Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/09/2024, 18:38

General

  • Target

    fce8a58a2c04e9d1ff187fe00f9d7855_JaffaCakes118.exe

  • Size

    172KB

  • MD5

    fce8a58a2c04e9d1ff187fe00f9d7855

  • SHA1

    d4d5d68d9eef403cc12fce98b16d28ee45c12a6a

  • SHA256

    d94122dea471e57dc30764b3e35757ad6e9a296cd37c9aa1814262d4f215f8a9

  • SHA512

    400f8a19ff00a131443b484468fe8f4bd2f6d34db996e8f798ad3c4257e483f613b11f688109e2d3cddcb5cd3e54efee18ddfb4c7b97597fe921198853bbcd95

  • SSDEEP

    3072:Nb70yxAvwBD1yyoJueXNym40kf5rIGn5sKI+lWC3xnE235eDNCezA4L6U0tqC6Ut:Nb9PD4VJlXNym40kf5rIGn5sKIjC3xn2

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fce8a58a2c04e9d1ff187fe00f9d7855_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fce8a58a2c04e9d1ff187fe00f9d7855_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Users\Admin\tdwih.exe
      "C:\Users\Admin\tdwih.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\tdwih.exe

    Filesize

    172KB

    MD5

    0a24aaca472a1abb7b125ecdb5ec8233

    SHA1

    230a05afbf36dbcf507a12b47b857ff63d63af0b

    SHA256

    160235cbb2e89dea9cfcffabb46697e0ac990bd9164dfbf991df1a8a4c083b7a

    SHA512

    25de3db96699460f39b64697a8e74eaf8defdd39014690638cb59ad126feed4c553d9f61313de10090331ef131682c8411baf13d241908e1914379127cd896cb