Analysis
max time kernel: 140s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2024, 11:54
Static task: static1
Behavioral task: behavioral1
Sample: efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Size: 369KB
MD5: efbcb62c2f180599cbe7d4925e30324b
SHA1: a41da44737478a6b2180639dbf931754a04d5ee8
SHA256: 5eb32845ec057e47ed62d0ac3f86cfa7a11f94caa95038e6f07929c35e0c555b
SHA512: 1797f314186f51ccc246728e99260f581fe370593b0390a79068b6bd811da9231cd1583230bb460e4d1b84fa32fb779887cebc9a884128c21b44d8d0a0a3cb61
SSDEEP: 6144:UQqOAE4QqtfosaF2pC3gRrxFNQ1EwU4hQ1lxKuPIYt1Iy8tZSIOZrc5ovh2/juMl:7AEwoHF8/rxTR9vx1gYo5t7OZrWfhz
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | cfÎÏţ͸ÊÓ.tmp
Executes dropped EXE (3 IoCs)
pid | Process
4996 | cfÎÏţ͸ÊÓ.exe
3196 | ÎÏţ͸ÊÓ.exe
3812 | cfÎÏţ͸ÊÓ.tmp

resource | yara_rule
behavioral2/files/0x00080000000234db-15.dat | vmprotect
behavioral2/memory/3196-22-0x0000000000400000-0x000000000042B000-memory.dmp | vmprotect
behavioral2/memory/3196-26-0x0000000000400000-0x000000000042B000-memory.dmp | vmprotect
behavioral2/memory/3196-53-0x0000000000400000-0x000000000042B000-memory.dmp | vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
3196 | ÎÏţ͸ÊÓ.exe

Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File created | C:\Program Files\Common Files\DcomServer\DcomServer.exe | cfÎÏţ͸ÊÓ.tmp

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cfÎÏţ͸ÊÓ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ÎÏţ͸ÊÓ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cfÎÏţ͸ÊÓ.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Kills process with taskkill (1 IoCs)
pid | Process
4880 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4880 | taskkill.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
3196 | ÎÏţ͸ÊÓ.exe
3196 | ÎÏţ͸ÊÓ.exe
3196 | ÎÏţ͸ÊÓ.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 5100 wrote to memory of 4996 | 5100 | efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe | 84
PID 5100 wrote to memory of 4996 | 5100 | efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe | 84
PID 5100 wrote to memory of 4996 | 5100 | efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe | 84
PID 5100 wrote to memory of 3196 | 5100 | efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe | 85
PID 5100 wrote to memory of 3196 | 5100 | efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe | 85
PID 5100 wrote to memory of 3196 | 5100 | efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe | 85
PID 4996 wrote to memory of 3812 | 4996 | cfÎÏţ͸ÊÓ.exe | 86
PID 4996 wrote to memory of 3812 | 4996 | cfÎÏţ͸ÊÓ.exe | 86
PID 4996 wrote to memory of 3812 | 4996 | cfÎÏţ͸ÊÓ.exe | 86
PID 3196 wrote to memory of 3704 | 3196 | ÎÏţ͸ÊÓ.exe | 87
PID 3196 wrote to memory of 3704 | 3196 | ÎÏţ͸ÊÓ.exe | 87
PID 3196 wrote to memory of 3704 | 3196 | ÎÏţ͸ÊÓ.exe | 87
PID 3196 wrote to memory of 2084 | 3196 | ÎÏţ͸ÊÓ.exe | 88
PID 3196 wrote to memory of 2084 | 3196 | ÎÏţ͸ÊÓ.exe | 88
PID 3196 wrote to memory of 2084 | 3196 | ÎÏţ͸ÊÓ.exe | 88
PID 2084 wrote to memory of 4880 | 2084 | cmd.exe | 90
PID 2084 wrote to memory of 4880 | 2084 | cmd.exe | 90
PID 2084 wrote to memory of 4880 | 2084 | cmd.exe | 90
Processes

1. C:\Users\Admin\AppData\Local\Temp\efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 5100

   2. C:\Users\Admin\AppData\Local\Temp\cfÎÏţ͸ÊÓ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cfÎÏţ͸ÊÓ.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4996

      3. C:\Users\Admin\AppData\Local\Temp\is-LG12B.tmp\cfÎÏţ͸ÊÓ.tmp
         Command line: "C:\Users\Admin\AppData\Local\Temp\is-LG12B.tmp\cfÎÏţ͸ÊÓ.tmp" /SL5="$901DE,53248,53248,C:\Users\Admin\AppData\Local\Temp\cfÎÏţ͸ÊÓ.exe"
         - Checks computer location settings
         - Executes dropped EXE
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
         PID: 3812

   2. C:\Users\Admin\AppData\Local\Temp\ÎÏţ͸ÊÓ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ÎÏţ͸ÊÓ.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3196

      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: regsvr32 C:\WINDOWS\system32\shdocvw.dll /s
         - System Location Discovery: System Language Discovery
         PID: 3704

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c taskkill /f /im empty.dat
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2084

         4. C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im empty.dat
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 4880
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 128B
MD5: 5e3812d33b1c435db63bccf731438791
SHA1: 879647516dd5ae0502cad6bd1c1cc2ea2d42c6d0
SHA256: 3a07075a82de5dadd35479f057996673a953c8db0a44402b56c839f5a29520b2
SHA512: 616ef8465c37d89a29c449eb477fc78b9e6bf39ce45e94345be762e30fc16ff772f7083694479c6867328f68e45785b948b8bb22a145e27b0a57cfe40a8e8ac2

Filesize: 293KB
MD5: 0c4bc62787fc144a93b21a94677bb3ad
SHA1: 3264002ac77ffa02579ace7922446eb26fc62cf5
SHA256: b8b724b34b232d6a642d358b0dee70fd0db52be6e24386d799cd44b7812025eb
SHA512: 1c566783b903ed9c064a10cbb034b42db73627b7fd5ab22b3ec012bc517e8e583fa72bdabccf5ab047c1e27be1e3d6f8159f4f675217b0348ca58991875c34b7

Filesize: 681KB
MD5: 8e3e4508030c1ffdb0196309114eb841
SHA1: 33656ec0c5b5ab8ce4ac566be0a95a96ec4ac40c
SHA256: 6d9b3b086a0cd15c9fd32cf639c61e52d4d928d0112a7bb75e95f010e995dd2b
SHA512: 6f16872abeb2de9ce3d881cf4b13778af03a305b068e99a8e59735bd4c13b5ad6f24a7aa44c2327cbfbb8351324ab85bb2157d719249fa29eb6f46061badffa4

Filesize: 84KB
MD5: cba0fa0915bf758b46c8a67ff2e5f5b5
SHA1: de0997c8671074c632c27fbf17c657d1c4219ff4
SHA256: 6a3f90d5b0a892386a31473e72a07736e2f11a7aa1c95f43e483f8fd27452b5a
SHA512: 0b925dfad6caa5ba59ceba727f71b97f16e919cee178c15886f563955d5abcbdc72e4c2b17e6a18267ef7bd74ac2e2128d5e361105834711c71ffc27cc9ac479