Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
01-07-2024 07:51
Static task
static1
Behavioral task
behavioral1
Sample
1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe
-
Size
356KB
-
MD5
1a803aa01ae2e2d63cc77268df29cd81
-
SHA1
cffd01a22412e9c97d452eba82afeaaad68e80b7
-
SHA256
1b5407e195523efb8b3a0a8f158a4711d7542566814e0768561bfa344f8ba01e
-
SHA512
cb003bf9d6afdadb40a5e72f4930688d082947c489d30f3dea6d834ea53e8a4c9991df9a9fcdbfc22337d28643ea2228c89cd511a1c048298ff5bee782ccefec
-
SSDEEP
6144:zWv4Cm0pH6+aBYHoAaqWeN+m0t11BLefT+in19wOlDzPGUC:zWv4Cm0Z0SoA570tX059wOlDC
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
Processes:
1277497836.exeinstall.48596.exepid process 4284 1277497836.exe 3212 install.48596.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exedescription ioc process File opened for modification \??\PhysicalDrive0 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exedescription pid process target process PID 1336 set thread context of 1376 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 1052 3212 WerFault.exe install.48596.exe 2328 4284 WerFault.exe 1277497836.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exepid process 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1376 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exedescription pid process target process PID 1336 wrote to memory of 1376 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe PID 1336 wrote to memory of 1376 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe PID 1336 wrote to memory of 1376 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe PID 1336 wrote to memory of 1376 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe PID 1336 wrote to memory of 1376 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe PID 1336 wrote to memory of 1376 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe PID 1336 wrote to memory of 1376 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe PID 1336 wrote to memory of 1376 1336 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe PID 1376 wrote to memory of 4284 1376 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1277497836.exe PID 1376 wrote to memory of 4284 1376 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1277497836.exe PID 1376 wrote to memory of 4284 1376 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe 1277497836.exe PID 1376 wrote to memory of 3212 1376 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe install.48596.exe PID 1376 wrote to memory of 3212 1376 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe install.48596.exe PID 1376 wrote to memory of 3212 1376 1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe install.48596.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a803aa01ae2e2d63cc77268df29cd81_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1277497836.exe"C:\Users\Admin\AppData\Local\Temp\1277497836.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 4324⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\install.48596.exe"C:\Users\Admin\AppData\Local\Temp\install.48596.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 2724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4284 -ip 42841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3212 -ip 32121⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1277497836.exeFilesize
95KB
MD5c8362f57cf7a2271a20c8056cc49b65e
SHA15d6740e14c0c6030bf5cb288ca4b1cad2e8a9a1d
SHA2569dbee09790bb0eff14a644fb7d4e5fc5fcec019aa0c80e4c8778076ba329eec8
SHA512a7fee49f3176658390ea23c077b7945eeb0dc6a8b3eec1f60d7d10e4645439e39cd7d0de8368d16fc9c06f2b5d05fb5f77de6f73edbd82b0372b4b83fe9a3494
-
C:\Users\Admin\AppData\Local\Temp\install.48596.exeFilesize
124KB
MD597232d4a91eebac55a4aa3037ef676b3
SHA100a7dd88a5c9aafd7f82352457b6b578c69a2539
SHA256981faf0980638057cb656e7921257ff3a2a44231c03495f7e6a19cf7ece20754
SHA512e5825f34f8ca6f164f8ae76a2d1a4670daed257733df764cc60d60f7e5f10c13478d3c757dc7de5028f1dcdd00343d16ff4ea500e7a9ce8951772acca2120ccb
-
memory/1376-2-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/1376-4-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/1376-31-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/3212-29-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/3212-30-0x00000000005D0000-0x00000000005FD000-memory.dmpFilesize
180KB