Analysis
- max time kernel: 140s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2024, 09:06
Static task: static1
Behavioral task: behavioral1
- Sample: 3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe
- Size: 229KB
- MD5: 3efa4c63013e65763a80b52bbcd8ccac
- SHA1: a84a5c5d49ad3acef2981fcbad9d84a6b4067d64
- SHA256: 9cb80439213e283cac43d65fb328d67bfcc602d21105409eeb1dcb237f68f7ee
- SHA512: 0743f2f728fc5c02075b2d003c763b21566dbb5209b5d9ddb4d6949aa7c954ef7040234a078f87026211f6337ba905d4335ef1ca7828780a3a4913fc824047e8
- SSDEEP: 6144:j4TxtTpNugCMBaGxD/kSFu/Y6E99dXDFWXkLUU:ExfCtED6/Y6ENxLUU
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 4824, process sxeA683.tmp
- Loads dropped DLL (2 IoCs)
  pid 4740, process 3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe
  pid 4740, process 3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process 3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process sxeA683.tmp
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4740 wrote to memory of 4824; pid 4740, process 3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe, procid_target 84
  PID 4740 wrote to memory of 4824; pid 4740, process 3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe, procid_target 84
  PID 4740 wrote to memory of 4824; pid 4740, process 3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe, procid_target 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3efa4c63013e65763a80b52bbcd8ccac_JaffaCakes118.exe"
   PID: 4740
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\sxeA683.tmp (child of process 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\sxeA683.tmp"
   PID: 4824
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 15KB
  MD5: bd815b61f9948f93aface4033fbb4423
  SHA1: b5391484009b39053fc8b1bba63d444969bafcfa
  SHA256: b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76
  SHA512: a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71
- Filesize: 440KB
  MD5: 71c98a68a8d72143451680aedd590753
  SHA1: d9be40179035621cf58e4102db1a13a967ae7107
  SHA256: c39aa90e37f37a7fbd6301f3a067236b783620f7d3a8e21a96a5d504db205265
  SHA512: c791ff977cb162e51ac56cbc959bb64286d2db06cd4293c75bd6a3279f13cae305b5e62565f4b8f4917f90dcfdd45d42d7eec94ef1a704e86caee1c4b8d923a8