Analysis
Max time kernel: 150s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05/10/2024, 06:55

Static task: static1
Behavioral task: behavioral1
  Sample: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
(The signatures, process tree and IoCs below are from behavioral2, the Windows 10 run.)
General
Target: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe
Size: 288KB
MD5: 169dcb0a9c96559067317b8de65687fe
SHA1: 1528dc67122869d8ba85ac4fbdd3467359aa7654
SHA256: 8ebafe4eaf4e812f1ededafd0260d438727c7b127748aba00cd4c6e5c241652e
SHA512: 5243ac7bf702438f92bfd343fdf9d95d153f7dff4211b943f654f19209eea8d5a6e81f00bb7b13c5d783076e612e990b3b2468ea5d84141116bbaf6edeff9343
SSDEEP: 1536:bopXMphhl/dKxHZ+u+SXq/fiTvlATmeX4Z4R4H4i4/o9FKs0z2xoetEPnyexeyZU:7BVww7ucz9/tBH3H3e
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: gbwoet.exe)
A value of 0 corresponds to Explorer's "Hide protected operating system files" option, so files carrying the hidden+system attributes stay out of directory listings even if the user had turned that option off. Note that 0 is also the Windows default, so on its own this value is weak evidence; it is the explicit write by the dropped executable that matters.
Checks computer location settings (2 TTPs, 1 IoC)
Queries the country code configured in the registry, a common geofencing check used to abort or change behaviour in particular regions.
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (process: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe)
Executes dropped EXE (1 IoC)
PID 2864 gbwoet.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gbwoet = "C:\\Users\\Admin\\gbwoet.exe" (process: gbwoet.exe)
The dropped copy registers itself under the current user's Run key, so it restarts at every logon of that user without needing elevation.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No individual IoC is recorded for this signature.
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: gbwoet.exe)
Both the original sample and its dropped copy perform this check, consistent with the same code running twice.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 2864 gbwoet.exe: 64 recorded process-enumeration events (the report lists at most 64 IoCs per signature, so the true count may be higher).
Suspicious use of SetWindowsHookEx (2 IoCs)
PID 3944 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe
PID 2864 gbwoet.exe
Suspicious use of WriteProcessMemory (64 IoCs)
PID 3944 (169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe) wrote to memory of PID 2864 (gbwoet.exe), target procid 82: 3 events
PID 2864 (gbwoet.exe) wrote to memory of PID 3944 (169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe), target procid 80: 61 events
The procid values are the sandbox's internal process indices, not Windows PIDs. A handful of parent-to-child writes immediately after process creation is ordinary; the notable part is the dropped child repeatedly writing into its parent's address space, which is worth examining in a debugger or memory dump. The list is capped at 64 entries, so the child-to-parent count may be higher than 61.
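The registry, file and process indicators above map directly onto a host triage check. The following PowerShell script is an added example, not part of the sandbox report or of the sample, that looks for the same artifacts on a live Windows host: the Run value named gbwoet in every loaded user hive, the ShowSuperHidden write, a gbwoet.exe directly under a user profile (hashed against the two SHA256 values the report gives), and a running gbwoet process. The output format and the decision to treat ShowSuperHidden = 0 as supporting evidence only are the author's choices.

```powershell
# Added host-triage script for the artifacts in this report. Not part of the
# sandbox output or the sample. Run elevated so every loaded HKEY_USERS hive is readable.
#Requires -RunAsAdministrator

# SHA256 values taken from the report: the submitted sample and the file under Downloads.
$KnownSha256 = @(
    '8ebafe4eaf4e812f1ededafd0260d438727c7b127748aba00cd4c6e5c241652e',
    'a82ec073ee0a7b4b8871a08697f4791e90f95d7ffd3eea256ec50b1da31c2e44'
)
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Scope, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Scope = $Scope; Detail = $Detail })
}

# 1. Persistence: Run value "gbwoet" (or any Run value pointing at gbwoet.exe) in each user hive.
$sidRegex = '^S-1-5-21-\d+-\d+-\d+-\d+$'
foreach ($hive in Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match $sidRegex }) {
    $runKey = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -eq 'gbwoet' -or ($p.Value -is [string] -and $p.Value -match '\\gbwoet\.exe')) {
                Add-Finding 'RunKey' $hive.PSChildName "$($p.Name) = $($p.Value)"
            }
        }
    }
    # 2. Explorer setting written by the dropped copy. 0 is also the Windows default,
    #    so this is only meaningful alongside another finding.
    $advKey = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    if (Test-Path $advKey) {
        $v = (Get-ItemProperty -Path $advKey -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
        if ($v -eq 0) { Add-Finding 'ShowSuperHidden' $hive.PSChildName 'ShowSuperHidden = 0 (default value; supporting evidence only)' }
    }
}

# 3. Dropped file: the report places it directly under the user profile (C:\Users\Admin\gbwoet.exe).
foreach ($userDir in Get-ChildItem C:\Users -Directory) {
    $candidate = Join-Path $userDir.FullName 'gbwoet.exe'
    if (Test-Path $candidate) {
        $h = (Get-FileHash -Algorithm SHA256 -Path $candidate).Hash.ToLower()
        $verdict = if ($KnownSha256 -contains $h) { 'hash matches report' } else { 'name match only, hash differs' }
        Add-Finding 'DroppedFile' $userDir.Name "$candidate SHA256=$h ($verdict)"
    }
}

# 4. Live process: the report shows gbwoet.exe running from the profile root.
Get-Process -Name gbwoet -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Process' "PID $($_.Id)" "$($_.Path) (parent PID: $((Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)").ParentProcessId))"
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No gbwoet artifacts found.' }
```

A name-only file match is reported separately from a hash match because the sample is likely to be repacked between campaigns; the Run value name and the profile-root drop location are the more stable indicators here. The parent PID is included so that the parent-child relationship seen in the sandbox (original sample spawning the copy) can be compared against what is found on the host.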
Processes
C:\Users\Admin\AppData\Local\Temp\169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe (PID 3944, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\gbwoet.exe (PID 2864, depth 2, child of PID 3944)
    Command line: "C:\Users\Admin\gbwoet.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
The original sample drops a copy to the root of the user profile under a new name and launches it; the copy, not the original, installs the persistence and the Explorer setting.
Network
(No network indicators are listed in this report.)

MITRE ATT&CK Enterprise v15
Tactic                Technique                                     Sub-technique                                 Count
Privilege Escalation  Boot or Logon Autostart Execution (T1547)     Registry Run Keys / Startup Folder (T1547.001)   1
Defense Evasion       Hide Artifacts (T1564)                        Hidden Files and Directories (T1564.001)         1
Defense Evasion       Modify Registry (T1112)                                                                        2
The ATT&CK identifiers in parentheses are added for reference; the report itself lists only the technique names and counts.
Downloads
Filesize: 288KB
MD5: 579bcd9086c579e574ec2d4b7d1956d0
SHA1: d48d9711c54590bc25a0b1237602a173889df935
SHA256: a82ec073ee0a7b4b8871a08697f4791e90f95d7ffd3eea256ec50b1da31c2e44
SHA512: f4a573137ad1ab8cc93de519c4e22eeaae9e92796ea0e500ed38d65ff52265e246e86d5ce3f61963ad2177394e35682b77b3748622d2455669a626598aca5e88
This downloadable artifact has the same reported size as the submitted sample but different hashes; the report does not name the file, so do not assume it is byte-identical to either the original or the dropped gbwoet.exe without checking.