Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01-10-2024 20:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe
-
Size
60KB
-
MD5
0748886fcd34a6df25786cac4c85b368
-
SHA1
95db639907243f34ef7695082801e48605c78f63
-
SHA256
76c325dd2c7f5d3891f11fe6cd0af0618f35c98e508eef3840ef8c1438df27a6
-
SHA512
ca6597c681f21da160abb4e4e1b928e7a81b966c1d4455cd3818c40cfe43af5454c4f29efbe8dbdc6e89c10825d0903e580ff5e5e8d8053484d2bdcea7afac54
-
SSDEEP
768:+Xdx1BIFeaEtirGxj2D2n/z/D0lbdfs3OfKDHGqHg6WBM:+Xh5a9rsj2a/Dxg6WBM
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" gomen.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation 0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2820 gomen.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gomen = "C:\\Users\\Admin\\gomen.exe" gomen.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gomen.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe 2820 gomen.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1376 0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe 2820 gomen.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1376 wrote to memory of 2820 1376 0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe 82 PID 1376 wrote to memory of 2820 1376 0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe 82 PID 1376 wrote to memory of 2820 1376 0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe 82 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81 PID 2820 wrote to memory of 1376 2820 gomen.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0748886fcd34a6df25786cac4c85b368_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Users\Admin\gomen.exe"C:\Users\Admin\gomen.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5f33667063d61f48506fa9bd521a4e97b
SHA18e58413e526e9a785d11095fe2f093fad8b5654a
SHA25684e01dba968fa5496d015baa68cf7eeb49efadb7c58ca4830ff1faa8809eaf92
SHA512757b8ec3390cea602fc651961284a2555834c585f95c062ca72fd15d0a8e26b78f58991a59f60d24175bc7f6c645f631ecb682c0b30bda998e73d77eb2bd160b