Analysis
- max time kernel: 96s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2024 15:35
Behavioral task: behavioral1
- Sample: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe
- Resource: win7-20241010-en
General
- Target: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe
- Size: 235KB
- MD5: 3acb5bb9fda51fa3ab0a140557827dfa
- SHA1: 7c4b46d51217b769cf77354efb6aa3ebfb2da8a9
- SHA256: e6114989f8f8925c40f72aeda9791ac89effd4ff8097aea617e3d43254604245
- SHA512: 8baeda5dc629dbd9bad255f0deb26d71a29c2ffbc49d7883bc6e5e42adb59c60544b5f688f6efac0201a04f494e566cd23936d908507ff44f246ee88fc809938
- SSDEEP: 3072:K8ASpvo0LKrXEX65ezpxJ2kbJ7mv73E2o/9sY2K:ZASpvo0LKkRzpxJ2kRqroiK
Malware Config
Extracted: urelas
- 112.175.88.207
- 112.175.88.208
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (process: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  Processes: huter.exe
    PID 1352: huter.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe, huter.exe, cmd.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: huter.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe
    PID 2288 wrote to memory of PID 1352: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe -> huter.exe
    PID 2288 wrote to memory of PID 1352: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe -> huter.exe
    PID 2288 wrote to memory of PID 1352: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe -> huter.exe
    PID 2288 wrote to memory of PID 3196: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe -> cmd.exe
    PID 2288 wrote to memory of PID 3196: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe -> cmd.exe
    PID 2288 wrote to memory of PID 3196: 3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe -> cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3acb5bb9fda51fa3ab0a140557827dfa_JaffaCakes118.exe"
  PID: 2288
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\huter.exe (child of PID 2288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
    PID: 1352
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2288)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 3196
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512B
  MD5: 7295fb9368a0ef278de4b9755bf9fa1b
  SHA1: db5fa220d77ed7824ae0a4f822e0ce46010a5d77
  SHA256: dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98
  SHA512: dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a
- Filesize: 235KB
  MD5: 3c1baefee080fe75cf9082f87894a318
  SHA1: 6b36a08b3a8bdffba4b0b4d445ee084d5555a3b7
  SHA256: 2b019042495a6bb8e78ce37487b7436883a69ee5c787e62c53173d34fe823c44
  SHA512: 27c939e14c30002e7a692b5e714cb54e7a0a26ac89165628189121ca9479b665e20df71bea7486e9474a499f7064cd10ad9f0d0573f76fd107ad54d5f3d979d0
- Filesize: 302B
  MD5: 738257222c3a75b45038af74dab702e2
  SHA1: 0000e6b5af00c950395b6d6cfff505ed8fba236c
  SHA256: 40a19efc33e90526bd8a093845b0dff43c8a2670b121d1f1f683a180eb210da2
  SHA512: f2b21f6cd7a05dcb50a3bce04374d27c41182221affd385c8dba1f7ec91da51eaaf84e04ecd57d699d81cc8e84e8d1f19881e274647b9463553c38ad6dc98714