Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-10-2024 01:51
Behavioral task: behavioral1
- Sample: 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe
- Size: 52KB
- MD5: 54d303b283679409adb0d34f34573b60
- SHA1: 864feb1110af470f84827ed198fff2a9435b21f7
- SHA256: a23f28cc3a6e1718908506e8106d74649fee66776ba9c9a1d111e1fbc700fe2a
- SHA512: 699af970ecd5fdd50b7c2ac1229b199d4b8abe77aa4c827ccd871b7888eb93919798017e9489ae50682a62dfae4b15a34431dda826783e3f7cfb0ab9dfb669f1
- SSDEEP: 1536:cCM2LNW+RfAFqkuK9crRoj+tJC3oNRsVGtLytwO:k2pW+tAGKGRoOJaoNKAS
Malware Config
Signatures
- Renames multiple (443) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (process: 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Processes (resource: yara_rule):
  - behavioral2/memory/3848-0-0x0000000000400000-0x0000000000479000-memory.dmp: upx
  - behavioral2/memory/3848-667-0x0000000000400000-0x0000000000479000-memory.dmp: upx
  - behavioral2/memory/3848-668-0x0000000000400000-0x0000000000479000-memory.dmp: upx
  - behavioral2/memory/3848-1395-0x0000000000400000-0x0000000000479000-memory.dmp: upx
  - behavioral2/memory/3848-1433-0x0000000000400000-0x0000000000479000-memory.dmp: upx
- Drops file in Program Files directory (64 IoCs)
  Processes: 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe
  All entries below were performed by process 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe (description: ioc).
  - File opened for modification: C:\Program Files\Java\jre-1.8\LICENSE
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.txx
  - File created: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txx
  - File created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Analytics.txx
  - File opened for modification: C:\Program Files\7-Zip\Lang\zh-tw.txt
  - File opened for modification: C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64
  - File opened for modification: C:\Program Files\7-Zip\Lang\es.txt
  - File created: C:\Program Files\Java\jdk-1.8\COPYRIGHT.txx
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.txx
  - File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Content
  - File opened for modification: C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt
  - File opened for modification: C:\Program Files\Java\jdk-1.8\jre\README.txt
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.txx
  - File opened for modification: C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\af.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\ga.txt
  - File created: C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txx
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT
  - File opened for modification: C:\Program Files\7-Zip\Lang\ru.txt
  - File created: C:\Program Files\Java\jre-1.8\bin\server\Xusage.txx
  - File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Analytics
  - File created: C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txx
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64
  - File opened for modification: C:\Program Files\7-Zip\Lang\fr.txt
  - File created: C:\Program Files\7-Zip\Lang\sl.txx
  - File created: C:\Program Files\7-Zip\Lang\yo.txx
  - File opened for modification: C:\Program Files\Java\jre-1.8\release
  - File created: C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txx
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT
  - File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt
  - File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt
  - File created: C:\Program Files\7-Zip\Lang\ka.txx
  - File created: C:\Program Files\7-Zip\Lang\ps.txx
  - File created: C:\Program Files\7-Zip\Lang\uk.txx
  - File created: C:\Program Files\7-Zip\Lang\zh-tw.txx
  - File created: C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txx
  - File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Content
  - File created: C:\Program Files\7-Zip\Lang\mk.txx
  - File opened for modification: C:\Program Files\7-Zip\Lang\sr-spc.txt
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt
  - File created: C:\Program Files\VideoLAN\VLC\README.txx
  - File created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\CompatExceptions.txx
  - File opened for modification: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\NOTICE.TXT
  - File opened for modification: C:\Program Files\7-Zip\Lang\gu.txt
  - File created: C:\Program Files\7-Zip\Lang\ku-ckb.txx
  - File created: C:\Program Files\7-Zip\Lang\sr-spc.txx
  - File opened for modification: C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt
  - File created: C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.txx
  - File created: C:\Program Files\7-Zip\Lang\el.txx
  - File created: C:\Program Files\7-Zip\Lang\ja.txx
  - File created: C:\Program Files\7-Zip\Lang\ro.txx
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125
  - File created: C:\Program Files\7-Zip\Lang\ba.txx
  - File created: C:\Program Files\7-Zip\Lang\nb.txx
  - File created: C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.txx
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt
  - File created: C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txx
  - File created: C:\Program Files\7-Zip\Lang\br.txx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: notepad.exe, cmd.exe, 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: notepad.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe)
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: notepad.exe
  - pid 1584: notepad.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe
  - PID 3848 wrote to memory of 1584 (pid 3848, process 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe, target process notepad.exe)
  - PID 3848 wrote to memory of 1584 (pid 3848, process 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe, target process notepad.exe)
  - PID 3848 wrote to memory of 1584 (pid 3848, process 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe, target process notepad.exe)
  - PID 3848 wrote to memory of 2572 (pid 3848, process 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe, target process cmd.exe)
  - PID 3848 wrote to memory of 2572 (pid 3848, process 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe, target process cmd.exe)
  - PID 3848 wrote to memory of 2572 (pid 3848, process 54d303b283679409adb0d34f34573b60_JaffaCakes118.exe, target process cmd.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe"
  PID: 3848
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\notepad.exe
    Command line: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\README_ASAP.txt
    PID: 1584
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\54D303~1.EXE" >> NUL
    PID: 2572
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 2KB
- MD5: a0bca63c8ba75cf1b7a30d0b171f474f
- SHA1: af8a8153d52ee5d471e7f69b2245683b441b7b7d
- SHA256: fdac2db3a1b1d199162e8768be32cc0c9e7161556b840c24c7e1928ac3f3f531
- SHA512: 0d68622772132d80fda645fa7cbd45eed8cd5f876da359f4aa735c56adfca949f7b77843301d8f6da26e89ade67daa3341f2edf0d0bcde08599a362b1abdc002