Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 04:38
Behavioral task: behavioral1
Sample: dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe
Size: 1.3MB
MD5: dfe9edfceb1ca6ebb94dd18919bfadeb
SHA1: 178d4e316cdd7b707089928f6beaa91314eec834
SHA256: 5c64f7f80b09582f6ad8049c4b7e9ea5ab62006630df5941a6733544fce5940d
SHA512: 602746e05e90aa48288658bd97df8488a443d82c7f808294bb946435a1c8fcaa715e42711a62a4e455a5f8a918c3169aedabed7a073e1a66e959c2aab3e8071c
SSDEEP: 24576:u2EBg1IYJE7MyO1RnYBRIKJhbO+jqM72mKePXVhZU0WABFlPF:S4JE7MRjYBRIKJ5Osr7cMFfU0nBFNF
Malware Config
Signatures
Packer detection (YARA)
resource  yara_rule
behavioral2/files/0x0008000000023cd2-12.dat  aspack_v212_v242
behavioral2/files/0x0008000000023cd7-17.dat  aspack_v212_v242
Executes dropped EXE  3 IoCs
pid  Process
3236  morena.exe
4856  MORENA~1.EXE
2448  stub.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine  stub.exe
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  MORENA~1.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe
Drops file in Windows directory 3 IoCs
description  ioc  Process
File created  C:\Windows\morena.jpg  morena.exe
File opened for modification  C:\Windows\morena.jpg  morena.exe
File created  C:\Windows\__tmp_rar_sfx_access_check_240633921  morena.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash  1 IoCs
pid  pid_target  Process  procid_target
3412  2448  WerFault.exe  84
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  stub.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  morena.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MORENA~1.EXE
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 4552 wrote to memory of 3236  4552  dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe  82
PID 4552 wrote to memory of 3236  4552  dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe  82
PID 4552 wrote to memory of 3236  4552  dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe  82
PID 4552 wrote to memory of 4856  4552  dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe  83
PID 4552 wrote to memory of 4856  4552  dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe  83
PID 4552 wrote to memory of 4856  4552  dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe  83
PID 4856 wrote to memory of 2448  4856  MORENA~1.EXE  84
PID 4856 wrote to memory of 2448  4856  MORENA~1.EXE  84
PID 4856 wrote to memory of 2448  4856  MORENA~1.EXE  84
Processes (indentation shows parent/child depth)
[1] C:\Users\Admin\AppData\Local\Temp\dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dfe9edfceb1ca6ebb94dd18919bfadeb_JaffaCakes118.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4552
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\morena.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\morena.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        PID:3236
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORENA~1.EXE
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORENA~1.EXE
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:4856
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\stub.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\stub.exe
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - System Location Discovery: System Language Discovery
            PID:2448
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 588
                - Program crash
                PID:3412
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2448 -ip 2448
    PID:2836
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.7MB
MD5: 0d2c9d82d65344ffd4411fc43e5035db
SHA1: 9ddec8a3b866f86abeda3aec706df50b9857fd40
SHA256: 11213144f3a0dc778cc1bedca3405720f27d068404debe849ebd505ba62da13d
SHA512: 918e6a61e7f116f9e8610980fd2c4ea7cea733333e0a0310c829e5f0bb61a6a46def8c49b267c7ff9ee85374c27c3c4fb2fa418afc1466eace51411956c9f7ef

Filesize: 170KB
MD5: 707e13901eefb28204e1eea7806d27c2
SHA1: 053f829fb78e8b8898ba4a4a7680dde21bb857cb
SHA256: 4b85fc047bc52b4ea993669a71f77c5ef08ded1336c6d2f7ccca44617b4f0cab
SHA512: 3359258f4f39aca48bddbb9cb9b78d7b1670ad7c6cb3205f64861fc54fef65bcf3cccc2809a9f6876a586cafcc88ed755fbc22e349a1bd5201f291413d485169

Filesize: 741KB
MD5: f0c3d1dc95d0317ad9f7c847a0774d96
SHA1: bdf81b0af7f773981b70125d2269408066e44c14
SHA256: 13fc3642c88957d237e79eda353b413f17047b76da76988679124ea06260af31
SHA512: 89e14ed790dd87598da01e8267da0c7cd8d88b0dde0dcd9cc77e41e6abdca948916119c0bc839636cadefecc96b6b4d6a05099aa36df231cdc3dfb98a60d494e