SHA1: 5ada78b6e5f667996a58246de1ad0453d6eff026
- SHA256: 50709a83b665c2d2286d16395a93034a9e1b518fcbf4767646cd33d6894e38b9
- SHA512: f39f8fa9c31203a6fff5cf30f533c5c3ca8f68a9993f680131be6e3a843d61f609a455abb69686f7eba5cd96904908954c442743202920297a9649ff8c879126