Analysis
max time kernel: 149s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2024 03:58
Static task: static1
Behavioral task: behavioral1
  Sample: 0dce69f8f7a08fe4392ebf7c1b3433b7_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 0dce69f8f7a08fe4392ebf7c1b3433b7_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 0dce69f8f7a08fe4392ebf7c1b3433b7_JaffaCakes118.exe
Size: 712KB
MD5: 0dce69f8f7a08fe4392ebf7c1b3433b7
SHA1: 89edc36bb972bd101c1d3f3086317cb99e7a30f9
SHA256: 67d6ceb546460c62e80d6692320b2d47d266ab6682d51c43a7cf3d334a54f5a0
SHA512: 02d244a2b606545c2d8ad8304f02e63f906e10c9f0b24ff0e8d2f2fc6e77690a207431a679c9dc454281d65afee188b4c413f9ffb8b17be6b24618cb26572803
SSDEEP: 12288:fpamkOy/A87XKBtK5+oxqpnvqZExktE9wQJ2yy8lvsOqH2gOlh:fIfOyZqQlvy9wQQyH/gOL
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID   Process
  4228  StpAE22_TMP.EXE
  4980  is-49JUF.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0dce69f8f7a08fe4392ebf7c1b3433b7_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  StpAE22_TMP.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  is-49JUF.tmp
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description                       PID   Process                                             procid_target
  PID 3560 wrote to memory of 4228  3560  0dce69f8f7a08fe4392ebf7c1b3433b7_JaffaCakes118.exe  82
  PID 3560 wrote to memory of 4228  3560  0dce69f8f7a08fe4392ebf7c1b3433b7_JaffaCakes118.exe  82
  PID 3560 wrote to memory of 4228  3560  0dce69f8f7a08fe4392ebf7c1b3433b7_JaffaCakes118.exe  82
  PID 4228 wrote to memory of 4980  4228  StpAE22_TMP.EXE                                     83
  PID 4228 wrote to memory of 4980  4228  StpAE22_TMP.EXE                                     83
  PID 4228 wrote to memory of 4980  4228  StpAE22_TMP.EXE                                     83
Processes
1. C:\Users\Admin\AppData\Local\Temp\0dce69f8f7a08fe4392ebf7c1b3433b7_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0dce69f8f7a08fe4392ebf7c1b3433b7_JaffaCakes118.exe"
   PID: 3560
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\StpAE22_TMP.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\StpAE22_TMP.EXE"
      PID: 4228
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\is-KIACV.tmp\is-49JUF.tmp
         Command line: "C:\Users\Admin\AppData\Local\Temp\is-KIACV.tmp\is-49JUF.tmp" /SL4 $601CE "C:\Users\Admin\AppData\Local\Temp\StpAE22_TMP.EXE" 443774 52224
         PID: 4980
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 664KB
  MD5: 127b433fba029b7f26580fb31d5681fa
  SHA1: d65f2256808589a6ec01124e637d8fb9514feb3f
  SHA256: 00163fafa9f5b5f81728c1a5b4d7c7210f766e039d00d61dcbf9798a47d4188f
  SHA512: bcebbea9cb9afb5617c715141ca3b877d9309091a80e1f7edab92a08c6bbe1739d196ed7b7e7f54abd769933b60799053abd9c3f3d56d5aaeb1188be0de79507
- Filesize: 656KB
  MD5: 4fa180886ff7c0fd86a65f760ede6318
  SHA1: 2c89c271c71531362e84ddab5d3028f0756a9281
  SHA256: 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c
  SHA512: a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd