Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/10/2024, 04:58
Static task: static1
Behavioral task: behavioral1
- Sample: 2b45d306748783877e2f062672373e6d_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2b45d306748783877e2f062672373e6d_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 2b45d306748783877e2f062672373e6d_JaffaCakes118.exe
- Size: 14KB
- MD5: 2b45d306748783877e2f062672373e6d
- SHA1: f53e55804eee1806514078c92b0693e5e710b10d
- SHA256: 5e6ab6edfa5faa86458d5f92fdd3f70f5ca34643ecc8a77f6cdbc007cf2162b0
- SHA512: 7c19aacbd64d2d57900d7f2c54949aab88e670affa26e8f84276738dd9d91d0e917e269b3fcbe581064eef0311948ea51437d91e069a9d6f8cb2307b7b3f1c80
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhf:hDXWipuE+K3/SSHgxh
Malware Config
Signatures
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | DEMB13F.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | DEM819.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | DEM5E57.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | DEMB4E4.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | DEMB41.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 2b45d306748783877e2f062672373e6d_JaffaCakes118.exe |
Executes dropped EXE (6 IoCs)

| pid | Process |
| --- | --- |
| 3620 | DEMB13F.exe |
| 1056 | DEM819.exe |
| 2244 | DEM5E57.exe |
| 4976 | DEMB4E4.exe |
| 1816 | DEMB41.exe |
| 1112 | DEM6160.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM6160.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b45d306748783877e2f062672373e6d_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMB13F.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM819.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM5E57.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMB4E4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMB41.exe |
Suspicious use of WriteProcessMemory (18 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 4812 wrote to memory of 3620 | 4812 | 2b45d306748783877e2f062672373e6d_JaffaCakes118.exe | 87 |
| PID 4812 wrote to memory of 3620 | 4812 | 2b45d306748783877e2f062672373e6d_JaffaCakes118.exe | 87 |
| PID 4812 wrote to memory of 3620 | 4812 | 2b45d306748783877e2f062672373e6d_JaffaCakes118.exe | 87 |
| PID 3620 wrote to memory of 1056 | 3620 | DEMB13F.exe | 94 |
| PID 3620 wrote to memory of 1056 | 3620 | DEMB13F.exe | 94 |
| PID 3620 wrote to memory of 1056 | 3620 | DEMB13F.exe | 94 |
| PID 1056 wrote to memory of 2244 | 1056 | DEM819.exe | 97 |
| PID 1056 wrote to memory of 2244 | 1056 | DEM819.exe | 97 |
| PID 1056 wrote to memory of 2244 | 1056 | DEM819.exe | 97 |
| PID 2244 wrote to memory of 4976 | 2244 | DEM5E57.exe | 99 |
| PID 2244 wrote to memory of 4976 | 2244 | DEM5E57.exe | 99 |
| PID 2244 wrote to memory of 4976 | 2244 | DEM5E57.exe | 99 |
| PID 4976 wrote to memory of 1816 | 4976 | DEMB4E4.exe | 101 |
| PID 4976 wrote to memory of 1816 | 4976 | DEMB4E4.exe | 101 |
| PID 4976 wrote to memory of 1816 | 4976 | DEMB4E4.exe | 101 |
| PID 1816 wrote to memory of 1112 | 1816 | DEMB41.exe | 104 |
| PID 1816 wrote to memory of 1112 | 1816 | DEMB41.exe | 104 |
| PID 1816 wrote to memory of 1112 | 1816 | DEMB41.exe | 104 |
Processes (process tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\2b45d306748783877e2f062672373e6d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2b45d306748783877e2f062672373e6d_JaffaCakes118.exe"
   PID: 4812
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\DEMB13F.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB13F.exe"
      PID: 3620
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\DEM819.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM819.exe"
         PID: 1056
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\DEM5E57.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5E57.exe"
            PID: 2244
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\DEMB4E4.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB4E4.exe"
               PID: 4976
               - Checks computer location settings
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

               6. C:\Users\Admin\AppData\Local\Temp\DEMB41.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB41.exe"
                  PID: 1816
                  - Checks computer location settings
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                  7. C:\Users\Admin\AppData\Local\Temp\DEM6160.exe
                     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6160.exe"
                     PID: 1112
                     - Executes dropped EXE
                     - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
  MD5: 225289150b558f140bf3efc858c02b8b
  SHA1: ee175ca9472f1709fb80c9c6f74ebf6f063d408c
  SHA256: 3576ea052e124c9b3a3b2f067e9383ee2076b3b7f8c9d19b81df6ffe88583cc3
  SHA512: 3cd3a7a60402e8502a88e79130fdf1c1b7f854e652e1bd7cedfcc04193ce166d1c6b76442eacc018b5b23e3e2a13a2ca2496e83515d33cc3185a9029f4dabb2f
- Filesize: 14KB
  MD5: 3e4a043089525b2eccccf9558dfe5b3a
  SHA1: ad18d5a838cffda086cb9b9189d709655f54f7e7
  SHA256: e4d4a452215bebd7b67907c14a860a7795b281fbce742bb165f8a781b89e32da
  SHA512: 455adc1dcd036776f49f47c7b42da72e7a48f4b705403fc70326f49c4178563d42f8ede0aa084cc81e8e6960dc2fad1746f1e7a54f6ce7fec6a06b970f045e30
- Filesize: 14KB
  MD5: 60a9d40a9605618a8b8de581146b838a
  SHA1: 1d9eda648313b3360cf85c3f8659674938187d5b
  SHA256: a2af62c235ebbe1eb09eb2572953f19ed116081617c34b900ac8796c8592ccef
  SHA512: db31ccbd3bcbdcf70875d40ebff5ba880927aba5f9f81e74ee848ef764c2e524edf95ebe05fe2223cb40b83aa05fa0e345cdf1f0901c6334ffb8a8dd62ea1948
- Filesize: 14KB
  MD5: 7700b012f253a8f2773b56471307dc85
  SHA1: e99e462c5bfd358a70f6fd8d0ad0843111b1a40c
  SHA256: 7e0c1b77bcdd8095501ba42f6a8a82d21c2b9b41f964a6fb75512b707eb45721
  SHA512: f8af891a13380d8ec349714802b06a72cdff9e200ca6168cca99f64b4f821a92c8764fb5921a953730a7a31760d574ee6eef9a6fe8e5c595ae7ff2c00f90b6e9
- Filesize: 14KB
  MD5: 89019761ae3691decbb83bf16bb6e04e
  SHA1: f5ed926556eb1c8eb35a9616f0f6946deea998f8
  SHA256: 5e735315b4e7496dcc497463878744c8650b6b9565c43d2f1eb94b3c947b89d2
  SHA512: d59970524fc7b18935f3ce1e722d71b1e583c2510ee134f0a95e1d7ddfc1a8edcac1075772e02382eb02359275760be8fe1c07ee5aea3a3ab5dc215f49ca8fdc
- Filesize: 14KB
  MD5: 2943f01e0767178696479217f40a99d0
  SHA1: 5397ede3ce28fd3af134d693b45c2cae1c2c7862
  SHA256: 40a0a72cfcb9b217beb66708017089d82d21d939520ac2f211bfd710359f4481
  SHA512: 43fe64029ff273ef01e8b8e5c13c90f92d9449465fcfae2456df1b4d68b30a725a6af378cbe0b6fa7ed45532c099fe5d01730ecc64ef94c4318cb08caa2baf06