Analysis
max time kernel: 135s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2024 07:29
Static task: static1
Behavioral task: behavioral1
Sample: 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe
Size: 924KB
MD5: 6db54668b8e6b8bae2796c3d10d5fcb1
SHA1: b3dd071fe15c2ce3a7706d21309eeb98c21fef55
SHA256: e337849f207f3294d7a4f1141f81aadca78d26a25944759fa73bc378464b6a67
SHA512: bdb2b2320b713663acefa11e8ef225a7312d5735470d94abd8a3361c4eb226ec7c1619f050261fcceb59b8c04b16aac0880f5ba7d79420561ea7902aa7966dbe
SSDEEP: 24576:jtTZybAX4wvsuSrQKriOJaKZxNQOyGI0fCy6sX:pTH4J9OOUKZxeRGICJ6sX
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe
Executes dropped EXE 2 IoCs
Processes: XHD.exe, server.exe
pid | process
4336 | XHD.exe
1660 | server.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Temp\XHD.exe | vmprotect
behavioral2/memory/4336-19-0x0000000000400000-0x00000000005EC000-memory.dmp | vmprotect
behavioral2/memory/4336-12-0x0000000000400000-0x00000000005EC000-memory.dmp | vmprotect
behavioral2/memory/4336-22-0x0000000000400000-0x00000000005EC000-memory.dmp | vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: XHD.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | XHD.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1372 | 1660 | WerFault.exe | server.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe, XHD.exe, server.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XHD.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Modifies Internet Explorer settings
Processes: XHD.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | XHD.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | XHD.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | XHD.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\IESettingSync | XHD.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe
pid | process
4488 | 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe
4488 | 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: XHD.exe
pid | process
4336 | XHD.exe
4336 | XHD.exe
4336 | XHD.exe
4336 | XHD.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe
description | pid | process | target process
PID 4488 wrote to memory of 4336 | 4488 | 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe | XHD.exe
PID 4488 wrote to memory of 4336 | 4488 | 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe | XHD.exe
PID 4488 wrote to memory of 4336 | 4488 | 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe | XHD.exe
PID 4488 wrote to memory of 1660 | 4488 | 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe | server.exe
PID 4488 wrote to memory of 1660 | 4488 | 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe | server.exe
PID 4488 wrote to memory of 1660 | 4488 | 6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe | server.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\6db54668b8e6b8bae2796c3d10d5fcb1_JaffaCakes118.exe" (PID 4488)
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\Temp\XHD.exe" (PID 4336)
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  - "C:\Users\Admin\AppData\Local\Temp\Temp\server.exe" (PID 1660)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 228 (PID 1372)
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1660 -ip 1660 (PID 4460)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 832KB
MD5: c740c33896ddee93e02a6832d77a3902
SHA1: 7bd86871ecb323e5b091b66aee689440871cb60f
SHA256: ffea64971272950d7f378045942cfba1e30bbb27e1e3d0fa92e2267b49716ac0
SHA512: 8eacf9706b09a563f72408390876648bd1616f1a511878b05329347915619c6d2fdb7fad1c9ca2cf4cf643eb2990f99679f27c30d4779c7be58c2f2855c27574
Filesize: 20KB
MD5: 01daa39433f4f687cd84c5c7c3142cad
SHA1: 5cb48ad01f7e0cd9c0d35611cff6c2931013c07e
SHA256: 957cb6fdd8eb9c6065aad0aa536a3251e065ebab7fd6c43e19f2df638a73fc4c
SHA512: d54daba1922bb27851d3f003f6690f5eabb14b21efd817d822ddf561023bd4ccd775dc25d0fab56ea5b6ad130fe8d8e5600bef44821445f1585fa6a417d58a7e