Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2024 22:48
Behavioral task
- behavioral1
- Sample: 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe
- Size: 782KB
- MD5: 373212a60a8702b87c205cf0179d423d
- SHA1: 47bc8210c282aa1faba6e423154504d8e28a48e6
- SHA256: 32c32ba223885385007dea2bb1904096b4dbf7dd6de2d4d816e3d600bb960cbe
- SHA512: cba825c1739ed9fceb2a3dd983e159549cfa10ed4f67c183d5eb6d36b403d032b005fdf3ebc897db33e12e049f2941fc84072c4de7ac0dbaeca33ea8cae0a1cd
- SSDEEP: 12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1h:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8A
Malware Config
Extracted
- urelas
  - 1.234.83.146
  - 133.242.129.155
  - 218.54.31.226
  - 218.54.31.165
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe, lalup.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (lalup.exe)
- Executes dropped EXE (2 IoCs)
  Processes: lalup.exe, hiydm.exe
  - PID 3092: lalup.exe
  - PID 1528: hiydm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: cmd.exe, hiydm.exe, 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe, lalup.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (hiydm.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (lalup.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: hiydm.exe
  - PID 1528: hiydm.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: hiydm.exe
  - Token: 33, PID 1528, hiydm.exe
  - Token: SeIncBasePriorityPrivilege, PID 1528, hiydm.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe, lalup.exe
  - PID 2608 wrote to memory of 3092: 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe -> lalup.exe (3 entries)
  - PID 2608 wrote to memory of 764: 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe -> cmd.exe (3 entries)
  - PID 3092 wrote to memory of 1528: lalup.exe -> hiydm.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe"
  PID: 2608
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\lalup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lalup.exe"
    PID: 3092
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\hiydm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hiydm.exe"
      PID: 1528
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 764
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads