Analysis

Max time kernel: 140s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-07-2024 12:52
Behavioral task: behavioral1
Sample: 1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe
Resource: win7-20240611-en
General

Target: 1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe
Size: 37KB
MD5: 1b5e9b41d4655cc7606ddd1e3eb99412
SHA1: 45b4030dcdaee61dc483bf6a7a247fb1a95da3e7
SHA256: 91ec9033043c030c6ceb73093da3dff25f8ec66446a4d2fedc45517fcbb0e471
SHA512: 6e0ebd92159ae527e584ed1c58a80f90f78f151b2940e75c40f6913edab8968bbc876a4d3b3e869ce9da0675608020b319db8edf1bc67a35fd9a5d00b13e0b7f
SSDEEP: 768:daRaNDkIPL0KvmjqW0jbWHJa2DcIPZ5clNs6fpv0/iAy1gLlH3Z4JEXNnbcuyD7D:dHNDkmLfmmW0waGCNs6KRy1gLlXZ9XNW
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Process: 1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe
Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
Process: ctfmon.exe (PID 3264)

Loads dropped DLL (1 IoC)
Process: 1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe (PID 3568)

YARA match: upx (UPX-packed code in memory)
Resources: behavioral2/memory/3568-0-0x0000000000400000-0x000000000041A000-memory.dmp, behavioral2/memory/3568-19-0x0000000000400000-0x000000000041A000-memory.dmp

YARA match: vmprotect (VMProtect-packed file)
Resource: C:\Users\Admin\AppData\Local\Temp\240606593n02.dll

Drops file in Windows directory (2 IoCs)
Process: 1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe
File created: C:\Windows\ctfmon.exe
File opened for modification: C:\Windows\ctfmon.exe
Note that the dropped binary reuses the name of the legitimate Windows input-method host, ctfmon.exe, which Windows ships under System32 (and SysWOW64), not directly under C:\Windows; a copy at this path is a masquerade, not the system binary.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Process: 1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe (PID 3568), 18 hits

Suspicious use of SetWindowsHookEx (1 IoC)
Process: 1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe (PID 3568)

Suspicious use of WriteProcessMemory (2 IoCs)
PID 3568 (1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe) wrote to memory of PID 3264 (ctfmon.exe), 2 hits
Processes

1. C:\Users\Admin\AppData\Local\Temp\1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe (PID 3568)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b5e9b41d4655cc7606ddd1e3eb99412_JaffaCakes118.exe"
   - Checks computer location settings
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\ctfmon.exe (PID 3264), child of process 1
   Command line: "C:\Windows\ctfmon.exe"
   - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\240606593n02.dll
Filesize: 66KB
MD5: ec39468e25be5f579339bbcf0b90317f
SHA1: dd8675cbf093194a05d94df6b71c649c4cab4803
SHA256: 1749618bc984d1e546bfbb5c16bfcb9187c13b7e402a1f29a6a7eec86f743e43
SHA512: 65f8cb19b82cb067d415597afd24ceacda253b7769784bd4c92c09536db91b87d509cde3280fc71397f5c3f2326a512fcfdd63a83bffbd20c343c3e1eb5db84c

C:\Windows\ctfmon.exe
Filesize: 207KB
MD5: 1c1760ed4d19cdbecb2398216922628b
SHA1: 66b6158b28cc2b970e454b6a8cf1824dd99e4029
SHA256: d66458a3eb1b68715b552b3af32a9d2e889bbf8ac0c23c1afa8d0982023d1ce2
SHA512: f058eda0c65e59105a7c794721697782f1e1db759c69a11dab09ca454aa89767addcc8ecefa54995527bc2cae983e44c9ed42b0973fdb47435b31428150b96db

memory/3568-0-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize: 104KB

memory/3568-19-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize: 104KB
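The report shows the sample writing an executable named ctfmon.exe directly under C:\Windows and launching it as a child process. Windows ships its own ctfmon.exe under System32 (and SysWOW64), so a ctfmon.exe at any other path under the Windows directory is a masquerade. The script below is an added example for hunting this on other hosts; it is not part of the sandbox report or its tooling. It walks a drive, hashes every file, flags matches against the MD5/SHA256 values listed in this report, and flags any ctfmon.exe found under the Windows directory but outside System32/SysWOW64. The directory layout it scans is constructed in a temporary directory with placeholder bytes; because placeholders never hash to the real IoCs, the demo adds its own constructed file's hash to a copy of the IoC set so the hash-match branch is exercised offline.

```python
"""IoC sweep for the dropped ctfmon.exe: added example, not from the report."""
import hashlib
import os
import tempfile
from pathlib import PurePath

# Hashes copied from the report's General and Downloads sections.
REPORT_IOCS = {
    "md5": {
        "1b5e9b41d4655cc7606ddd1e3eb99412",  # original sample
        "ec39468e25be5f579339bbcf0b90317f",  # 240606593n02.dll (VMProtect-packed)
        "1c1760ed4d19cdbecb2398216922628b",  # dropped C:\Windows\ctfmon.exe
    },
    "sha256": {
        "91ec9033043c030c6ceb73093da3dff25f8ec66446a4d2fedc45517fcbb0e471",
        "1749618bc984d1e546bfbb5c16bfcb9187c13b7e402a1f29a6a7eec86f743e43",
        "d66458a3eb1b68715b552b3af32a9d2e889bbf8ac0c23c1afa8d0982023d1ce2",
    },
}

# Subdirectories of the Windows folder where Microsoft ships ctfmon.exe.
LEGIT_CTFMON_DIRS = {("system32",), ("syswow64",)}


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, streaming in 64 KiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def is_masquerading_ctfmon(rel_parts):
    """True for a ctfmon.exe under the Windows dir but not in System32/SysWOW64.

    rel_parts are path components relative to the drive root, e.g.
    ('Windows', 'ctfmon.exe') -> True, ('Windows', 'System32', 'ctfmon.exe') -> False.
    """
    parts = tuple(p.lower() for p in rel_parts)
    if len(parts) < 2 or parts[0] != "windows" or parts[-1] != "ctfmon.exe":
        return False
    return parts[1:-1] not in LEGIT_CTFMON_DIRS


def sweep(drive_root, iocs=REPORT_IOCS):
    """Walk drive_root and return [(rel_parts, reason), ...] for every hit."""
    findings = []
    for dirpath, _, filenames in os.walk(drive_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel_parts = PurePath(os.path.relpath(full, drive_root)).parts
            md5, sha256 = hash_file(full)
            if md5 in iocs["md5"] or sha256 in iocs["sha256"]:
                findings.append((rel_parts, "hash matches report IoC"))
            if is_masquerading_ctfmon(rel_parts):
                findings.append((rel_parts, "ctfmon.exe outside System32/SysWOW64"))
    return findings


def build_demo_tree(base):
    """Constructed layout mirroring the report's paths; file contents are placeholders."""
    layout = {
        ("Windows", "System32", "ctfmon.exe"): b"MZ placeholder: legitimate ctfmon.exe",
        ("Windows", "ctfmon.exe"): b"MZ placeholder: dropped ctfmon.exe",
        ("Users", "Admin", "AppData", "Local", "Temp", "240606593n02.dll"): b"MZ placeholder: dropped DLL",
    }
    for parts, data in layout.items():
        path = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Run the sweep over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        # Placeholder bytes never hash to the real IoCs, so add the constructed
        # DLL's own MD5 to a copy of the set to exercise the hash-match branch.
        iocs = {k: set(v) for k, v in REPORT_IOCS.items()}
        dll = os.path.join(base, "Users", "Admin", "AppData", "Local", "Temp", "240606593n02.dll")
        iocs["md5"].add(hash_file(dll)[0])
        return sweep(base, iocs)


if __name__ == "__main__":
    for rel_parts, reason in demo():
        print("/".join(rel_parts), "->", reason)
```

On a live host, call sweep("C:\\") with the unmodified REPORT_IOCS; hashing an entire system drive is slow, so restrict drive_root to C:\Windows and user profile directories when triaging at scale. The demo flags exactly two entries: the ctfmon.exe directly under Windows (by location) and the constructed DLL (by hash); the System32 copy is left alone.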