Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 01:53
Static task: static1
Behavioral task: behavioral1
Sample: b13278b22966a77e73ba4e2d7b21c663_JaffaCakes118.exe
Resource: win7-20240611-en
General
- Target: b13278b22966a77e73ba4e2d7b21c663_JaffaCakes118.exe
- Size: 320KB
- MD5: b13278b22966a77e73ba4e2d7b21c663
- SHA1: a698b00e96fc5695f30ce86f2cffafdc801627b0
- SHA256: 95dd9969858c4190c605a39044ab1f42d42266dbf8881ee6ef5ef9ab072efc86
- SHA512: 9e2420d8f0271a5f6adc02942d0160f10edcfe84080b4c482ea87f21086fbd828b2dfa24f100ab517750b487830968931dd023490566eb5f4148696efc0a7be2
- SSDEEP: 6144:OZ5GHKqSccAXTIzUzWvxv7vV+G7zPoAz0Q54HeyJAud+V3Oj:ObGHKDccAX0AWvxzvV+zAz03HFB
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    b13278b22966a77e73ba4e2d7b21c663_JaffaCakes118.exe
      Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2360: b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
    b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe
      File opened for modification: C:\Windows\assembly\Desktop.ini
      File created: C:\Windows\assembly\Desktop.ini
- Drops file in Windows directory (3 IoCs)
  Processes:
    b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe
      File opened for modification: C:\Windows\assembly
      File created: C:\Windows\assembly\Desktop.ini
      File opened for modification: C:\Windows\assembly\Desktop.ini
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 2360: b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    PID 4888 b13278b22966a77e73ba4e2d7b21c663_JaffaCakes118.exe: Token SeDebugPrivilege
    PID 2360 b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe: Token SeDebugPrivilege
    PID 2360 b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe: Token 33
    PID 2360 b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe: Token SeIncBasePriorityPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 2360: b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID -> target PID, source process -> target process; each row was reported three times):
    PID 4888 wrote to memory of 2360: b13278b22966a77e73ba4e2d7b21c663_JaffaCakes118.exe -> b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe
    PID 4888 wrote to memory of 4544: b13278b22966a77e73ba4e2d7b21c663_JaffaCakes118.exe -> cmd.exe
    PID 4544 wrote to memory of 3320: cmd.exe -> PING.EXE
Processes
PID 4888: C:\Users\Admin\AppData\Local\Temp\b13278b22966a77e73ba4e2d7b21c663_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b13278b22966a77e73ba4e2d7b21c663_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    PID 2360: C:\Users\Admin\AppData\Local\Temp\b13278b22966a77e73ba4e2d7b21c663_jaffacakes118\b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b13278b22966a77e73ba4e2d7b21c663_jaffacakes118\b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe"
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    PID 4544: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\b13278b22966a77e73ba4e2d7b21c663_JaffaCakes118.exe"
      - Suspicious use of WriteProcessMemory
        PID 3320: C:\Windows\SysWOW64\PING.EXE
          Command line: ping 1.1.1.1 -n 1 -w 1000
          - Runs ping.exe
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
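The behaviours the signatures and the process tree above record are straightforward to re-derive from raw endpoint telemetry: the Geo\Nation registry read, the relaunch of a byte-identical copy from a sub-folder of %TEMP%, the parent-to-child WriteProcessMemory rows, and the cmd.exe node that sleeps via ping and then deletes the original sample. The Python below is an added triage example, not the sandbox's own rule set. It runs those four checks over a constructed, Sysmon-like event list whose PIDs, paths and SHA256 are copied from this report; the event field names, the placeholder hashes for cmd.exe and PING.EXE, the parent PID 1234 and the two memwrite records are assumptions. The delay and delete patterns are deliberately wider than the single `ping ... & Del` instance on this page (they also catch `timeout`/`waitfor` and `erase`), and the self-delete check only fires when the deleted path is the image of an ancestor process, which is what separates a self-deleting dropper from ordinary cleanup scripts.

```python
import re

# Constructed, Sysmon-like event records (not the sandbox's real export format).
# PIDs, paths and the sample hash mirror the process tree and hash fields in the report above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b13278b22966a77e73ba4e2d7b21c663_JaffaCakes118.exe"
COPY = (r"C:\Users\Admin\AppData\Local\Temp\b13278b22966a77e73ba4e2d7b21c663_jaffacakes118"
        r"\b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe")
SHA256 = "95dd9969858c4190c605a39044ab1f42d42266dbf8881ee6ef5ef9ab072efc86"
CMD_LINE = '"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "' + SAMPLE + '"'

EVENTS = [
    # Parent PID 1234 is an assumption: the report does not name the sample's parent.
    {"type": "process", "pid": 4888, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "sha256": SHA256},
    {"type": "registry", "pid": 4888,
     "key": r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 2360, "ppid": 4888, "image": COPY, "cmdline": f'"{COPY}"', "sha256": SHA256},
    {"type": "memwrite", "source_pid": 4888, "target_pid": 2360},
    # Hashes for the system binaries are placeholders; only their inequality with SHA256 matters here.
    {"type": "process", "pid": 4544, "ppid": 4888, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": CMD_LINE, "sha256": "placeholder-sha256-cmd.exe"},
    {"type": "memwrite", "source_pid": 4888, "target_pid": 4544},
    {"type": "process", "pid": 3320, "ppid": 4544, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 1.1.1.1 -n 1 -w 1000", "sha256": "placeholder-sha256-ping.exe"},
]

# Registry value the geofence signature keys on; the SID prefix varies per user, so match the tail only.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# Delay primitives commonly chained before a self-delete, and the delete verb with its quoted target.
DELAY_CMD = re.compile(r"\b(?:ping|timeout|waitfor)\b", re.IGNORECASE)
DELETE_CMD = re.compile(r'\b(?:del|erase)\b[^"&]*"([^"]+)"', re.IGNORECASE)


def _procs(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def _ancestor_images(procs, pid):
    """Lower-cased image paths of pid and its ancestors; stops at PIDs absent from the event set."""
    images, seen = set(), set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        images.add(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return images


def geofence_queries(events):
    """PIDs that read the user's GeoID: the 'Checks computer location settings' signature."""
    return sorted({e["pid"] for e in events if e["type"] == "registry" and GEO_NATION.search(e["key"])})


def self_copy_launches(events):
    """(parent, child) pairs where the child is a byte-identical copy of its parent at a new path."""
    procs = _procs(events)
    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent and parent["sha256"] == p["sha256"] and parent["image"].lower() != p["image"].lower():
            hits.append((parent["pid"], p["pid"]))
    return hits


def self_delete_commands(events):
    """(shell pid, deleted path) where a shell delays, then deletes the image of one of its ancestors."""
    procs = _procs(events)
    hits = []
    for p in procs.values():
        cmd = p.get("cmdline", "")
        m = DELETE_CMD.search(cmd)
        if m and DELAY_CMD.search(cmd) and m.group(1).lower() in _ancestor_images(procs, p["ppid"]):
            hits.append((p["pid"], m.group(1)))
    return hits


def child_memory_writes(events):
    """(source, target) where a process writes into a child it spawned, as in the report's WriteProcessMemory rows."""
    procs = _procs(events)
    return [(e["source_pid"], e["target_pid"]) for e in events
            if e["type"] == "memwrite" and procs.get(e["target_pid"], {}).get("ppid") == e["source_pid"]]


if __name__ == "__main__":
    print("geofence queries:  ", geofence_queries(EVENTS))
    print("self-copy launches:", self_copy_launches(EVENTS))
    print("self-delete chains:", self_delete_commands(EVENTS))
    print("child mem writes:  ", child_memory_writes(EVENTS))
```

Two caveats when reading the output. A parent-to-child memory write immediately after process creation is also what CreateProcess itself does when it places the process parameters into the new child, so `child_memory_writes` tells you where to look for injection or hollowing, not that it occurred; the same applies to the sandbox signature it mirrors. And the geofence check only reports that the GeoID was read, not how the sample reacted to it; confirming the geofence means re-running with a different Geo\Nation value and comparing the two traces.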
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\b13278b22966a77e73ba4e2d7b21c663_jaffacakes118\b13278b22966a77e73ba4e2d7b21c663_jaffacakes118.exe
  Filesize: 320KB
  MD5: b13278b22966a77e73ba4e2d7b21c663
  SHA1: a698b00e96fc5695f30ce86f2cffafdc801627b0
  SHA256: 95dd9969858c4190c605a39044ab1f42d42266dbf8881ee6ef5ef9ab072efc86
  SHA512: 9e2420d8f0271a5f6adc02942d0160f10edcfe84080b4c482ea87f21086fbd828b2dfa24f100ab517750b487830968931dd023490566eb5f4148696efc0a7be2
  (All four hashes match the submitted sample in the General section: the dropped file is a byte-identical self-copy, not a second-stage payload.)
- memory/2360-16-0x0000000074DB0000-0x0000000075361000-memory.dmp (Filesize: 5.7MB)
- memory/2360-17-0x0000000074DB0000-0x0000000075361000-memory.dmp (Filesize: 5.7MB)
- memory/2360-18-0x0000000074DB0000-0x0000000075361000-memory.dmp (Filesize: 5.7MB)
- memory/2360-20-0x0000000074DB0000-0x0000000075361000-memory.dmp (Filesize: 5.7MB)
- memory/2360-28-0x0000000074DB0000-0x0000000075361000-memory.dmp (Filesize: 5.7MB)
- memory/2360-29-0x0000000074DB0000-0x0000000075361000-memory.dmp (Filesize: 5.7MB)
- memory/4888-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp (Filesize: 4KB)
- memory/4888-1-0x0000000074DB0000-0x0000000075361000-memory.dmp (Filesize: 5.7MB)
- memory/4888-2-0x0000000074DB0000-0x0000000075361000-memory.dmp (Filesize: 5.7MB)
- memory/4888-3-0x0000000074DB0000-0x0000000075361000-memory.dmp (Filesize: 5.7MB)
- memory/4888-19-0x0000000074DB0000-0x0000000075361000-memory.dmp (Filesize: 5.7MB)