Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/10/2024, 07:14
Static task: static1
Behavioral task: behavioral1
  Sample: 561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
Size: 14KB
MD5: 561d055cc6c0da0756a01748ce967058
SHA1: 8303f42074385c1a54302b4a785c90953b7250cc
SHA256: ac1f4f128ad130f141e12d109b3e3d9394982611630987818bc19b5a0a2ce7fd
SHA512: 44e3b821fb1005865036b3f9d1c418c6c016ec09fde394c725706ce7d96fbe3625190177eae784561198a772c05821a31ec7f34f6be059a3d112481e4e98ead1
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4bCl:hDXWipuE+K3/SSHgxm0O
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 6 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
    by 561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
    by DEMB0B2.exe
    by DEM71F.exe
    by DEM5D3E.exe
    by DEMB38C.exe
    by DEM9AB.exe
- Executes dropped EXE (6 IoCs)
  PID 3012: DEMB0B2.exe
  PID 2152: DEM71F.exe
  PID 1596: DEM5D3E.exe
  PID 2552: DEMB38C.exe
  PID 3668: DEM9AB.exe
  PID 4788: DEM5FE9.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by DEMB0B2.exe
    by DEM71F.exe
    by DEM5D3E.exe
    by DEMB38C.exe
    by DEM9AB.exe
    by DEM5FE9.exe
    by 561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each write below was logged three times)
  PID 392 wrote to memory of 3012 (process 561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe, procid_target 95)
  PID 3012 wrote to memory of 2152 (process DEMB0B2.exe, procid_target 101)
  PID 2152 wrote to memory of 1596 (process DEM71F.exe, procid_target 104)
  PID 1596 wrote to memory of 2552 (process DEM5D3E.exe, procid_target 106)
  PID 2552 wrote to memory of 3668 (process DEMB38C.exe, procid_target 115)
  PID 3668 wrote to memory of 4788 (process DEM9AB.exe, procid_target 117)
Processes
1. C:\Users\Admin\AppData\Local\Temp\561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe (PID 392)
   Command line: "C:\Users\Admin\AppData\Local\Temp\561d055cc6c0da0756a01748ce967058_JaffaCakes118.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEMB0B2.exe (PID 3012)
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB0B2.exe"
     - Checks computer location settings
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEM71F.exe (PID 2152)
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEM71F.exe"
       - Checks computer location settings
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEM5D3E.exe (PID 1596)
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5D3E.exe"
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEMB38C.exe (PID 2552)
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB38C.exe"
           - Checks computer location settings
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEM9AB.exe (PID 3668)
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEM9AB.exe"
             - Checks computer location settings
             - Executes dropped EXE
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEM5FE9.exe (PID 4788)
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5FE9.exe"
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
  MD5: ae4b5e930459af60510eac362dac4efa
  SHA1: eadfdb63db1290d63e340298f42928f1c4425fcc
  SHA256: e9a6545b90184f1625d4a3fa77c852d75af7712e693c5ada65fb1df0c4b33822
  SHA512: f1f5b5280c634fe80557ec0b706b5b7a1a2b8af2bc2712671c60fef67505db7c0f3ac5c175339291f97b971129d36aee2a0d113deec70bac79d94d9ab2210598
- Filesize: 15KB
  MD5: 71db0406d1dfc69f693dfeabca247f29
  SHA1: 52be8e4f7e3fb6fcb758650dbf1ebc46559e442e
  SHA256: 0ae5d548e2cc0fbe321cd1609e88294149c4a356889ddfcd0084daf10d07df53
  SHA512: df15a2b50fad7582177aa5a73ecbcb3d66e300db0b5d9fc737d5e1af302143d1c149ab5e9243a9cc7ba2cb001a3670f58eeb7659c3ad721a0523256d4b0f0d5a
- Filesize: 14KB
  MD5: 93cd39db2b409981a33177c9daa2a240
  SHA1: 25f6d4236f25f47cdee1bb513206d5f5edb6c17b
  SHA256: 0e9e398769a63fc16c356bdaca995ab1158ae69586703422a0a588154ddac957
  SHA512: 847c8087849b83b33b6a5ec0aaa1ee7e3e7153364a16d9ded20b33336d1f2ab7cb98335af20b40c143a7a77be9d0776674b22e319335f01e503fb70888ae4ed9
- Filesize: 14KB
  MD5: 460b6471a5c39b3581dc37802e59eb4b
  SHA1: b33a27929847cd04a6b55dd5beec56d6747dbe16
  SHA256: bc5705add8025fdc62fb250e70bfba7c6a90c6c79205548dedf42ff53fb2979b
  SHA512: 86fdb2b74e46505c4d7550ace2f0bf6c537eacb1d575929033bb471d35e43f625979d80bf5e72b73c58a22a027ebbba9934f9d062047efd139e3e42b64c0467f
- Filesize: 14KB
  MD5: c926a195c1448fbc543bb46f03f27710
  SHA1: 0bd9277da2b06c18c16e0fae796fa904e14e2cd9
  SHA256: 04de75819d68b3deb9ee80f72aee78d1589cdce8c59ea7c0043c266b25071e7a
  SHA512: 9f379e36b6034d8ea9733ce5711c32a462643780802a60ba476a3329589bd9d44cc91f322e27c9ec4886066d757ab58d8717c100caabfd30fc16308335f5dcdb
- Filesize: 14KB
  MD5: c1e7ae9cc2ed0e7abe1681b8326e0548
  SHA1: cfc6a0f2ae2e293534b72a4f25561bf071b9537e
  SHA256: 64ccfcff79e896e5bdfde68866ff11695802921224f8087cefdbca4a141f172f
  SHA512: f79411bd87e02c5d65696d5e2bf0114eeb5ad27006968fb1e92a2959856b0d611f414d1c86685e64718957a9cd621e0ad3b1e9abc8fe54f1e6cd165779fc502c