Analysis
- max time kernel: 127s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/10/2024, 16:05
Static task: static1
Behavioral task: behavioral1
- Sample: 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
- Size: 400KB
- MD5: 837b3ee12cc0ddd81bfcf0c7b57e3dfc
- SHA1: 70612835e9d261454200ce963af55bb553b8b486
- SHA256: e356e0ab1bc38eac26f1e4caea3acae40f70b910a961555ae1c6ffa02a4d20a8
- SHA512: 7df022a6445e09d52c39c717ebc3b77b3201beb2ab09d8c0aea4cc88f4253a708fa63949d27d21f04626fcdbc33bbd6293e3248f792adc7b769c6cec0d8ccca0
- SSDEEP: 6144:xpMt2bRtHVlAKFMFkBiCl1zfWbq4iofuz3rWrthaU1m4R0a6LD:xpMt2/H/Fxi+1z0q4NWz7Wna
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | your_exe.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  3120 | your_exe.exe
  5052 | 1281085013.exe
  2092 | install.48596.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2844 set thread context of 372 | 2844 | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe | 84
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  4060 | 5052 | WerFault.exe | 87
  1188 | 2092 | WerFault.exe | 88
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | install.48596.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | your_exe.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1281085013.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 3120 | your_exe.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2844 | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  372 | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (17 IoCs; identical rows grouped, count in last column)
  description | pid | Process | procid_target | count
  PID 2844 wrote to memory of 372 | 2844 | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe | 84 | 5
  PID 372 wrote to memory of 3120 | 372 | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe | 86 | 3
  PID 372 wrote to memory of 5052 | 372 | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe | 87 | 3
  PID 372 wrote to memory of 2092 | 372 | 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe | 88 | 3
  PID 3120 wrote to memory of 4496 | 3120 | your_exe.exe | 101 | 3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe (PID 2844)
    Command line: "C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe (PID 372)
      Command line: C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
      - Checks computer location settings
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\your_exe.exe (PID 3120)
        Command line: "C:\Users\Admin\AppData\Local\Temp\your_exe.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4496)
          Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\your_exe.exe > nul
          - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\1281085013.exe (PID 5052)
        Command line: "C:\Users\Admin\AppData\Local\Temp\1281085013.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 4060)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 580
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\install.48596.exe (PID 2092)
        Command line: "C:\Users\Admin\AppData\Local\Temp\install.48596.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 1188)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 408
          - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe (PID 2316)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2092 -ip 2092
[1] C:\Windows\SysWOW64\WerFault.exe (PID 3500)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5052 -ip 5052
Network
MITRE ATT&CK Enterprise v15
Downloads