Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 02:12
Static task: static1
Behavioral task: behavioral1
  Sample: 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
Size: 237KB
MD5: 812723d3e69a8a9543dd2ebeff8a7fa5
SHA1: 52c49fb43ebb5ef733ffe012c392ba8acceee202
SHA256: 1ab4bda709b6dec9b2d4df647e0d4372b1aa9a712b65a32fcc33642005d57e08
SHA512: 9205f751ecbccb1d62a0236c7ddb4132e797d75a375f9191fd626cb86fde6625bb6bbd0bc00ecc3429ec6e7861b577761745514f4a81a0473066c7a7d7fdbae6
SSDEEP: 6144:2bNfTsrH63mizzzT7nn7EqNuaV60k97lUf+Ld:EAe3mizzzTz7Eioh97lFd
Malware Config
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | EuroP.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | E4U.exe

Executes dropped EXE (6 IoCs)
pid | Process
3696 | cb.exe
1540 | ic9.exe
3528 | EuroP.exe
1156 | E4U.exe
2984 | Gi.exe
4764 | geurge.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ewrgetuj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\geurge.exe" | Gi.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\b:, \??\e:, \??\g:, \??\l:, \??\o:, \??\p:, \??\s:, \??\q:, \??\v:, \??\w:, \??\x:, \??\y:, \??\j:, \??\n:, \??\u:, \??\z:, \??\a:, \??\h:, \??\i:, \??\k:, \??\m:, \??\r:, \??\t: (one event per drive letter) | geurge.exe

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

resource | yara_rule
behavioral2/files/0x0008000000023baf-47.dat | upx
behavioral2/memory/2984-58-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4764-73-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2984-80-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4764-82-0x0000000000400000-0x000000000045A000-memory.dmp | upx
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2272 | sc.exe
1544 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
364 | 1540 | WerFault.exe | 88
System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe, 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe, cb.exe, cmd.exe, cmd.exe, net.exe, EuroP.exe, geurge.exe, net.exe, sc.exe, ic9.exe, E4U.exe, sc.exe, Gi.exe, net1.exe, net1.exe (one event per process listed)
Runs net.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1156 | E4U.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
2984 | Gi.exe (4 events)
4764 | geurge.exe (4 events)

Suspicious use of WriteProcessMemory (45 IoCs)
Each of the following writes was logged three times in the original report.
description | pid | Process | procid_target
PID 3212 wrote to memory of 3696 | 3212 | 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe | 84
PID 3212 wrote to memory of 1540 | 3212 | 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe | 88
PID 3212 wrote to memory of 3528 | 3212 | 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe | 89
PID 3212 wrote to memory of 1156 | 3212 | 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe | 91
PID 3212 wrote to memory of 2984 | 3212 | 812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe | 92
PID 3528 wrote to memory of 2412 | 3528 | EuroP.exe | 96
PID 1156 wrote to memory of 4660 | 1156 | E4U.exe | 97
PID 2984 wrote to memory of 4764 | 2984 | Gi.exe | 99
PID 2984 wrote to memory of 1528 | 2984 | Gi.exe | 101
PID 2984 wrote to memory of 2272 | 2984 | Gi.exe | 102
PID 2984 wrote to memory of 2444 | 2984 | Gi.exe | 103
PID 2984 wrote to memory of 1544 | 2984 | Gi.exe | 104
PID 2984 wrote to memory of 3556 | 2984 | Gi.exe | 105
PID 2444 wrote to memory of 2760 | 2444 | net.exe | 111
PID 1528 wrote to memory of 3216 | 1528 | net.exe | 112
Processes
Each process is listed with its depth in the process tree (1 = top level), its image path, the observed command line, its PID and the signatures that fired on it.

[1] C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe (PID 3212)
    Command line: "C:\Users\Admin\AppData\Local\Temp\812723d3e69a8a9543dd2ebeff8a7fa5_JaffaCakes118.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\cb.exe (PID 3696)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\cb.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

  [2] C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe (PID 1540)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\ic9.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\WerFault.exe (PID 364)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 272
        - Program crash

  [2] C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe (PID 3528)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\EuroP.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe (PID 2412)
        Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Msj..bat" > nul 2> nul
        - System Location Discovery: System Language Discovery

  [2] C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe (PID 1156)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe (PID 4660)
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\E4U.exe > nul
        - System Location Discovery: System Language Discovery

  [2] C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe (PID 2984)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsk9F7E.tmp\Gi.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\geurge.exe (PID 4764)
        Command line: C:\Users\Admin\AppData\Local\Temp\geurge.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    [3] C:\Windows\SysWOW64\net.exe (PID 1528)
        Command line: net.exe stop "Security Center"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\net1.exe (PID 3216)
          Command line: C:\Windows\system32\net1 stop "Security Center"
          - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\sc.exe (PID 2272)
        Command line: sc config wscsvc start= DISABLED
        - Launches sc.exe
        - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\net.exe (PID 2444)
        Command line: net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\net1.exe (PID 2760)
          Command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
          - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\sc.exe (PID 1544)
        Command line: sc config SharedAccess start= DISABLED
        - Launches sc.exe
        - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\cmd.exe (PID 3556)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\tujserrew.bat""
        - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\WerFault.exe (PID 3680)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1540 -ip 1540
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads