Analysis
- max time kernel: 149s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 11:53
Behavioral task: behavioral1
- Sample: 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe
- Size: 260KB
- MD5: 15e8a1c4d5021e76f933cb1bc895b9c2
- SHA1: 8c99da193987bdc6791844a050f9dd7af4dc1b6b
- SHA256: 666de371c4fa9b36781cc0cfb0964e7fc8cf7a0223e08aa07ecf7e06befc7397
- SHA512: dacfa9e9ac314f58421d96dc0e2bcb2a85b0f3949d2e1f6f3781a5c96da82846ff28f60bb21f5c157f932ca06e3dcf134e1b80bc2956fa49e5a880c7608d3615
- SSDEEP: 3072:Fu+i+nbUpVIiCm6qrBbGBPQOfQQ6FpuB3zOa9vMpuk/Xey:4+iuqVtCm6qryIOf7Yp4jOa9Up9
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (process: 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 2020: temp.exe
- Drops file in System32 directory (4 IoCs)
  Processes (sysprep.exe):
  - File opened for modification: C:\Windows\system32\sysprep\Panther\diagerr.xml
  - File opened for modification: C:\Windows\system32\sysprep\Panther\diagwrn.xml
  - File opened for modification: C:\Windows\system32\sysprep\Panther\setupact.log
  - File opened for modification: C:\Windows\system32\sysprep\Panther\setuperr.log
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - PID 2020: temp.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes (Explorer.EXE, PID 3212):
  - Token: SeShutdownPrivilege (5 events)
  - Token: SeCreatePagefilePrivilege (5 events)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
  - PID 1900 (15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe) wrote to memory of PID 2020 (temp.exe): 2 events
  - PID 2020 (temp.exe) wrote to memory of PID 3212 (Explorer.EXE): 20 events
  - PID 3212 (Explorer.EXE) wrote to memory of PID 2864 (sysprep.exe): 2 events
Processes
- C:\Windows\Explorer.EXE (PID 3212, depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe (PID 1900, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\temp.exe (PID 2020, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\sysprep\sysprep.exe (PID 2864, depth 2)
    Command line: "C:\Windows\system32\sysprep\sysprep.exe" "C:\Users\Admin\AppData\Local\Temp\net.exe" "C:\Windows\system32" ""
    - Drops file in System32 directory
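The process tree and the WriteProcessMemory signature together show a chain worth detecting generically: an executable running from the user's Temp directory (temp.exe, PID 2020) writes into Explorer.EXE (PID 3212), and Explorer.EXE then launches the signed system binary sysprep.exe with a command-line argument pointing back into Temp. The following is an added example, not part of the Triage report or its sandbox: it runs two rules over a constructed list of events that reuses the PIDs, paths and command line shown above, plus one benign Explorer.EXE child as a control, and correlates the rules through the parent PID. The `Event` record layout, the Temp-path regex and the severity labels are this example's own assumptions, not a Triage schema.

```python
"""
Added example (not from the Triage report): detect a Temp-resident process
writing into an Explorer.EXE-style system process, and that same process
later spawning sysprep.exe with a Temp path on its command line.
The events below are constructed to mirror the report's process tree.
"""
import re
from dataclasses import dataclass

# Assumption: a user-writable location is the per-user Temp directory.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Assumption: images under C:\Windows are the "system" side of the rule.
SYSTEM_ROOT = re.compile(r"^[a-z]:\\windows\\", re.I)
# Quoted or bare command-line tokens (shlex is avoided: Windows backslashes).
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class Event:
    kind: str                 # "process_create" or "write_memory" (example schema)
    pid: int
    image: str
    parent_pid: int = 0       # process_create only
    parent_image: str = ""    # process_create only
    cmdline: str = ""         # process_create only
    target_pid: int = 0       # write_memory only
    target_image: str = ""    # write_memory only


def cmdline_tokens(cmdline):
    """Split a Windows command line, honouring double quotes; '""' yields ''."""
    return [q if u == "" else u for q, u in TOKEN.findall(cmdline)]


def temp_to_system_writes(events):
    """Rule 1: a Temp-resident process writes into a process whose image is under C:\\Windows."""
    return [e for e in events
            if e.kind == "write_memory"
            and USER_WRITABLE.match(e.image)
            and SYSTEM_ROOT.match(e.target_image)]


def sysprep_with_temp_argument(events):
    """Rule 2: sysprep.exe started with any argument that points into a user-writable directory."""
    hits = []
    for e in events:
        if e.kind != "process_create" or not e.image.lower().endswith("\\sysprep.exe"):
            continue
        args = cmdline_tokens(e.cmdline)[1:]          # drop argv[0]
        if any(USER_WRITABLE.match(a) for a in args):
            hits.append(e)
    return hits


def correlate(events):
    """Chain the rules: a Rule-1 write targeted the PID that later spawned the Rule-2 sysprep.exe."""
    writes = temp_to_system_writes(events)
    findings = []
    for spawn in sysprep_with_temp_argument(events):
        injectors = sorted({w.pid for w in writes if w.target_pid == spawn.parent_pid})
        findings.append({
            "sysprep_pid": spawn.pid,
            "parent_pid": spawn.parent_pid,
            "injected_by": injectors,              # Temp processes that wrote into the parent
            "severity": "high" if injectors else "medium",
        })
    return findings


# Constructed events modelled on the report's process tree and WriteProcessMemory IoCs.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe"
TEMP_EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\temp.exe"
EXPLORER = "C:\\Windows\\Explorer.EXE"
SYSPREP = "C:\\Windows\\system32\\sysprep\\sysprep.exe"
NOTEPAD = "C:\\Windows\\System32\\notepad.exe"

EVENTS = [
    Event("process_create", 1900, SAMPLE, parent_pid=3212, parent_image=EXPLORER, cmdline=f'"{SAMPLE}"'),
    Event("process_create", 2020, TEMP_EXE, parent_pid=1900, parent_image=SAMPLE, cmdline=f'"{TEMP_EXE}"'),
    Event("write_memory", 1900, SAMPLE, target_pid=2020, target_image=TEMP_EXE),   # Temp -> Temp: not Rule 1
    Event("write_memory", 2020, TEMP_EXE, target_pid=3212, target_image=EXPLORER),  # Temp -> Explorer: Rule 1
    Event("process_create", 2864, SYSPREP, parent_pid=3212, parent_image=EXPLORER,
          cmdline=f'"{SYSPREP}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\net.exe" "C:\\Windows\\system32" ""'),
    # Benign control (constructed): Explorer launching Notepad with no Temp argument.
    Event("process_create", 4100, NOTEPAD, parent_pid=3212, parent_image=EXPLORER, cmdline=f'"{NOTEPAD}"'),
]

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Rule 1 deliberately ignores the first write (PID 1900 into PID 2020) because both images live in Temp; that is ordinary dropper-to-payload hand-off and would flood a detection with benign installers. The chained finding is what distinguishes this tree from a legitimate sysprep run: the parent that launched sysprep.exe had just been written to by an unsigned Temp binary.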
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  Filesize: 86KB
  MD5: 425609a2c35081730982a01d72a76cbe
  SHA1: 64f95fe985a7ef7ee4f396e36279aa31498ac3cc
  SHA256: e03145fefe7fef82c2a476d7dec03305d7da79cd3c8fe1578177580175febbd3
  SHA512: 6ede1415ac51d588a71bfb5697a599eb777e9530240b7a3524626d2a230bb51017c9b3d05923c5cb41800cca9818f2d99484310390a0425ef8e48984c4c9cfd4
- memory/3212-62-0x00000000029B0000-0x00000000029B1000-memory.dmp
  Filesize: 4KB
- memory/3212-61-0x00000000028D0000-0x00000000028D1000-memory.dmp
  Filesize: 4KB