Analysis
max time kernel: 148s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 15:10
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe
Size: 106KB
MD5: 40da04fcf5c478f81c2ad99e0078b643
SHA1: bdb3e0336ce7040841b095b8b12c6b8630406a7a
SHA256: d0009e117bc2212da7d1c94b5fb90793f8d7fe2ed462e24c87dafd8bb8c93e99
SHA512: a730a97e7ee8b9f5416abc3d3c64ed231c2b1d6abcf941aba6d8e5300ac518c0a7e2a3c493cc4a19abad5ed8d6e0bc8a63d121f28a08725ab2e9ea45a4a0d64d
SSDEEP: 3072:Qkjte7YxTW8OmbhUMyPagMVVVVVVVVVVVVx:hI7WgMVVVVVVVVVVVVx
Malware Config
Signatures
Executes dropped EXE (10 IoCs)
  PID   Process
  2140  wins.exe
  572   wins.exe
  1364  wins.exe
  852   wins.exe
  3436  wins.exe
  5112  wins.exe
  668   wins.exe
  4896  wins.exe
  3144  wins.exe
  3516  wins.exe
Drops file in System32 directory (22 IoCs)
  Description                   IoC                           Process
  File created                  C:\Windows\SysWOW64\wins.exe  wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe  wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe  wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe  wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe  wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe  wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe  JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe  wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe  wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe  wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe  wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe  wins.exe
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
  Description  IoC                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wins.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wins.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wins.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wins.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wins.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wins.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wins.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wins.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wins.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wins.exe
Suspicious use of WriteProcessMemory (30 IoCs)
  Description                          PID   Process                                              procid_target
  PID 1596 wrote to memory of 2140     1596  JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe  82
  PID 1596 wrote to memory of 2140     1596  JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe  82
  PID 1596 wrote to memory of 2140     1596  JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe  82
  PID 2140 wrote to memory of 572      2140  wins.exe                                             90
  PID 2140 wrote to memory of 572      2140  wins.exe                                             90
  PID 2140 wrote to memory of 572      2140  wins.exe                                             90
  PID 572 wrote to memory of 1364      572   wins.exe                                             92
  PID 572 wrote to memory of 1364      572   wins.exe                                             92
  PID 572 wrote to memory of 1364      572   wins.exe                                             92
  PID 1364 wrote to memory of 852      1364  wins.exe                                             94
  PID 1364 wrote to memory of 852      1364  wins.exe                                             94
  PID 1364 wrote to memory of 852      1364  wins.exe                                             94
  PID 852 wrote to memory of 3436      852   wins.exe                                             95
  PID 852 wrote to memory of 3436      852   wins.exe                                             95
  PID 852 wrote to memory of 3436      852   wins.exe                                             95
  PID 3436 wrote to memory of 5112     3436  wins.exe                                             96
  PID 3436 wrote to memory of 5112     3436  wins.exe                                             96
  PID 3436 wrote to memory of 5112     3436  wins.exe                                             96
  PID 5112 wrote to memory of 668      5112  wins.exe                                             97
  PID 5112 wrote to memory of 668      5112  wins.exe                                             97
  PID 5112 wrote to memory of 668      5112  wins.exe                                             97
  PID 668 wrote to memory of 4896      668   wins.exe                                             98
  PID 668 wrote to memory of 4896      668   wins.exe                                             98
  PID 668 wrote to memory of 4896      668   wins.exe                                             98
  PID 4896 wrote to memory of 3144     4896  wins.exe                                             99
  PID 4896 wrote to memory of 3144     4896  wins.exe                                             99
  PID 4896 wrote to memory of 3144     4896  wins.exe                                             99
  PID 3144 wrote to memory of 3516     3144  wins.exe                                             100
  PID 3144 wrote to memory of 3516     3144  wins.exe                                             100
  PID 3144 wrote to memory of 3516     3144  wins.exe                                             100
Processes
Level 1 (PID 1596): C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 2 (PID 2140): C:\Windows\SysWOW64\wins.exe
  Command line: C:\Windows\system32\wins.exe 1076 "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40da04fcf5c478f81c2ad99e0078b643.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 3 (PID 572): C:\Windows\SysWOW64\wins.exe
  Command line: C:\Windows\system32\wins.exe 1152 "C:\Windows\SysWOW64\wins.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 4 (PID 1364): C:\Windows\SysWOW64\wins.exe
  Command line: C:\Windows\system32\wins.exe 1128 "C:\Windows\SysWOW64\wins.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 5 (PID 852): C:\Windows\SysWOW64\wins.exe
  Command line: C:\Windows\system32\wins.exe 1124 "C:\Windows\SysWOW64\wins.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 6 (PID 3436): C:\Windows\SysWOW64\wins.exe
  Command line: C:\Windows\system32\wins.exe 1132 "C:\Windows\SysWOW64\wins.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 7 (PID 5112): C:\Windows\SysWOW64\wins.exe
  Command line: C:\Windows\system32\wins.exe 1104 "C:\Windows\SysWOW64\wins.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 8 (PID 668): C:\Windows\SysWOW64\wins.exe
  Command line: C:\Windows\system32\wins.exe 1140 "C:\Windows\SysWOW64\wins.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 9 (PID 4896): C:\Windows\SysWOW64\wins.exe
  Command line: C:\Windows\system32\wins.exe 1148 "C:\Windows\SysWOW64\wins.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 10 (PID 3144): C:\Windows\SysWOW64\wins.exe
  Command line: C:\Windows\system32\wins.exe 1144 "C:\Windows\SysWOW64\wins.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 11 (PID 3516): C:\Windows\SysWOW64\wins.exe
  Command line: C:\Windows\system32\wins.exe 1156 "C:\Windows\SysWOW64\wins.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 106KB
MD5: 40da04fcf5c478f81c2ad99e0078b643
SHA1: bdb3e0336ce7040841b095b8b12c6b8630406a7a
SHA256: d0009e117bc2212da7d1c94b5fb90793f8d7fe2ed462e24c87dafd8bb8c93e99
SHA512: a730a97e7ee8b9f5416abc3d3c64ed231c2b1d6abcf941aba6d8e5300ac518c0a7e2a3c493cc4a19abad5ed8d6e0bc8a63d121f28a08725ab2e9ea45a4a0d64d