Analysis
- max time kernel: 148s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2024 18:07
Behavioral task: behavioral1
- Sample: 4150869444302f78451b1d4834933554_JaffaCakes118.exe
- Resource: win7-20241010-en
General
- Target: 4150869444302f78451b1d4834933554_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 4150869444302f78451b1d4834933554
- SHA1: 7767ed14ff5aa6d9554665ac52994bdfb90b6dd9
- SHA256: ff7d56c1a7efc795cbd031c054dedfe8fa354a370b212a8a8e10be62d263cad0
- SHA512: 4a4dba2b633b6902bfd07a56679c2d97123b56431aecbd97edfb8b49c42f2789e05a04aaeb9abf03381ff1349f08ac456bfb82276065fe4fdc6c9f152694b437
- SSDEEP: 12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YN:tcykpY5852j6aJGl5cqBA
Malware Config
- Extracted: urelas
  - 218.54.31.165
  - 218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
| description | ioc | process |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 4150869444302f78451b1d4834933554_JaffaCakes118.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | gyyxz.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | xupeci.exe |
Executes dropped EXE (3 IoCs)
Processes:
| pid | process |
| 1796 | gyyxz.exe |
| 4524 | xupeci.exe |
| 4996 | ibsum.exe |
Processes:
| resource | yara_rule |
| C:\Users\Admin\AppData\Local\Temp\ibsum.exe | upx |
| behavioral2/memory/4996-40-0x0000000000400000-0x0000000000599000-memory.dmp | upx |
| behavioral2/memory/4996-44-0x0000000000400000-0x0000000000599000-memory.dmp | upx |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
| description | ioc | process |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ibsum.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4150869444302f78451b1d4834933554_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gyyxz.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xupeci.exe |
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes (the same pid/process pair accounts for all 26 IoCs):
| pid | process |
| 4996 | ibsum.exe |
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (each row below is reported three times, giving 15 IoCs in total):
| description | pid | process | target process |
| PID 4576 wrote to memory of 1796 | 4576 | 4150869444302f78451b1d4834933554_JaffaCakes118.exe | gyyxz.exe |
| PID 4576 wrote to memory of 1060 | 4576 | 4150869444302f78451b1d4834933554_JaffaCakes118.exe | cmd.exe |
| PID 1796 wrote to memory of 4524 | 1796 | gyyxz.exe | xupeci.exe |
| PID 4524 wrote to memory of 4996 | 4524 | xupeci.exe | ibsum.exe |
| PID 4524 wrote to memory of 1376 | 4524 | xupeci.exe | cmd.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\4150869444302f78451b1d4834933554_JaffaCakes118.exe (PID 4576)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4150869444302f78451b1d4834933554_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gyyxz.exe (PID 1796)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gyyxz.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\xupeci.exe (PID 4524)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xupeci.exe" OK
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ibsum.exe (PID 4996)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ibsum.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (PID 1376)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1060)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads