Analysis

Max time kernel: 149s
Max time network: 122s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02/10/2024, 14:45
Static task: static1

Behavioral task: behavioral1
  Sample: 0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: 0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
Size: 6.7MB
MD5: 0b3129ec9cb34319c157c23e0b36f8f7
SHA1: c0c83f99ef27a322e8f0d480a994c475fd75daae
SHA256: 9f89f4a5c89dbbaf63a637297270cd250206a41ecaf951838a7ca8bf80a4ff7f
SHA512: 1238dcb2fbc78e5ee6158c705cc31100d353dcc1723760639c3fcbb5d56125e12ba0147d53db59f5435102b83d96ca7192c5bffede332c6656192d5e79a8a841
SSDEEP: 196608:rJzEJEWcue+zXnEm1T4/t6279Bdf79eQuGYKaclcqr:1aEWcu7FTN2R7cQ/YK7cY
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation
  Process: asc-setup.tmp

Executes dropped EXE (3 IoCs)
  PID   Process
  3892  asc-setup.exe
  1300  asc-setup.tmp
  4732  Aup.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: 0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe, asc-setup.exe, asc-setup.tmp, Aup.exe

Suspicious behavior: EnumeratesProcesses (50 IoCs)
  PID   Process
  4732  Aup.exe  (50 occurrences)

Suspicious use of WriteProcessMemory (9 IoCs)
  Description                       PID   Process                                              Target procid
  PID 640 wrote to memory of 3892   640   0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe   82  (3 occurrences)
  PID 3892 wrote to memory of 1300  3892  asc-setup.exe                                        83  (3 occurrences)
  PID 1300 wrote to memory of 4732  1300  asc-setup.tmp                                        84  (3 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0b3129ec9cb34319c157c23e0b36f8f7_JaffaCakes118.exe"
   PID: 640
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\nsjAAF6.tmp\asc-setup.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\nsjAAF6.tmp\asc-setup.exe
      PID: 3892
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\is-PQE5R.tmp\asc-setup.tmp
         Command line: "C:\Users\Admin\AppData\Local\Temp\is-PQE5R.tmp\asc-setup.tmp" /SL5="$A0052,6465748,158720,C:\Users\Admin\AppData\Local\Temp\nsjAAF6.tmp\asc-setup.exe"
         PID: 1300
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\is-JRR5P.tmp\Aup.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-JRR5P.tmp\Aup.exe" /upgrade
            PID: 4732
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 416KB
MD5: 1d227476fa73d6d1ad23467c25fe036a
SHA1: 3f2d40e4ef5d5c9cdc989e894ad71cdbaf1de3aa
SHA256: d2047d9d932fe48daf99ccf54323a236b16e881c74830d0d6c66ec0cd6614299
SHA512: f59da9bd09280f20e9cac75d70f81c286f5f9de1c2c155cc49cdde7415faef5e929e70da15cd8d16ab6d67ae400f0e8b1a8990b0108887e9b2077a369e11f985

Filesize: 1.1MB
MD5: 72a7ba5e9cc4e5e7b583735a83220712
SHA1: 08c89a2d5c8c875b44e87a52659617879b8cc25d
SHA256: 6fa7dfa86eb9eb7aadb851b0eee1ad3a6fde701e80b3fd4e838638f9df2f648a
SHA512: 97a1bc0bbea270a99709ce82bd3bce2ec0b2b7120fae3d9315969abfeddf0ef6d9cf22befd165c4cd2022d837f8ce03616ee17b9080e294e4bef67e0aaabe6c4

Filesize: 6.7MB
MD5: d90ea525c94bc94bd0c65d366b6d61d9
SHA1: cf5cef61a6317fa4fdffb6732631c3dc9fdfb76a
SHA256: 5e02992ab6c4424d3cbfec4ea51364ab3945264411e83ed1ead52967cfeb6c29
SHA512: eb7baf21d162d5096c7e959adf4bcf5df4c9ffa08107e9c44d8a6c5961fa738a9bc427af972543c7606b74bc7d74ef314122fbbb2d17121e3d3a2d5d0e1e0b0e