Analysis
- max time kernel: 139s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 22:09
Static task: static1
Behavioral task: behavioral1
- Sample: fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
The signatures, process tree and memory dumps below are from behavioral2 (the windows10-2004_x64 run on win10v2004-20240226-en).
General
- Target: fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe
- Size: 361KB
- MD5: fb462b6cf7c1fcdd426c5735fd430bd3
- SHA1: 01500889439c8124e12355d8194e32f56031f6c7
- SHA256: 34f384a86860c3a97e6b95cc85434a4ca8e656892b42b48e7005d25d513c9ad2
- SHA512: 77db1c93686deba6b4efd91badfd14abc14f4c0d0aabdbb500f2436d72188149c4b560417251497cdee00645b9d399bb441fbcfc1b28ab96e61a9bb565c4b52f
- SSDEEP: 6144:0rL0HS/AR187m4HpjgGp3cqbleEHKJnMYBZc9aNIanX59EPCm:0roHS/ARKaGpfldcLXaaX59Y
Malware Config
- Extracted family: gcleaner
- Extracted address: 194.145.227.161
Note that the extracted configuration is tagged gcleaner while the memory YARA hits below are family_onlylogger; both labels come from the sandbox's own rules and the page does not reconcile them, so treat the family attribution as provisional.
Signatures
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
OnlyLogger payload (4 IoCs)
Resource / YARA rule:
- behavioral2/memory/5064-2-0x0000000003DC0000-0x0000000003E08000-memory.dmp: family_onlylogger
- behavioral2/memory/5064-3-0x0000000000400000-0x0000000002177000-memory.dmp: family_onlylogger
- behavioral2/memory/5064-8-0x0000000003DC0000-0x0000000003E08000-memory.dmp: family_onlylogger
- behavioral2/memory/5064-9-0x0000000000400000-0x0000000002177000-memory.dmp: family_onlylogger
The four hits cover only two regions of PID 5064, each dumped twice (dumps 2 and 8: 0x3DC0000-0x3E08000, 288KB; dumps 3 and 9: the image mapping at 0x400000-0x2177000, 29.5MB), so the rule matched the same unpacked content at two points in time rather than four distinct payloads.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code (GeoID) configured in the registry, likely a geofence check.
Process / key value queried:
- fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
The Nation value under the user's HKCU\Control Panel\International\Geo key holds the decimal GeoID of the configured location; the S-1-5-21-... prefix is the sandbox user's hive, so when hunting for this query match on the key path suffix rather than the SID.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (8 IoCs)
Process (pid) -> target process (pid_target):
- WerFault.exe (2004) -> fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe (5064)
- WerFault.exe (2192) -> fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe (5064)
- WerFault.exe (5080) -> fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe (5064)
- WerFault.exe (448) -> fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe (5064)
- WerFault.exe (4152) -> fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe (5064)
- WerFault.exe (3676) -> fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe (5064)
- WerFault.exe (3848) -> fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe (5064)
- WerFault.exe (1104) -> fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe (5064)
Kills process with taskkill (1 IoC)
- taskkill.exe (pid 2228)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- taskkill.exe (pid 2228): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (6 IoCs)
Process -> target process (each pair is reported three times):
- PID 5064 fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe wrote to memory of 3612 cmd.exe (x3)
- PID 3612 cmd.exe wrote to memory of 2228 taskkill.exe (x3)
Processes
- fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe (PID 5064), image C:\Users\Admin\AppData\Local\Temp\fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 724 [Program crash]
  - WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 792 [Program crash]
  - WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 920 [Program crash]
  - WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 784 [Program crash]
  - WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 956 [Program crash]
  - WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 980 [Program crash]
  - WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 996 [Program crash]
  - cmd.exe (PID 3612), image C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe" & exit
    Signatures: Suspicious use of WriteProcessMemory
    - taskkill.exe (PID 2228), image C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe" /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 920 [Program crash]
- WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5064 -ip 5064
- WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5064 -ip 5064
- WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5064 -ip 5064
- WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5064 -ip 5064
- WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5064 -ip 5064
- WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5064 -ip 5064
- WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5064 -ip 5064
- WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5064 -ip 5064
- msedge.exe: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8 (top-level, no signatures; not a child of the sample)
Reading the tree: the cmd.exe child is the sample's self-delete routine, killing its own image by name and then erasing the file from %TEMP%. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe, which is the WOW64 file-system redirection applied because the 32-bit sample launched it; match on the SysWOW64 image path when hunting this on x64 hosts. The eight "-u -p 5064" WerFault children are in-process crash reporters launched by the sample, and the eight top-level "-pss ... -ip 5064" instances correspond one-to-one with them for the same reports, so the sample crashed eight times, not sixteen.
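The two behaviours in the tree above that are worth turning into detection logic are the self-delete chain (sample -> cmd.exe -> taskkill /im "<own image>" & erase "<own path>") and the crash loop (many WerFault launches against one PID). The following is an added example, not sandbox output or any vendor's code: it runs that logic over process-creation records constructed to mirror this page. The record fields (pid, ppid, image, cmd) are an assumption modelled on Sysmon Event ID 1, the pairing of WerFault PIDs with -s handle values is constructed because the page lists them in separate tables, and PID 1500 / ppid 4000 / ppid 900 are placeholders.

```python
"""Detection logic for two behaviours visible in the sandbox process tree:
(1) self-delete: a process spawns cmd.exe to taskkill its own image name and
    erase/del its own image path;
(2) crash loop: many WerFault.exe '-u -p <pid>' launches for one target PID.

EVENTS is constructed to mirror the page; it is not sandbox output. The field
names (pid, ppid, image, cmd) are an assumption modelled on Sysmon Event ID 1.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fb462b6cf7c1fcdd426c5735fd430bd3_JaffaCakes118.exe"
NAME = SAMPLE.rsplit("\\", 1)[-1]
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Root of the tree; ppid 4000 is a constructed placeholder for the launcher.
EVENTS = [
    {"pid": 5064, "ppid": 4000, "image": SAMPLE, "cmd": '"' + SAMPLE + '"'},
]
# Eight in-process crash reporters spawned by the sample. The PID/handle
# pairing is constructed (the page lists PIDs and -s handles in separate tables).
for pid, handle in zip([2004, 2192, 5080, 448, 4152, 3676, 3848, 1104],
                       [724, 792, 920, 784, 956, 980, 996, 920]):
    EVENTS.append({"pid": pid, "ppid": 5064, "image": WERFAULT,
                   "cmd": f"{WERFAULT} -u -p 5064 -s {handle}"})
# One WER-service companion for the same report; PID 1500 / ppid 900 are constructed.
EVENTS.append({"pid": 1500, "ppid": 900, "image": WERFAULT,
               "cmd": f"{WERFAULT} -pss -s 420 -p 5064 -ip 5064"})
# The self-delete chain from the page: sample -> cmd.exe -> taskkill.exe.
EVENTS += [
    {"pid": 3612, "ppid": 5064, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "' + NAME
            + '" /f & erase "' + SAMPLE + '" & exit'},
    {"pid": 2228, "ppid": 3612, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": 'taskkill /im "' + NAME + '" /f'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete(events):
    """Return (parent_pid, cmd_pid) pairs where a cmd.exe child is told to
    taskkill its parent's image name and erase/del its parent's image path."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not in the log window; cannot compare images
        cmd = e["cmd"].lower()
        kills = re.search(r'taskkill\b.*?/im\s+"?' + re.escape(basename(parent["image"])) + '"?', cmd)
        erases = re.search(r'\b(?:erase|del)\s+"?' + re.escape(parent["image"].lower()) + '"?', cmd)
        if kills and erases:
            hits.append((parent["pid"], e["pid"]))
    return hits


def find_crash_loops(events, threshold=3):
    """Count WerFault.exe launches of the form '-u -p <pid>' per target PID.
    The '-pss ... -ip' companions are skipped so one report is not counted twice."""
    per_target = Counter()
    for e in events:
        if basename(e["image"]) != "werfault.exe":
            continue
        m = re.search(r"\s-u\s+-p\s+(\d+)", e["cmd"])
        if m:
            per_target[int(m.group(1))] += 1
    return {pid: n for pid, n in per_target.items() if n >= threshold}


def ancestry(events, pid):
    """Image names from pid upward until an ancestor is missing from the log."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for ppid, cpid in find_self_delete(EVENTS):
        print(f"self-delete: pid {ppid} ({ancestry(EVENTS, ppid)[0]}) via cmd.exe pid {cpid}")
    for target, n in find_crash_loops(EVENTS).items():
        print(f"crash loop: {n} WerFault launches against pid {target}")
    print("taskkill ancestry:", " <- ".join(ancestry(EVENTS, 2228)))
```

The self-delete check deliberately requires both halves (kill by the parent's image name and erase/del of the parent's full path) so that ordinary "cmd /c taskkill" administration does not fire; the crash-loop threshold is a tunable, and counting only the "-u -p" form avoids doubling the count with the WER service's "-pss" companions, which the page shows in one-to-one correspondence.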
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/5064-1-0x0000000002250000-0x0000000002350000-memory.dmp (1024KB)
- memory/5064-2-0x0000000003DC0000-0x0000000003E08000-memory.dmp (288KB)
- memory/5064-3-0x0000000000400000-0x0000000002177000-memory.dmp (29.5MB)
- memory/5064-6-0x0000000002250000-0x0000000002350000-memory.dmp (1024KB)
- memory/5064-8-0x0000000003DC0000-0x0000000003E08000-memory.dmp (288KB)
- memory/5064-9-0x0000000000400000-0x0000000002177000-memory.dmp (29.5MB)