Analysis
- max time kernel: 150s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2024 01:22
Static task: static1
Behavioral task: behavioral1
- Sample: 083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe
- Size: 117KB
- MD5: 083b315b61405053b6431e91f25ba4fb
- SHA1: 423ecbeb7402129d34ba7abd39a45ff51882d721
- SHA256: 39ce77765b5120f1b53faebb740d2725903f9551a6868532be717cc5a235bcd4
- SHA512: 1d7fe3e525b3e30cd59e7189cb0060750bf9bf66326d7f51b2e8409da199d535044592dee4a57e137697359b0839894716bfa708d94f5270c64b8b98381c3e48
- SSDEEP: 3072:Qxvmpm2yKept6op+s+5fTRaqym0WkJificeFaL:IKep1Iss4qGR0fipFa
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 4828: Cfumea.exe
- Drops file in Windows directory (6 IoCs)
  Cfumea.exe: File created C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
  Cfumea.exe: File opened for modification C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
  083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe: File created C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
  083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe: File opened for modification C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
  083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe: File created C:\Windows\Cfumea.exe
  083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe: File opened for modification C:\Windows\Cfumea.exe
  The {GUID}.job file under C:\Windows\Tasks is a Task Scheduler 1.0 job file, and both the dropper and the dropped Cfumea.exe write it. Treat it as scheduled-task persistence (ATT&CK T1053.005) for the dropped binary, not merely as a file write into the Windows directory; the sandbox lists it only under the generic file-drop signature.
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Cfumea.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Modifies Internet Explorer settings (2 IoCs)
  Cfumea.exe: Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main
  Cfumea.exe: Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\International
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4828: Cfumea.exe (64 identical hits; the dropped binary repeatedly enumerates running processes)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1612 (083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe) wrote to memory of PID 4828 (Cfumea.exe), procid_target 82, recorded three times.
  All three writes go from the parent into the child it has just created (see the process tree below), which is the pattern ordinary process start-up produces. On its own this entry is not evidence of injection into an unrelated process; it would be if the target PID did not belong to a child of the writer.
Processes
1. C:\Users\Admin\AppData\Local\Temp\083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe"
   PID: 1612
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Cfumea.exe (child of PID 1612)
      Command line: C:\Windows\Cfumea.exe
      PID: 4828
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
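As an added triage example (not part of the sandbox report, and not code from the sample or the sandbox vendor): a Python script that re-derives the drop-then-execute chain and the .job-file persistence from event records shaped like the IoCs above. The `Event` structure, its field names and the `EVENTS` list are assumptions constructed by hand from the report; they are not the sandbox's export format.

```python
r"""Triage helper: rebuild the persistence chain from sandbox-style events.

Added example, not part of the sandbox report. The records in EVENTS are
constructed from the report's IoCs (PID 1612 drops Cfumea.exe and a
{GUID}.job file into C:\Windows, then launches the dropped binary as
PID 4828, which rewrites the .job). The Event fields are an assumption.
"""
from dataclasses import dataclass
import ntpath  # backslash-aware path handling, works on any OS


@dataclass(frozen=True)
class Event:
    kind: str        # "file_create" or "process_start"
    pid: int         # acting process
    process: str     # image name of the acting process
    target: str      # created file path, or launched image path
    ppid: int = 0    # parent PID (process_start only)


# Constructed from the report; not an export of the sandbox.
EVENTS = [
    Event("file_create", 1612, "083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe",
          r"C:\Windows\Cfumea.exe"),
    Event("file_create", 1612, "083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe",
          r"C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job"),
    Event("process_start", 4828, "Cfumea.exe", r"C:\Windows\Cfumea.exe", ppid=1612),
    Event("file_create", 4828, "Cfumea.exe",
          r"C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job"),
]

WINDOWS_DIR = r"C:\Windows"
TASKS_DIR = r"C:\Windows\Tasks"


def is_under(path, directory):
    """Case-insensitive 'path lies inside directory' test for NT paths."""
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower()
    return p.startswith(d + "\\")


def dropped_and_executed(events):
    """Return (dropper_pid, child_pid, image) for every executable written
    under C:\Windows that the same process later launches as its child."""
    drops = {}  # normalized image path -> pid that first wrote it
    for e in events:
        if (e.kind == "file_create" and is_under(e.target, WINDOWS_DIR)
                and e.target.lower().endswith(".exe")):
            drops.setdefault(ntpath.normpath(e.target).lower(), e.pid)
    hits = []
    for e in events:
        if e.kind == "process_start":
            key = ntpath.normpath(e.target).lower()
            if key in drops and drops[key] == e.ppid:
                hits.append((e.ppid, e.pid, e.target))
    return hits


def legacy_job_writers(events):
    """Return {pid: process} for processes that wrote a Task Scheduler 1.0
    .job file under C:\Windows\Tasks, i.e. scheduled-task persistence
    (ATT&CK T1053.005) that a generic file-drop signature would hide."""
    writers = {}
    for e in events:
        if (e.kind == "file_create" and is_under(e.target, TASKS_DIR)
                and e.target.lower().endswith(".job")):
            writers[e.pid] = e.process
    return writers


def triage(events):
    """Summarize both findings in one dict."""
    return {
        "drop_and_exec": dropped_and_executed(events),
        "job_writers": legacy_job_writers(events),
    }


if __name__ == "__main__":
    for name, finding in triage(EVENTS).items():
        print(name, finding)
```

The drop-and-execute rule deliberately requires the launcher to be the same PID that wrote the file; a launch of a dropped binary by some other process (for example the Task Scheduler service firing the .job later) is a separate, weaker signal and would be matched by a rule keyed on the image path alone.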
Network
MITRE ATT&CK Enterprise v15
Downloads
- 083b315b61405053b6431e91f25ba4fb_JaffaCakes118.exe (the submitted sample; hashes match the General section)
  Filesize: 117KB
  MD5: 083b315b61405053b6431e91f25ba4fb
  SHA1: 423ecbeb7402129d34ba7abd39a45ff51882d721
  SHA256: 39ce77765b5120f1b53faebb740d2725903f9551a6868532be717cc5a235bcd4
  SHA512: 1d7fe3e525b3e30cd59e7189cb0060750bf9bf66326d7f51b2e8409da199d535044592dee4a57e137697359b0839894716bfa708d94f5270c64b8b98381c3e48
- Unnamed 390-byte file (name not given in the report)
  Filesize: 390B
  MD5: beee761368a6620a789d1da0dea32a5f
  SHA1: 6cac0b5b2a3c1dc8090c2b808a40ddbd1cd71bc3
  SHA256: 5374442d7bfe22bbc5f8463182b49eec8c9910b26bb5b27b661207d6477e2ca2
  SHA512: 17ea18de6eb0b4cd7a77745c47799791754cea9da0b8957b1f32262122ed4db5742d1d90d12a9a2a7d14d8b9605e36bce8dbba408c9992a33c74d78cd3c57312