Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 00:57

Static task: static1

Behavioral task: behavioral1
  Sample: 28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General

Target: 28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe
Size: 225KB
MD5: 28131be3d75a7824c137edb70f1940a5
SHA1: 0005a7be8633de2e4b0c8220317c6ac9afaf7cd4
SHA256: d3415b3f45c0cc0149b352f0fbeac0225a98b70a93b99682a5ea346d37f5f204
SHA512: ebbd4d7197f1c7267f04b9ef2efb25749f5015ac2199a08cee958a0e330b9ae9d8fd198bd5d02469e872e5ba82d291f37ed161be86c3b697fbe2495de331d74c
SSDEEP: 3072:VTTz7E25tzKGn45kIIerkDcRQHfKlTbNUYdhofDnLNHHn7k+Mfe7qDBhkmwO9JOH:1lGC41kD61SfDLNq8O9J47
Malware Config

Signatures

Checks computer location settings  (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description         ioc                                                                                                        Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation   28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe

Executes dropped EXE  (1 IoC)
  pid    Process
  4012   gcnyv.exe

Loads dropped DLL  (1 IoC)
  pid    Process
  4012   gcnyv.exe

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash  (15 IoCs)
  pid    pid_target   Process        procid_target
  3368   4592         WerFault.exe   82
  1936   4592         WerFault.exe   82
  4740   4592         WerFault.exe   82
  1700   4592         WerFault.exe   82
  4488   4592         WerFault.exe   82
  3248   4592         WerFault.exe   82
  2740   4592         WerFault.exe   82
  2732   4592         WerFault.exe   82
  2408   4012         WerFault.exe   109
  2452   4012         WerFault.exe   109
  5076   4012         WerFault.exe   109
  1696   4012         WerFault.exe   109
  4028   4012         WerFault.exe   109
  1960   4012         WerFault.exe   109
  1272   4012         WerFault.exe   109

System Location Discovery: System Language Discovery  (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   taskkill.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   PING.EXE
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   gcnyv.exe

System Network Configuration Discovery: Internet Connection Discovery  (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  Note: the ping observed here is "ping -n 3 127.1", i.e. three echoes to loopback. In this sample it serves as a delay before the delete/relaunch step of the cmd.exe chain, not as a connectivity check.
  pid    Process
  3752   cmd.exe
  2888   PING.EXE

Kills process with taskkill  (1 IoC)
  pid    Process
  1812   taskkill.exe

Runs ping.exe  (1 TTP, 1 IoC)
  pid    Process
  2888   PING.EXE

Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  pid    Process
  4012   gcnyv.exe

Suspicious use of AdjustPrivilegeToken  (1 IoC)
  description                pid    Process
  Token: SeDebugPrivilege    1812   taskkill.exe

Suspicious use of FindShellTrayWindow  (3 IoCs)
  pid    Process
  4012   gcnyv.exe
  4012   gcnyv.exe
  4012   gcnyv.exe

Suspicious use of SendNotifyMessage  (3 IoCs)
  pid    Process
  4012   gcnyv.exe
  4012   gcnyv.exe
  4012   gcnyv.exe

Suspicious use of WriteProcessMemory  (12 IoCs)
  description                        pid    Process                                              procid_target
  PID 4592 wrote to memory of 3752   4592   28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe   101
  PID 4592 wrote to memory of 3752   4592   28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe   101
  PID 4592 wrote to memory of 3752   4592   28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe   101
  PID 3752 wrote to memory of 1812   3752   cmd.exe                                              105
  PID 3752 wrote to memory of 1812   3752   cmd.exe                                              105
  PID 3752 wrote to memory of 1812   3752   cmd.exe                                              105
  PID 3752 wrote to memory of 2888   3752   cmd.exe                                              108
  PID 3752 wrote to memory of 2888   3752   cmd.exe                                              108
  PID 3752 wrote to memory of 2888   3752   cmd.exe                                              108
  PID 3752 wrote to memory of 4012   3752   cmd.exe                                              109
  PID 3752 wrote to memory of 4012   3752   cmd.exe                                              109
  PID 3752 wrote to memory of 4012   3752   cmd.exe                                              109
Processes

Tree depth is shown by indentation; each entry gives the image path, the PID and the command line as logged, followed by the signatures that process triggered.

C:\Users\Admin\AppData\Local\Temp\28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe  (PID 4592)
  command line: "C:\Users\Admin\AppData\Local\Temp\28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 648   (PID 3368)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 712   (PID 1936)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 856   (PID 4740)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 880   (PID 1700)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 868   (PID 4488)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1016  (PID 3248)  - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1028  (PID 2740)  - Program crash

    C:\Windows\SysWOW64\cmd.exe  (PID 3752)
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 4592 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\gcnyv.exe -f
      (self-delete and relaunch chain: force-kill the parent PID 4592, wait on a loopback ping, delete the original from Temp, then start the dropped copy gcnyv.exe with -f)
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe  (PID 1812)
          command line: taskkill /f /pid 4592
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\PING.EXE  (PID 2888)
          command line: ping -n 3 127.1
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

        C:\Users\Admin\AppData\Local\gcnyv.exe  (PID 4012)
          command line: C:\Users\Admin\AppData\Local\gcnyv.exe -f
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

            C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 832   (PID 2408)  - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 900   (PID 2452)  - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1176  (PID 5076)  - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1180  (PID 1696)  - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1172  (PID 4028)  - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1208  (PID 1960)  - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1248  (PID 1272)  - Program crash

    C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 140   (PID 2732)  - Program crash

Top-level WerFault instances (no signatures triggered):
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4592 -ip 4592  (PID 4968)
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4592 -ip 4592  (PID 2512)
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4592 -ip 4592  (PID 2260)
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4592 -ip 4592  (PID 5012)
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4592 -ip 4592  (PID 4040)
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4592 -ip 4592  (PID 2828)
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4592 -ip 4592  (PID 4228)
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4592 -ip 4592  (PID 2152)
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4012 -ip 4012  (PID 3992)
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4012 -ip 4012  (PID 2016)
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4012 -ip 4012  (PID 760)
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4012 -ip 4012  (PID 1736)
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4012 -ip 4012  (PID 3936)
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4012 -ip 4012  (PID 1072)
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4012 -ip 4012  (PID 2408)
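The cmd.exe command line above is the part of this report worth turning into detection logic: a dropper that force-kills its own parent, sleeps on a loopback ping, deletes the original file from Temp and relaunches a copy from %LOCALAPPDATA%. The script below is an added example, not part of the sandbox report or of the sample. It rebuilds a small process list from the PIDs and command lines shown in the tree (constructed data, the Proc record type is hypothetical), flags any cmd.exe whose command line carries that chain while checking that the kill target and the deleted path really are its parent, and maps the in-process "WerFault.exe -u -p <pid>" handlers back to the process that crashed (the 15 rows the "Program crash" signature counts; the top-level -pss instances are left out).

```python
"""Added example, not part of the sandbox report or the sample.

Triage a sandbox process list for the taskkill / ping / del / start
self-delete-and-relaunch chain shown in the process tree above, and map the
WerFault crash handlers back to the process that crashed. The Proc records are
constructed from the PIDs and command lines in the report; the Proc type, the
regexes and the result keys are hypothetical analyst tooling.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 marks a root of the sandbox process tree
    image: str     # full image path as logged by the sandbox
    cmdline: str


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\28131be3d75a7824c137edb70f1940a5_JaffaCakes118.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\gcnyv.exe"

# Constructed from the report's process tree (only the rows the two checks need).
PROCS = [
    Proc(4592, 0, SAMPLE_EXE, '"' + SAMPLE_EXE + '"'),
    Proc(3752, 4592, r"C:\Windows\SysWOW64\cmd.exe",
         '"C:\\Windows\\System32\\cmd.exe" /c taskkill /f /pid 4592 & ping -n 3 127.1'
         ' & del /f /q "' + SAMPLE_EXE + '" & start ' + DROPPED_EXE + ' -f'),
    Proc(1812, 3752, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /pid 4592"),
    Proc(2888, 3752, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.1"),
    Proc(4012, 3752, DROPPED_EXE, DROPPED_EXE + " -f"),
]
# The in-process "WerFault.exe -u -p <pid> -s <n>" handlers, parented to the PID they report on.
PROCS += [
    Proc(pid, target, r"C:\Windows\SysWOW64\WerFault.exe",
         "C:\\Windows\\SysWOW64\\WerFault.exe -u -p %d -s %d" % (target, s_arg))
    for pid, target, s_arg in [
        (3368, 4592, 648), (1936, 4592, 712), (4740, 4592, 856), (1700, 4592, 880),
        (4488, 4592, 868), (3248, 4592, 1016), (2740, 4592, 1028), (2732, 4592, 140),
        (2408, 4012, 832), (2452, 4012, 900), (5076, 4012, 1176), (1696, 4012, 1180),
        (4028, 4012, 1172), (1960, 4012, 1208), (1272, 4012, 1248),
    ]
]

# Matches the exact operator order seen in this sample; other droppers reorder or
# drop steps, so treat each group as an independent indicator when generalising.
CHAIN_RE = re.compile(
    r'taskkill\s+/f\s+/pid\s+(?P<kill_pid>\d+)\s*&\s*'
    r'ping\s+-n\s+(?P<count>\d+)\s+(?P<host>\S+)\s*&\s*'
    r'del\s+/f\s+/q\s+"?(?P<victim>[^"&]+?)"?\s*&\s*'
    r'start\s+"?(?P<dropped>[^"&\s]+)',
    re.IGNORECASE,
)
LOOPBACK = {"127.1", "127.0.0.1", "localhost", "::1"}


def find_self_delete_chains(procs):
    """Return one finding per cmd.exe whose command line kills its parent, sleeps via
    ping, deletes the parent's image and starts another executable."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = CHAIN_RE.search(p.cmdline)
        if not m:
            continue
        parent = by_pid.get(p.ppid)
        findings.append({
            "cmd_pid": p.pid,
            "kills_own_parent": parent is not None and int(m["kill_pid"]) == parent.pid,
            "deletes_parent_image": parent is not None
                                    and m["victim"].lower() == parent.image.lower(),
            "ping_count": int(m["count"]),
            "loopback_sleep": m["host"].lower() in LOOPBACK,   # ping to self = delay, not recon
            "relaunched_as": m["dropped"],
        })
    return findings


def crash_targets(procs):
    """Map each PID named in a WerFault '-p <pid>' argument to (image, crash count)."""
    by_pid = {p.pid: p for p in procs}
    counts = Counter()
    for p in procs:
        if not p.image.lower().endswith("\\werfault.exe"):
            continue
        m = re.search(r"\s-p\s+(\d+)", p.cmdline)   # '-pss' has no digits after it
        if m:
            counts[int(m.group(1))] += 1
    return {pid: (by_pid[pid].image if pid in by_pid else None, n)
            for pid, n in counts.items()}


if __name__ == "__main__":
    import json
    print(json.dumps({"chains": find_self_delete_chains(PROCS),
                      "crashes": crash_targets(PROCS)}, indent=2))
```

Run against the constructed list it reports one chain (cmd.exe 3752 kills and deletes its parent 4592, loopback ping count 3, relaunch target gcnyv.exe) and eight crashes for 4592 against seven for 4012. The parent checks are what keep the rule useful: a command line that kills and deletes an unrelated process is interesting but different, and in real telemetry you would take ppid and image from the EDR process-create event rather than from a report.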
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 225KB
MD5: 28131be3d75a7824c137edb70f1940a5
SHA1: 0005a7be8633de2e4b0c8220317c6ac9afaf7cd4
SHA256: d3415b3f45c0cc0149b352f0fbeac0225a98b70a93b99682a5ea346d37f5f204
SHA512: ebbd4d7197f1c7267f04b9ef2efb25749f5015ac2199a08cee958a0e330b9ae9d8fd198bd5d02469e872e5ba82d291f37ed161be86c3b697fbe2495de331d74c