Analysis
max time kernel: 142s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 00:50
Static task: static1
Behavioral task: behavioral1
Sample: 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe
Size: 132KB
MD5: 27fcf2b5cea97e7f0b46efc56c4e51d3
SHA1: 3ed676010997f7b0784c3969a5e625ab8460fecc
SHA256: e60164d938a58fb1cb736cd395dfa9c7db0126d4f3c326c48fe47372c9151f41
SHA512: ba81363c7db6a5e84745702c7cb11d2273aab352110e6a09c12ffa102b27f0f80e2170881cdc869e7c7d7d132999e540c98332317205e1edbdeed755849f6660
SSDEEP: 1536:5TvlubSHe/jHLsh6LctKWH0gEtWTE/rli5Z1nWvjI4TWRtss+cfWAY+/Vb2XmzfH:5cbFvLctKWAW8AB8baRts4WNg2Xmav
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
4404 | taskhost.exe
3936 | taskhost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\taskhost.exe" | taskhost.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4260 set thread context of 4004 | 4260 | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe | 84
PID 4404 set thread context of 3936 | 4404 | taskhost.exe | 88

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4728 | 4260 | WerFault.exe | 82
4536 | 4404 | WerFault.exe | 87

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskhost.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 4260 wrote to memory of 4004 | 4260 | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe | 84
PID 4260 wrote to memory of 4004 | 4260 | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe | 84
PID 4260 wrote to memory of 4004 | 4260 | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe | 84
PID 4260 wrote to memory of 4004 | 4260 | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe | 84
PID 4260 wrote to memory of 4004 | 4260 | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe | 84
PID 4004 wrote to memory of 4404 | 4004 | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe | 87
PID 4004 wrote to memory of 4404 | 4004 | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe | 87
PID 4004 wrote to memory of 4404 | 4004 | 27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe | 87
PID 4404 wrote to memory of 3936 | 4404 | taskhost.exe | 88
PID 4404 wrote to memory of 3936 | 4404 | taskhost.exe | 88
PID 4404 wrote to memory of 3936 | 4404 | taskhost.exe | 88
PID 4404 wrote to memory of 3936 | 4404 | taskhost.exe | 88
PID 4404 wrote to memory of 3936 | 4404 | taskhost.exe | 88
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe"
PID: 4260
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\27fcf2b5cea97e7f0b46efc56c4e51d3_JaffaCakes118.exe
    PID: 4004
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
        PID: 4404
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
            Command line: C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
            PID: 3936
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 256
            PID: 4536
            - Program crash

    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 304
    PID: 4728
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4260 -ip 4260
PID: 3648

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4404 -ip 4404
PID: 1876
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 132KB
MD5: 2da321ee2d987b5219b158a60d299398
SHA1: cde2d2937299dc5c177b183bd5c531695f90c215
SHA256: e7d9b93225ad64f3381a8c9a8e55e163a4e5bcf2221335ddfccdc6eb7cea8a46
SHA512: c478bec8a77dc012c404056150f727f34d9d88d3734cad914419eb9895d9ba0443dee38f844cc98108a9bb167a01569c3d7dd9f9d13976c05d633979b43098b3