Overview

Task scores (score, sample, platform):
  7  Static
  3  5197601d32...18.exe  windows7-x64
  7  5197601d32...18.exe  windows10-2004-x64
  7  $APPDATA/D...er.exe  windows7-x64
  6  $APPDATA/D...er.exe  windows10-2004-x64
  3  $PLUGINSDI...os.dll  windows7-x64
  3  $PLUGINSDI...os.dll  windows10-2004-x64
  3  $TEMP/7za.exe  windows7-x64
  3  $TEMP/7za.exe  windows10-2004-x64
Analysis
  Max time kernel: 141s
  Max time network: 105s
  Platform: windows10-2004_x64
  Resource: win10v2004-20241007-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 17/10/2024, 09:42

Tasks (task, sample, resource):
  static1      Static task
  behavioral1  Behavioral task  5197601d3263fce60649415662ad878e_JaffaCakes118.exe  win7-20240903-en
  behavioral2  Behavioral task  5197601d3263fce60649415662ad878e_JaffaCakes118.exe  win10v2004-20241007-en
  behavioral3  Behavioral task  $APPDATA/DivX_Installer.exe  win7-20240729-en
  behavioral4  Behavioral task  $APPDATA/DivX_Installer.exe  win10v2004-20241007-en
  behavioral5  Behavioral task  $PLUGINSDIR/ExecDos.dll  win7-20240903-en
  behavioral6  Behavioral task  $PLUGINSDIR/ExecDos.dll  win10v2004-20241007-en
  behavioral7  Behavioral task  $TEMP/7za.exe  win7-20240903-en
  behavioral8  Behavioral task  $TEMP/7za.exe  win10v2004-20241007-en
General
  Target: 5197601d3263fce60649415662ad878e_JaffaCakes118.exe
  Size: 521KB
  MD5: 5197601d3263fce60649415662ad878e
  SHA1: d0ed76a028aac5c25ef35e794a5f46722ed7d9d5
  SHA256: 1ecac9baae9daf7c7766ff7683570166d3be1031542475546c4db44e850dcafa
  SHA512: b3edb5135de6e1321e780cf878801e362134852b2d22ad3ef087e14a20dccd1bf55c1c9ee2cdb6266f70d4ee430d9c14764e778c03209a501b4cbea6fdbb6a68
  SSDEEP: 12288:ibemqOid95Fl3kg7RVq8Nik6Kf6eeUgJi3HnzdeKnPkxgLOOk:ibRUdD3zXH6JeRgJi3nx5bLbk
Malware Config
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 5197601d3263fce60649415662ad878e_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | DivX_Codec.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  868 | DivX_Installer.exe
  976 | 7za.exe
  1624 | DivX_Codec.exe
  3588 | DivX_Player.exe
  5116 | DivX_Setup.exe

Loads dropped DLL (3 IoCs)
  pid | Process
  2280 | 5197601d3263fce60649415662ad878e_JaffaCakes118.exe
  3188 | rundll32.exe
  3056 | rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uzadelubemojokes = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mfcoms.dll\",Startup" | rundll32.exe

Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.

YARA rule matches
  resource | yara_rule
  behavioral2/files/0x000a000000023b96-31.dat | upx
  behavioral2/memory/1624-42-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral2/memory/5116-41-0x0000000000400000-0x0000000000438000-memory.dmp | upx
  behavioral2/memory/1624-58-0x0000000000400000-0x000000000041C000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  1780 | 868 | WerFault.exe | 85
  2400 | 5116 | WerFault.exe | 94
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5197601d3263fce60649415662ad878e_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DivX_Player.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DivX_Installer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7za.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DivX_Codec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  5056 | cmd.exe
  4472 | PING.EXE

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | 5197601d3263fce60649415662ad878e_JaffaCakes118.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  4472 | PING.EXE

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  1624 | DivX_Codec.exe (4 entries)
  3188 | rundll32.exe (12 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 1624 | DivX_Codec.exe

Suspicious use of WriteProcessMemory (36 IoCs; each row below was reported 3 times)
  description | pid | Process | procid_target
  PID 2280 wrote to memory of 868 | 2280 | 5197601d3263fce60649415662ad878e_JaffaCakes118.exe | 85
  PID 2280 wrote to memory of 976 | 2280 | 5197601d3263fce60649415662ad878e_JaffaCakes118.exe | 86
  PID 2280 wrote to memory of 1624 | 2280 | 5197601d3263fce60649415662ad878e_JaffaCakes118.exe | 92
  PID 2280 wrote to memory of 3588 | 2280 | 5197601d3263fce60649415662ad878e_JaffaCakes118.exe | 93
  PID 2280 wrote to memory of 5116 | 2280 | 5197601d3263fce60649415662ad878e_JaffaCakes118.exe | 94
  PID 3588 wrote to memory of 3188 | 3588 | DivX_Player.exe | 95
  PID 2280 wrote to memory of 4684 | 2280 | 5197601d3263fce60649415662ad878e_JaffaCakes118.exe | 97
  PID 4684 wrote to memory of 4832 | 4684 | WScript.exe | 99
  PID 4832 wrote to memory of 5056 | 4832 | cmd.exe | 101
  PID 5056 wrote to memory of 4472 | 5056 | cmd.exe | 102
  PID 1624 wrote to memory of 1400 | 1624 | DivX_Codec.exe | 103
  PID 3188 wrote to memory of 3056 | 3188 | rundll32.exe | 114
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe"
    PID: 2280
    - Checks computer location settings
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\DivX_Installer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\DivX_Installer.exe"
        PID: 868
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 492
            PID: 1780
            - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\7za.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\a1.7z" -aoa -oC:\Users\Admin\AppData\Local\Temp -p~@S23js@@vBz99432@t9 "" ""
        PID: 976
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe"
        PID: 1624
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DIVX_C~1.EXE > nul
            PID: 1400
            - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe"
        PID: 3588
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: rundll32.exe "C:\Users\Admin\AppData\Local\mfcoms.dll",Startup
            PID: 3188
            - Loads dropped DLL
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\rundll32.exe
                Command line: rundll32.exe "C:\Users\Admin\AppData\Local\mfcoms.dll",iep
                PID: 3056
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe"
        PID: 5116
        - Executes dropped EXE

        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 468
            PID: 2400
            - Program crash

    [2] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b.vbs"
        PID: 4684
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
            PID: 4832
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /C ping -n 1 localhost
                PID: 5056
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\PING.EXE
                    Command line: ping -n 1 localhost
                    PID: 4472
                    - System Location Discovery: System Language Discovery
                    - System Network Configuration Discovery: Internet Connection Discovery
                    - Runs ping.exe

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 868 -ip 868
    PID: 4612

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5116 -ip 5116
    PID: 3280
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
Downloads

  Filesize: 523KB
  MD5: e92604e043f51c604b6d1ac3bcd3a202
  SHA1: 4154dda4a1e2a5ed14303dc3d36f448953ff6d33
  SHA256: fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3
  SHA512: ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

  Filesize: 26KB
  MD5: b65d387db7875a1f5ac8aa5932b8af08
  SHA1: b60a08b5e573fc8fa211379471b01883e9b5fffa
  SHA256: 640eceb1326fcf1f955436a99721893cda6fbc50ae782fa02727ad48c28c60ee
  SHA512: c5b9ae09c5a0684dbe9bf863a6eda7d08e27890c1d61e97cf82a4ee431dff111a58499ca9d899adb49e79697273a3fecd3c81a4c229ea9c435593c711b0a014e

  Filesize: 92KB
  MD5: 7b6bd526430c3987be1f44245aa3ec38
  SHA1: e271078a59640b765fba87227f7b4401e5d6b35f
  SHA256: 7128ddfa3e765a80f592205bf300d7a3168e22acf64d4efbe7c694aca3a5e95a
  SHA512: afd50c61bf32bd6a09c9aefdbb5e16d6a5a11c541c9b013691cc97605f3072ad1ab101754cab3f8694d143db86b428a96048f5d21c707f9ae4783c218c87d9fc

  Filesize: 75KB
  MD5: 94fb3b4a47c149ef0ae646c379697c63
  SHA1: 115e466d3066b1f223acd9ec3abba24f9b40db64
  SHA256: 212dde65e0b60c4518e0aa90dd3c2a7267e75b3227f550b3d56233fe500c3832
  SHA512: 8f7df0814f6e8280efd34516171c1c293cfff6adf6f581ea0061645e8ef28cdd645c6452274d5902140ef06763bdadd0a1a2139fbc91f82f041e54a6baa6ac78

  Filesize: 135KB
  MD5: 0efc8c3587e3a4c9e5296628942445e4
  SHA1: 07f84a00303ca1c0611146c979489056159db29a
  SHA256: 94edff236294e85cba575e3983b9be804d52265ba895b6b785f151c123749572
  SHA512: 04a19f9d3dd0b33050dcf984c776ab490001686f094277c7c15834e0ecf0af3073bca4e8f626d8a39292631970013f818ce38c5880dfad287cbdd0d2ba165f9b

  Filesize: 415B
  MD5: 1a575dbe09ffd4493104d127c80a0db7
  SHA1: 004f702b4e4aea196a94ce50d440e4a9f3055b76
  SHA256: aac4342578fb155c7531e981e33a1e423b8ed7e2abb979a0b8a0711e5413648c
  SHA512: 16d47279e9544b51242b548018495c33792a0f902b15131f95e024c24b41b38f02705a80e6a94f0916064bf3020234bb07b7bb8a74f700763febe6f54b964b97

  Filesize: 129B
  MD5: e8d125eecfd718eb049687bc0bfe2252
  SHA1: 7be3dbb4578a9dfb836d8b420be7f54dfda0e332
  SHA256: ff389a2d72dad44c1173e0846a45f203a36702b2425ab879d26f002a4e786cac
  SHA512: bcfbd08de6075f57e18fb7048c23e770c6b86e00ee1f723d2e5f0fd248fe884c30e2e29208cc5229e4873245cec5a8bfad03dd9d4cc1a5e980f0b1029f7a624d

  Filesize: 5KB
  MD5: a7cd6206240484c8436c66afb12bdfbf
  SHA1: 0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919
  SHA256: 69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926
  SHA512: b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

  Filesize: 92KB
  MD5: 969e89dc4a97415805530b6717bc8f51
  SHA1: d46cedb74ecfc6eab0b089d0639263f97eeef618
  SHA256: b96665f4e65f014fbe43d2496273f6addf9a5ae799508ee2214ed5ba30180291
  SHA512: 7fda06061c302a17c1129f08bd6a4d02e9217e18c67fa70b72a4d07fa5aa5505ef7cb29138d2f8630ae9d1ff43e36cf2698a0b1fcbc8d7af5c49f4b7640b5054

  Filesize: 123KB
  MD5: c5fac72a6adb2183930a3e4ae9918a5f
  SHA1: a3a60097d6312bed4fcda4fa6c4ecd86c140da19
  SHA256: c27fd98bcf7260783b3b08776a3bbf93576c2e57bf386fa33e02220463496eaf
  SHA512: 70eb0795169781d0e38d023c46e03c9bf2b121c489720a818a0a49a24582310c799b129bcfe412f6c57dac41f0ba43a3feca51cf81f731651cefa0c6391fa47a