Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 20:51
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_4392965471b92a09e1ba10a9abc32971.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_4392965471b92a09e1ba10a9abc32971.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_4392965471b92a09e1ba10a9abc32971.exe
Size: 188KB
MD5: 4392965471b92a09e1ba10a9abc32971
SHA1: 22ca625498f7f76e3eb0fadf74a3b1a9646870f5
SHA256: 50ea1e942bb6a861e5ce8e1c3197d69fa35054e5ffbc104ef20ac104854193d4
SHA512: 1fff6c6a1cca37436d78c1e6cd212bf49a75e7d720893e9e1a9894d8ab20593a3b4e2b258c27c9eaf1f6b37c07003f601370e3f61848c686a237c4e23d3b186a
SSDEEP: 1536:l/KVvhq8aP//mEGE7NqeT0GQpTLSsE9mQZjFE4ahXohF5kYlmM4Q7/hsULFfAuv:xHx/mRE0e0Ga/E9DFt2ohFrlN/2+oI
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_4392965471b92a09e1ba10a9abc32971.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_4392965471b92a09e1ba10a9abc32971.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4812: JaffaCakes118_4392965471b92a09e1ba10a9abc32971.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4812 wrote to memory of 3524 (process: JaffaCakes118_4392965471b92a09e1ba10a9abc32971.exe, procid_target: 85); the same entry is reported three times
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4392965471b92a09e1ba10a9abc32971.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4392965471b92a09e1ba10a9abc32971.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   PID: 4812
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 4812)
      Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Hnb..bat" > nul 2> nul
      - System Location Discovery: System Language Discovery
      PID: 3524
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 238B
  MD5: 9be30ead1f00e32e54f1168e793f3537
  SHA1: 8bfda875a92c791c441717326b284afba57bce2c
  SHA256: de2d1731f3010e2c76a33181e1e4bca4572a66b9a536bf8c050a0d85978cdabb
  SHA512: 4970fd613a799776d073a48bdeb5868b04f397cb80c383705cdc8bf146ad8a94aeec2acb4b8d84c2bd3c3c97a7fe073296052aa5eba85f22d8896cd1aeb92c84