Analysis
  max time kernel: 140s
  max time network: 145s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 31/10/2024, 04:12
Static task: static1
Behavioral task: behavioral1
  Sample: 8193921c017358677073e954745e86ed_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8193921c017358677073e954745e86ed_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
  Target: 8193921c017358677073e954745e86ed_JaffaCakes118.exe
  Size: 224KB
  MD5: 8193921c017358677073e954745e86ed
  SHA1: 9ab8e86034475a0bde55729fd2bbff0796baf695
  SHA256: 9f9bbe3b5733adff8b9c349407580800e767cd01eb71dbbe2f7df78c87f8dca2
  SHA512: 974df8c61a371d615352949438ec870dc1ec82701eae976843122091bca1751e8fbd1d9be105e1c30e560e3df4f693c4ddb4f11477d95ec1f57b9ac01bfb4152
  SSDEEP: 3072:k4JwsSux9D3OaiGY0VdV6dUPuD0VKir9QzFL6aqEYDKEuj/Rr0kAx:k4n3OBWvV6KPPUw+6aqEYGE8RokG
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 8193921c017358677073e954745e86ed_JaffaCakes118.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  2772 | 240625921.exe
  1948 | 240629671.exe
  2424 | QQ2011.exe

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\QQ2011\QQ2011.exe | 240629671.exe
  File created | C:\Windows\QQ2011\QQ2011.exe | 240629671.exe
  File opened for modification | C:\Windows\VKsqO | 240629671.exe
  File opened for modification | C:\Windows\QQ2011\QQ2011.exe | QQ2011.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4800 | 1948 | WerFault.exe | 93
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 240629671.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QQ2011.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8193921c017358677073e954745e86ed_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 240625921.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1948 | 240629671.exe
  1948 | 240629671.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 2452 wrote to memory of 2772 | 2452 | 8193921c017358677073e954745e86ed_JaffaCakes118.exe | 87
  PID 2452 wrote to memory of 2772 | 2452 | 8193921c017358677073e954745e86ed_JaffaCakes118.exe | 87
  PID 2452 wrote to memory of 2772 | 2452 | 8193921c017358677073e954745e86ed_JaffaCakes118.exe | 87
  PID 2772 wrote to memory of 1964 | 2772 | 240625921.exe | 91
  PID 2772 wrote to memory of 1964 | 2772 | 240625921.exe | 91
  PID 2772 wrote to memory of 1964 | 2772 | 240625921.exe | 91
  PID 2452 wrote to memory of 1948 | 2452 | 8193921c017358677073e954745e86ed_JaffaCakes118.exe | 93
  PID 2452 wrote to memory of 1948 | 2452 | 8193921c017358677073e954745e86ed_JaffaCakes118.exe | 93
  PID 2452 wrote to memory of 1948 | 2452 | 8193921c017358677073e954745e86ed_JaffaCakes118.exe | 93
  PID 1948 wrote to memory of 2424 | 1948 | 240629671.exe | 94
  PID 1948 wrote to memory of 2424 | 1948 | 240629671.exe | 94
  PID 1948 wrote to memory of 2424 | 1948 | 240629671.exe | 94
  PID 2424 wrote to memory of 4952 | 2424 | QQ2011.exe | 95
  PID 2424 wrote to memory of 4952 | 2424 | QQ2011.exe | 95
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\8193921c017358677073e954745e86ed_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8193921c017358677073e954745e86ed_JaffaCakes118.exe"
  PID: 2452
  Signatures:
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\240625921.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\240625921.exe
    PID: 2772
    Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\240625921.exe
      PID: 1964
      Signatures:
        - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\240629671.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\240629671.exe"
    PID: 1948
    Signatures:
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    C:\Windows\QQ2011\QQ2011.exe
      Command line: C:\Windows\QQ2011\QQ2011.exe
      PID: 2424
      Signatures:
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 4952

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 592
      PID: 4800
      Signatures:
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948
  PID: 2020
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 144KB
  MD5: 4b54f3964c4d90a0fca8702309240e78
  SHA1: c5f7fc4fb4d3cb4035c5671bbe6ef4d025a48abe
  SHA256: 0a7d73320f550a97d1a2f9a1e3db8e3beea41b74e64e44c82eca8eae362d9b8f
  SHA512: 19b6a77adbde8e0118c3fbade9a7eb6e2b278071a2e07dedddb118a6411dac42a5b7d4075ab324e1293c4e25501a5f474c663ad81afb4b4d601886b28987f1fe