Analysis
max time kernel: 150s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2024 23:58
Behavioral task: behavioral1
Sample: 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
Size: 535KB
MD5: 3cb6a7288517a560ff1d380d8e8ebf50
SHA1: dda3e4cf1ee7638eb644bf5a6172b356a0aacb47
SHA256: a61b00289f9c9ea241546df20ef4b9740ffe672b6621db5d27ca6fa311b9488b
SHA512: 975d33ca1c97edd6232c8ac38f473b81c711465ea5d48059af4a2d245dd5e5a00aa32d39ed7bcf9580e9575de38a002d81e5f8a50dbc8d19d07ae8c83784fb13
SSDEEP: 12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2E:cLjQC+bs0YOE
Malware Config
Extracted: urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe, gyewl.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | gyewl.exe

Executes dropped EXE (2 IoCs)
Processes: gyewl.exe, polyy.exe
pid | process
3212 | gyewl.exe
208 | polyy.exe

Processes:
resource | yara_rule
behavioral2/memory/5076-0-0x0000000000400000-0x000000000048B000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\gyewl.exe | upx
behavioral2/memory/5076-13-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral2/memory/3212-16-0x0000000000400000-0x000000000048B000-memory.dmp | upx
behavioral2/memory/3212-26-0x0000000000400000-0x000000000048B000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe, gyewl.exe, cmd.exe, polyy.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gyewl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | polyy.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: polyy.exe
pid | process
208 | polyy.exe (64 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe, gyewl.exe
description | pid | process | target process
PID 5076 wrote to memory of 3212 | 5076 | 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe | gyewl.exe
PID 5076 wrote to memory of 3212 | 5076 | 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe | gyewl.exe
PID 5076 wrote to memory of 3212 | 5076 | 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe | gyewl.exe
PID 5076 wrote to memory of 4540 | 5076 | 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe | cmd.exe
PID 5076 wrote to memory of 4540 | 5076 | 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe | cmd.exe
PID 5076 wrote to memory of 4540 | 5076 | 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe | cmd.exe
PID 3212 wrote to memory of 208 | 3212 | gyewl.exe | polyy.exe
PID 3212 wrote to memory of 208 | 3212 | gyewl.exe | polyy.exe
PID 3212 wrote to memory of 208 | 3212 | gyewl.exe | polyy.exe
Processes

C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 5076

    C:\Users\Admin\AppData\Local\Temp\gyewl.exe (depth 2, child of PID 5076)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gyewl.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3212

        C:\Users\Admin\AppData\Local\Temp\polyy.exe (depth 3, child of PID 3212)
        Command line: "C:\Users\Admin\AppData\Local\Temp\polyy.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 208

    C:\Windows\SysWOW64\cmd.exe (depth 2, child of PID 5076)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
    PID: 4540
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 304B
MD5: f3ab88fe91ac7fa730e72c91aa008dc9
SHA1: f9f8f62100cb4a0c3fd56d2f2e5fd66ff10bba26
SHA256: 2db45ae9ccce1626f7df16c67b15deb74c16f6690fff7f5577843bf095491470
SHA512: 8045c1827b2c437656bd4c6fe301b3a9f5ffbd50cf320e0ef15852f38cd6b0898e2c2d2bbb67c3f52a4142e73f260247583512f08da9c1af6cf9a438767b24ec

Filesize: 512B
MD5: c484b5757f32e853976d9bfa65ce4297
SHA1: 071a17d0c9626d42d3ef1b154cf78c19b366efaa
SHA256: 89eee34262a38af181f4db87f6c4b89f89e36fbd64b75d6d4acf0810a7a8b61a
SHA512: 5be448758e67a77f94ea712cae261008fbeeda82129b57b235d66cf7c9f59047ce85eed416c35e78efbfa564b044c0daed074fb04cae7eed182c5c53a37ae66a

Filesize: 535KB
MD5: 90afcb180021eae006c7bc08ff0fb9f1
SHA1: 204666cdb3cf37609b0585491645c41d4a5b9cdc
SHA256: ce664eb97bf7c3088688937b68e0e0124abed29f0dff0d9615abcf62ca7e55ea
SHA512: bcae7263c20ba4d55db626f78ff7e6755adec7bc324f8f17c0811f5f2c76de07a984b28c8727f513315c4a23be9d0ead35ef7c7926aaa2fb361fec11a35aa8e8

Filesize: 241KB
MD5: 54a24a5f8d8f051adfc985c6f1d1504f
SHA1: a9f07d073df389d665ff9bcde181091c29b2b356
SHA256: 2d48368273b25659144d32829ecdab32fd004b8370974b9e9c9176798b5415fb
SHA512: 93e5b64e575d1aa58e73f76593c1bdb98f1dfc2a057aea292c0d8fbddabf48aa4a1259681dddf146001114c1ef97d48cc654bbff8d39312f4e9cd204d9a18799