Analysis
max time kernel: 142s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 16:01
Static task: static1
Behavioral task: behavioral1
  Sample: 1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
Size: 2.2MB
MD5: 1fedb1fbce0fc41feabd5c54164547b5
SHA1: d75001fa1f4ff2a391aef04a5158b803d54798cd
SHA256: 6e5988c481f6aeb587b13c8ac878c14a14bae316461f02698025e2abc420ee82
SHA512: c5c08e202bd212340e581448dbf6d351ce3fd835313bb05e4b6fb344ba4bb47b9a76d8bba2a4a70c4a3fdcc64fd9fa7fc3926d606482d57abdf0c7323f321521
SSDEEP: 24576:HnHngD0Mmf9IvYzAne5uxTjpB0GsdYksLtXf+PIDmJusil3P+uuxT8FtrkzqaiP2:nse5+vv1afusa32dg7dAxxHy4ehFK
Malware Config
Extracted
latentbot
yeniceriler.zapto.org
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation  RUNDLL.EXE
  Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation  1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
  Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation  mickey.exe
Executes dropped EXE (3 IoCs)
Processes (pid / process):
  2636  mickey.exe
  2892  RUNDLL.EXE
  808   UNINS000.EXE
Loads dropped DLL (4 IoCs)
Processes (pid / process):
  2892  RUNDLL.EXE (2 entries)
  808   UNINS000.EXE (2 entries)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""  reg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid / process):
  968   1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe (10 entries)
  2636  mickey.exe (2 entries)
  2892  RUNDLL.EXE (2 entries)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid / process):
  2892  RUNDLL.EXE
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (source pid / source process -> target pid / target process; each pair is recorded 3 times):
  968   1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe  wrote to memory of  2636  mickey.exe
  2636  mickey.exe  wrote to memory of  2892  RUNDLL.EXE
  2636  mickey.exe  wrote to memory of  808   UNINS000.EXE
  2892  RUNDLL.EXE  wrote to memory of  1804  cmd.exe
  1804  cmd.exe  wrote to memory of  4344  cmd.exe
  4344  cmd.exe  wrote to memory of  1088  reg.exe
Processes (process tree; depth shown by indentation)
C:\Users\Admin\AppData\Local\Temp\1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\mickey.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mickey.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
      Command line: "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
            - Adds Run key to start application
            - Modifies registry key
    C:\Users\Admin\AppData\Roaming\UNINS000.EXE
      Command line: "C:\Users\Admin\AppData\Roaming\UNINS000.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
Downloads
C:\Users\Admin\AppData\Local\Temp\mickey.exe
  Filesize: 1.9MB
  MD5: fda26ab58b66096bdd8f8e1cb79569c7
  SHA1: d581aa899a4379b39eabd7101c1c5dbfc2c20e75
  SHA256: c9f50f5cecae36801a6af58c4a963677ac841bd906c9610c81a9459aa4fea12a
  SHA512: 47e0928bc7cbbf6b06e8b6a7e6167005cda7303d04e600f015fe8c4282202b123726c1fbc4b856a55eceed6d12b02a72b12f31bce3f0956e40bcdf2e97a4d90d
C:\Users\Admin\AppData\Local\Temp\run.bat
  Filesize: 145B
  MD5: 6b8393408a3f2df19ff1e68a4f720729
  SHA1: 03cbc980dd47a33bdfa18be80cbd3efdbbaf95c6
  SHA256: 623fecae412449f60ffd8f38862e73504124afb0754952a45103daff0de5a7c9
  SHA512: 235e3c1f0074282c8cd8d6d9b6dc0c71ae591f5ca6a2f2248f832359a1a452cfce26b5f80fddc5acd5aae811630441b640212b9b7a885f2d69e67813d8d846ca
C:\Users\Admin\AppData\Roaming\ntldr.dll
  Filesize: 495KB
  MD5: 55b218cafac2281a0d3ba330e8c4930b
  SHA1: b145044d120088be49f1c5d378b86560e69b1eb3
  SHA256: 72d99aa9b9f1f3c675c185fe983e303afecf4e8971e2e83d41b062c3588866a4
  SHA512: f106a6950f8ce1f432a7fb15051c8dd787b68b3151739d58aecc5ed69500dfb9c695a6d203e0f2d2746bc83074243dc835275a24353bdc0f64917cc38b437206
C:\Users\Admin\AppData\Roaming\rundll.exe
  Filesize: 512KB
  MD5: bc135565b79d80459045107690f8d840
  SHA1: e5daed1f571719a01ac6bae7c09044c0751492b5
  SHA256: dec0d5991ccd586dc1c4840b667643c92a93a8c0f2c68d84d32c140e1785c3e4
  SHA512: 1a91089a5661ae54b40323021fea7e941e1a7b3894b5ecda3d3fda7fc4320247ef258688970edf3192a3a0d12ec8881e5795fd8b7bf08404191691b727784f03
C:\Users\Admin\AppData\Roaming\unins000.exe
  Filesize: 679KB
  MD5: 0d44ba4db9a8f05b293ea264075b31dd
  SHA1: e894fcf4c0c3718021eb8d72e0d34c7d9b7cfd0c
  SHA256: aaae5d9d6783e9248919b1ad7b5f46b2b545e7d3faa59c864c485b61f1ad0973
  SHA512: 21126a90a24ffc494f97eb34c9d2139b052dd586638618bda9d2c296c4844a6e7b1cb3e0f84315ae3f1b5c0cfe0d39c8f60d9a1fcc88c7167e69746da9cba776
Memory dumps (dump / filesize):
  memory/808-41-0x0000000005BE0000-0x0000000005C62000-memory.dmp  520KB
  memory/808-38-0x0000000002100000-0x0000000002101000-memory.dmp  4KB
  memory/808-43-0x0000000000400000-0x00000000004B6000-memory.dmp  728KB
  memory/808-44-0x0000000005BE0000-0x0000000005C62000-memory.dmp  520KB
  memory/968-9-0x0000000000400000-0x0000000000453000-memory.dmp  332KB
  memory/2636-33-0x0000000000400000-0x00000000005F2000-memory.dmp  1.9MB
  memory/2892-34-0x0000000000B60000-0x0000000000B61000-memory.dmp  4KB
  memory/2892-30-0x0000000000A50000-0x0000000000AD2000-memory.dmp  520KB
  memory/2892-45-0x0000000000400000-0x000000000048C000-memory.dmp  560KB
  memory/2892-46-0x0000000000A50000-0x0000000000AD2000-memory.dmp  520KB