Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 20:08
Behavioral task: behavioral1
Sample: 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe
Resource: win7-20241010-en
General

Target: 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe
Size: 446KB
MD5: 41d6464ffa1ec0d15308465a8187eea2
SHA1: 9e84fd1c73f389be7f2f86bc3c76808b2d5f5ffb
SHA256: aadaa8a794e656859ccb247ae5dc46a66920225db288f53237d8f3b2818db76a
SHA512: 9c09a2b7f128d179807975daa83b3c791fbb8762222fb8d29f0bac5dfc189f5f207ca0485680533f26ee3efd3668b3775486ff0a3d6cc436855222129621792f
SSDEEP: 6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpomn:PMpASIcWYx2U6hAJQn4
Malware Config

Extracted: urelas
218.54.31.165
218.54.31.226
Signatures
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: vehau.exe, funewo.exe, 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe

description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | vehau.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | funewo.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
Processes: vehau.exe, funewo.exe, seumq.exe

pid | process
976 | vehau.exe
1956 | funewo.exe
2316 | seumq.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: funewo.exe, seumq.exe, cmd.exe, 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe, vehau.exe, cmd.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | funewo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | seumq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vehau.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: seumq.exe

pid | process
2316 | seumq.exe (the same entry is recorded 64 times, one per IoC)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe, vehau.exe, funewo.exe

description | pid | process | target pid | target process | IoCs
PID 4764 wrote to memory of 976 | 4764 | 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe | 976 | vehau.exe | 3
PID 4764 wrote to memory of 4492 | 4764 | 41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe | 4492 | cmd.exe | 3
PID 976 wrote to memory of 1956 | 976 | vehau.exe | 1956 | funewo.exe | 3
PID 1956 wrote to memory of 2316 | 1956 | funewo.exe | 2316 | seumq.exe | 3
PID 1956 wrote to memory of 3300 | 1956 | funewo.exe | 3300 | cmd.exe | 3
Processes

C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\41d6464ffa1ec0d15308465a8187eea2_JaffaCakes118.exe"
  PID: 4764
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\vehau.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vehau.exe" hi
    PID: 976
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\funewo.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\funewo.exe" OK
      PID: 1956
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\seumq.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\seumq.exe"
        PID: 2316
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 3300
        - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 4492
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 304B
MD5: ef2b73166547b3fe2fef0e29b39daa45
SHA1: b08caa3a47057cd651723bfe72b77a936a7cce76
SHA256: ab80161a544631984b272ae21f52017e036866ec599eb85d295ed54eea8798d6
SHA512: cfa240597d2c6e3f11cab625b8b70b7eac6502764e19fa82995ada1b9631a9e64026369c73943fe08cebd16d096f6271bd03b55609b4e1b661aaf725b36292ca

Filesize: 224B
MD5: c712a9cf99dce76c14302cffe2df2af8
SHA1: 2f8b0a922144dfeeb57699c83572a2c905312231
SHA256: fedc35d98d5156a129e629f79644d2bddda7b2ac678f979b76fd42b1207d8d41
SHA512: 8fca0d66c06a28a4a240799642130c74b4da8a958cd3edadeacbea03a3d501edce977cb0c3785f2237f867caa2a4bfd0bf578931e87bd3814aca4cfb3a49be17

Filesize: 447KB
MD5: 6255360ba18ce7ac9c8491ba04bb50b3
SHA1: 65cbd531c7ec3605ecead27db7a9ef4715267916
SHA256: 99e84e2275775e89dd93ecaa105c8c40b3789e8c806966fcb79755944a3f3ba2
SHA512: 999ccf4ee76f51c9b52030d34e62a34ad679eda648fb2361a5a1bf28937bd47039308a6170a2651d07a69747e00c500324c7b64b7156a356f1f6ebaf89bd7606

Filesize: 512B
MD5: cdf6792a15de4018eb0a5d57d5441877
SHA1: a8544b3869df1389fbf14d688bc5229cb7cfdc71
SHA256: 1f01d1787227020114773cea640a287f82836f159931f61bfbdc68bfe9ceaa18
SHA512: 921173f95d427afcffe33a4e7df58beb6ad9dc16f84957add4d5126d234ad6769d8601f24acf7b3625ebfbafa23c3adb330a26ee12ca074c6110e530f2cc9c62

Filesize: 223KB
MD5: c6de1ed20163655825a4294c923f0244
SHA1: 3d47ac1f440a7bf5e86614f0e3ade5aeacca2b42
SHA256: b63e405794c2098751362e7b57a2b62ba11d68b6af739c45e44c927d1e081ff0
SHA512: 53c19b24d0f1a39874101c7aab0da41abdc9b0cbbd575377bb33006c6f917587feeb46358a9d59df431b507f0018633fd32df281aa33f305c07ba05e7e5cf0d6

Filesize: 447KB
MD5: e5d20c07e3ea1c02d178ca6c69215484
SHA1: 4317a5c87046171597a9a5b55fb453d83b8df2f6
SHA256: 0da9e0b72e79ca28da94598f506878a2d125a9c04f8ed1700f802d95cad1d885
SHA512: 383c3b4802f764936d3f08d0fe9cca8c60d1fa24084d458db6806a6c81f1c92530714623dd3a282d2e65e673dbf8887cf9c30d4d77e3128438045df82712ea4e