Analysis
max time kernel: 143s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 14:57
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
Size: 64KB
MD5: 40bf354a2f5f69e307f9498660a7275c
SHA1: 8b43bf482c7f589d55c12d1066da4f193aeb7bbb
SHA256: 4fe312ba8f103e4854f6587495146e342684f76874fb7937379062e56fc9110f
SHA512: 71c12aa22bbcaccd14c281712f889f8342e06dd1bd70e0b2d4e0305d1ff8f285ec447a482bc79c47c89a27c6920dd525ba415887d37292cfd2fce960ce437b0a
SSDEEP: 768:+wBVHpKTX6O91dbxSFhLfQmETEfax+T1i5JmuKFBXegYBn2RTijAvjx:+U4N91dbxCdomEToT1Z1e9AcI
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  4952  WinDefender.exe
  1216  WinDefender.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefender.exe"              JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefender.exe"  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                           pid   Process                                             procid_target
  PID 5076 set thread context of 2104   5076  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  83
  PID 4952 set thread context of 1216   4952  WinDefender.exe                                     85

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                       Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WinDefender.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  5076  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
  4952  WinDefender.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                        pid   Process                                             procid_target
  PID 5076 wrote to memory of 2104   5076  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  83
  PID 5076 wrote to memory of 2104   5076  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  83
  PID 5076 wrote to memory of 2104   5076  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  83
  PID 5076 wrote to memory of 2104   5076  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  83
  PID 5076 wrote to memory of 2104   5076  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  83
  PID 5076 wrote to memory of 2104   5076  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  83
  PID 5076 wrote to memory of 2104   5076  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  83
  PID 5076 wrote to memory of 2104   5076  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  83
  PID 2104 wrote to memory of 4952   2104  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  84
  PID 2104 wrote to memory of 4952   2104  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  84
  PID 2104 wrote to memory of 4952   2104  JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe  84
  PID 4952 wrote to memory of 1216   4952  WinDefender.exe                                     85
  PID 4952 wrote to memory of 1216   4952  WinDefender.exe                                     85
  PID 4952 wrote to memory of 1216   4952  WinDefender.exe                                     85
  PID 4952 wrote to memory of 1216   4952  WinDefender.exe                                     85
  PID 4952 wrote to memory of 1216   4952  WinDefender.exe                                     85
  PID 4952 wrote to memory of 1216   4952  WinDefender.exe                                     85
  PID 4952 wrote to memory of 1216   4952  WinDefender.exe                                     85
  PID 4952 wrote to memory of 1216   4952  WinDefender.exe                                     85
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe"
   PID: 5076
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bf354a2f5f69e307f9498660a7275c.exe"
      PID: 2104
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\WinDefender.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\WinDefender.exe"
         PID: 4952
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\WinDefender.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\WinDefender.exe"
            PID: 1216
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 64KB
MD5: 40bf354a2f5f69e307f9498660a7275c
SHA1: 8b43bf482c7f589d55c12d1066da4f193aeb7bbb
SHA256: 4fe312ba8f103e4854f6587495146e342684f76874fb7937379062e56fc9110f
SHA512: 71c12aa22bbcaccd14c281712f889f8342e06dd1bd70e0b2d4e0305d1ff8f285ec447a482bc79c47c89a27c6920dd525ba415887d37292cfd2fce960ce437b0a