Analysis
- max time kernel: 133s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/09/2024, 12:16
Static task
- static1

Behavioral task
- behavioral1
  - Sample: f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe
  - Resource: win7-20240708-en

Behavioral task
- behavioral2
  - Sample: f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe
- Size: 14KB
- MD5: f5fecf633e0665c42ec68086a16f43c7
- SHA1: f56bc51a58713533362927794161a26049c2421e
- SHA256: faabb97dd7db86cb73f71f0f7e5bfba6cf9133c928bb0d21c14b6c89ae3acbdc
- SHA512: 2f4925e76b1f0ab51ed701bf77aa82a3f297f6ac2e46f3918203b5a9e28a6a8cec5a301fc16977d334d4d3a0e144dbb81b75c9f49426e4ecc6a0bc73827c01ba
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZ3:hDXWipuE+K3/SSHgx33
Malware Config
Signatures

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (Process: f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (Process: DEMC014.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (Process: DEM16EE.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (Process: DEM6D2C.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (Process: DEMC38A.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (Process: DEM195A.exe)

Executes dropped EXE (6 IoCs)
- PID 2624: DEMC014.exe
- PID 3588: DEM16EE.exe
- PID 3472: DEM6D2C.exe
- PID 4792: DEMC38A.exe
- PID 4572: DEM195A.exe
- PID 264: DEM6FD7.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: DEMC014.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: DEM16EE.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: DEM6D2C.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: DEMC38A.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: DEM195A.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: DEM6FD7.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe)

Suspicious use of WriteProcessMemory (18 IoCs)
- PID 2632 wrote to memory of 2624 (Process: f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe, procid_target: 91)
- PID 2632 wrote to memory of 2624 (Process: f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe, procid_target: 91)
- PID 2632 wrote to memory of 2624 (Process: f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe, procid_target: 91)
- PID 2624 wrote to memory of 3588 (Process: DEMC014.exe, procid_target: 95)
- PID 2624 wrote to memory of 3588 (Process: DEMC014.exe, procid_target: 95)
- PID 2624 wrote to memory of 3588 (Process: DEMC014.exe, procid_target: 95)
- PID 3588 wrote to memory of 3472 (Process: DEM16EE.exe, procid_target: 97)
- PID 3588 wrote to memory of 3472 (Process: DEM16EE.exe, procid_target: 97)
- PID 3588 wrote to memory of 3472 (Process: DEM16EE.exe, procid_target: 97)
- PID 3472 wrote to memory of 4792 (Process: DEM6D2C.exe, procid_target: 99)
- PID 3472 wrote to memory of 4792 (Process: DEM6D2C.exe, procid_target: 99)
- PID 3472 wrote to memory of 4792 (Process: DEM6D2C.exe, procid_target: 99)
- PID 4792 wrote to memory of 4572 (Process: DEMC38A.exe, procid_target: 101)
- PID 4792 wrote to memory of 4572 (Process: DEMC38A.exe, procid_target: 101)
- PID 4792 wrote to memory of 4572 (Process: DEMC38A.exe, procid_target: 101)
- PID 4572 wrote to memory of 264 (Process: DEM195A.exe, procid_target: 103)
- PID 4572 wrote to memory of 264 (Process: DEM195A.exe, procid_target: 103)
- PID 4572 wrote to memory of 264 (Process: DEM195A.exe, procid_target: 103)
Processes
- C:\Users\Admin\AppData\Local\Temp\f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe (PID 2632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5fecf633e0665c42ec68086a16f43c7_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DEMC014.exe (PID 2624)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEMC014.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DEM16EE.exe (PID 3588)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM16EE.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\DEM6D2C.exe (PID 3472)
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6D2C.exe"
        Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\DEMC38A.exe (PID 4792)
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEMC38A.exe"
          Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\DEM195A.exe (PID 4572)
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM195A.exe"
            Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\DEM6FD7.exe (PID 264)
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6FD7.exe"
              Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads