Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 14:16
Static task: static1

Behavioral task: behavioral1
  Sample: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General

Target: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
Size: 659KB
MD5: 1a706d5383c7092d51ca8e7f12530649
SHA1: 4aa83450fdc8e594697ea541518949c2a04bb7b0
SHA256: 81d522b210d792d32e3d44735e3c7c39a57eae172f5520fa4b55ed1007efdea0
SHA512: 406626bb597e60325fcd168eeaca763b27cf7bd206ecf3cc2a253d54a80934d0b10616a3cb92fd67c91bfa04417ede23c07054f0d3a8d87f210cc5d958330cf4
SSDEEP: 12288:d5RdOR3PHKhGLxe0DA8PSTRK8AYHv1L8qKtZTln7NEakAR8+JU/w:H3OR3PHKux7DA8PMfrHUtZhnxEa9R8tY
Malware Config
Signatures
- Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.Net CLR\Parameters\ServiceDll = "C:\\Windows\\system32\\e57d522.dll"
    process: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation
    process: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid   process
    1564  1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
    3284  svchost.exe
    3224  rundll32.exe
-
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/1564-13-0x00000000755F0000-0x0000000075779000-memory.dmp  vmprotect
    C:\Windows\SysWOW64\e57d522.dll                                             vmprotect
    behavioral2/memory/3284-19-0x00000000755F0000-0x0000000075779000-memory.dmp  vmprotect
    behavioral2/memory/3224-21-0x00000000755F0000-0x0000000075779000-memory.dmp  vmprotect
- Drops file in System32 directory (1 IoCs)
  Processes:
    description: File created
    ioc: C:\Windows\SysWOW64\e57d522.dll
    process: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3224  rundll32.exe
    3224  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1564
    process: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                                               target process
    PID 3284 wrote to memory of 3224  3284  svchost.exe                                           rundll32.exe
    PID 3284 wrote to memory of 3224  3284  svchost.exe                                           rundll32.exe
    PID 3284 wrote to memory of 3224  3284  svchost.exe                                           rundll32.exe
    PID 1564 wrote to memory of 3212  1564  1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe  cmd.exe
    PID 1564 wrote to memory of 3212  1564  1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe  cmd.exe
    PID 1564 wrote to memory of 3212  1564  1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe  cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe"
  - Server Software Component: Terminal Services DLL
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\1A706D~1.EXE" > nul

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k ".Net CLR"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe c:\windows\system32\e57d522.dll, Launch
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Windows\SysWOW64\e57d522.dll
  Filesize: 371KB
  MD5: e4060e2410ea64e00f85d83bfb137bfb
  SHA1: f230ecb9b0d8bc88ec0f82ce74c80143b2e5458a
  SHA256: fe30c3f8c5e47e7a9b51404357dd96281062f08ff6a2230f1edf5f807bd43c75
  SHA512: 83a518435605bd7b7150539061dfb8b63da24cbc59c9d4db909120314e4eae24a0cb1e675b52c4567365f261d9bc6cda54a6a901b243d40b0f3238ad1e3175dd

Memory dumps:
  memory/1564-6-0x0000000000400000-0x0000000000516000-memory.dmp    Filesize: 1.1MB
  memory/1564-9-0x0000000002130000-0x0000000002220000-memory.dmp    Filesize: 960KB
  memory/1564-14-0x0000000000401000-0x0000000000408000-memory.dmp   Filesize: 28KB
  memory/1564-13-0x00000000755F0000-0x0000000075779000-memory.dmp   Filesize: 1.5MB
  memory/1564-4-0x0000000000400000-0x0000000000516000-memory.dmp    Filesize: 1.1MB
  memory/1564-7-0x0000000000400000-0x0000000000516000-memory.dmp    Filesize: 1.1MB
  memory/1564-5-0x0000000000400000-0x0000000000516000-memory.dmp    Filesize: 1.1MB
  memory/1564-0-0x0000000000400000-0x0000000000516000-memory.dmp    Filesize: 1.1MB
  memory/1564-12-0x0000000002280000-0x0000000002420000-memory.dmp   Filesize: 1.6MB
  memory/1564-3-0x0000000000740000-0x0000000000780000-memory.dmp    Filesize: 256KB
  memory/1564-2-0x0000000000780000-0x0000000000781000-memory.dmp    Filesize: 4KB
  memory/1564-1-0x0000000000740000-0x0000000000780000-memory.dmp    Filesize: 256KB
  memory/1564-24-0x0000000000400000-0x0000000000516000-memory.dmp   Filesize: 1.1MB
  memory/1564-25-0x0000000000740000-0x0000000000780000-memory.dmp   Filesize: 256KB
  memory/3224-21-0x00000000755F0000-0x0000000075779000-memory.dmp   Filesize: 1.5MB
  memory/3284-19-0x00000000755F0000-0x0000000075779000-memory.dmp   Filesize: 1.5MB