Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 22:02
Static task: static1
Behavioral task: behavioral1
Sample: 1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: 1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe
Size: 262KB
MD5: 1ca75a402f294bb1335ff4eef986e32e
SHA1: 9750128a6ee6b7f83436d99054113c056a6bfd10
SHA256: 52b92a536bc1ffea65c2bdb27f51825d74f41926289c7a8d3f65b7400dddd483
SHA512: 458d488b4c32c68b16a0b4d20167a07329025a72395cb8e6e10f9bde966f452bc58f11aae97e0a638519607b3705449dfed6c5f009918e1a860d139680d40c0a
SSDEEP: 6144:+TpqGbdkGtc/pIG9puxV3XW27azxQBSfhmBrW9Yg3I/heafx3k:7GbdkGoIG2xVHW2m9QQJgWmg3SheafxU
Malware Config
Signatures

Drops file in Drivers directory (3 IoCs)
Processes: 0912-30.exe, rundll32.exe
  File created: C:\Windows\SysWOW64\drivers\pcidump.sys (0912-30.exe)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (0912-30.exe)
  File created: C:\Windows\SysWOW64\drivers\acpiec.sys (rundll32.exe)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe, ope5323.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (ope5323.exe)

Executes dropped EXE (5 IoCs)
Processes (pid, process):
  2680 ope5285.exe
  4368 ope5303.exe
  1116 ope5323.exe
  3228 жþ´úÎÏÅ£.exe
  3656 0912-30.exe

Loads dropped DLL (2 IoCs)
Processes (pid, process):
  972 rundll32.exe
  3656 0912-30.exe

YARA rule matches: upx
  C:\Users\Admin\AppData\Local\Temp\ope5323.exe
  behavioral2/memory/1116-30-0x0000000000400000-0x000000000041C000-memory.dmp
  behavioral2/memory/1116-58-0x0000000000400000-0x000000000041C000-memory.dmp

YARA rule matches: vmprotect
  C:\Users\Admin\AppData\Local\Temp\жþ´úÎÏÅ£.exe
  behavioral2/memory/3228-48-0x0000000000400000-0x0000000000432000-memory.dmp
  behavioral2/memory/3228-60-0x0000000000400000-0x0000000000432000-memory.dmp

Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: 0912-30.exe
  File created: C:\autorun.inf
  File opened for modification: C:\autorun.inf
  File created: F:\autorun.inf
  File opened for modification: F:\autorun.inf

Drops file in System32 directory (1 IoCs)
Processes: 0912-30.exe
  File created: C:\Windows\SysWOW64\func.dll

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes (pid, process):
  3228 жþ´úÎÏÅ£.exe

Drops file in Windows directory (1 IoCs)
Processes: 0912-30.exe
  File created: C:\Windows\phpi.dll

Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
  3184 sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes (pid, target pid, process, target process):
  4480 3228 WerFault.exe жþ´úÎÏÅ£.exe

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes (pid, process):
  3280 ipconfig.exe

Kills process with taskkill (3 IoCs)
Processes (pid, process):
  1552 taskkill.exe
  1972 taskkill.exe
  4948 taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
  972 rundll32.exe (the same entry is reported 64 times)

Suspicious behavior: LoadsDriver (2 IoCs)
Processes (pid, process):
  656 (listed twice; no process name recorded)

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes (token, pid, process):
  Token: SeDebugPrivilege 1972 taskkill.exe
  Token: SeDebugPrivilege 1552 taskkill.exe
  Token: SeDebugPrivilege 4948 taskkill.exe
  Token: SeDebugPrivilege 972 rundll32.exe (the same entry is reported 6 times)

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid, process):
  2680 ope5285.exe (the same entry is reported 64 times)

Suspicious use of SetWindowsHookEx (9 IoCs)
Processes (pid, process):
  2680 ope5285.exe
  4368 ope5303.exe (reported 4 times)
  3228 жþ´úÎÏÅ£.exe (reported 4 times)

Suspicious use of WriteProcessMemory (57 IoCs)
Processes: 1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe, ope5323.exe, 0912-30.exe, cmd.exe (six instances)
Each write below is reported three times (pid, process -> target pid, target process); unique entries:
  372 1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe -> 2680 ope5285.exe
  372 1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe -> 4368 ope5303.exe
  372 1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe -> 1116 ope5323.exe
  1116 ope5323.exe -> 3228 жþ´úÎÏÅ£.exe
  1116 ope5323.exe -> 3656 0912-30.exe
  3656 0912-30.exe -> 4024 cmd.exe
  3656 0912-30.exe -> 4008 cmd.exe
  3656 0912-30.exe -> 2768 cmd.exe
  3656 0912-30.exe -> 4020 cmd.exe
  3656 0912-30.exe -> 4844 cmd.exe
  3656 0912-30.exe -> 5100 cmd.exe
  4024 cmd.exe -> 4796 cacls.exe
  4008 cmd.exe -> 1676 cacls.exe
  4844 cmd.exe -> 1552 taskkill.exe
  4020 cmd.exe -> 1972 taskkill.exe
  5100 cmd.exe -> 4948 taskkill.exe
  2768 cmd.exe -> 3184 sc.exe
  3656 0912-30.exe -> 972 rundll32.exe
  3656 0912-30.exe -> 3280 ipconfig.exe
Processes
(process tree; indentation shows the parent/child depth, each entry gives image path, command line, and matched signatures)

C:\Users\Admin\AppData\Local\Temp\1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ope5285.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ope5285.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\ope5303.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ope5303.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\ope5323.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ope5323.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\жþ´úÎÏÅ£.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\жþ´úÎÏÅ£.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1524
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\0912-30.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0912-30.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c cacls C:\Windows /e /p everyone:f
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cacls.exe
          Command line: cacls C:\Windows /e /p everyone:f

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cacls.exe
          Command line: cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c sc config ekrn start= disabled
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\sc.exe
          Command line: sc config ekrn start= disabled
          - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c taskkill /im ekrn.exe /f
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im ekrn.exe /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c taskkill /im egui.exe /f
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im egui.exe /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c taskkill /im ScanFrm.exe /f
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im ScanFrm.exe /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe func.dll, droqp
        - Drops file in Drivers directory
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /all
        - Gathers network information

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3228 -ip 3228
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\0912-30.exe
  Filesize: 90KB
  MD5: 9f039b4fdb361f6e714017dadbc33b31
  SHA1: 66188db5777bde28b7dd5c42a8d2b33525f6efee
  SHA256: 1c7573392dea90a478b55cd016a71b0860d6cf806c48aa3311515a485d2225ea
  SHA512: 89f2c5fbd97c2484a148732983a8da490c5e68cc39c7da858f7c6ba3fd36cae0d1091d076c040292db4a78fb0758d55905a7d4f85a7178712aedac6b1fc0d099

C:\Users\Admin\AppData\Local\Temp\ope5285.exe
  Filesize: 48KB
  MD5: 061ebda084967cfc3f4b7b82cdb2f53a
  SHA1: 6c1b07266e48c897f2f527eee6fb69c1deb15c3d
  SHA256: 523ab56abe84299312c4a9ae3f8f51ac2c94945b645ab7ce4b71ca70e53ac54a
  SHA512: 367ce84333e96793bd05433beac486742ce8dec64b4f523b5d801f17c5e73e525887ec517c24d1473cc02d6dc7b9e8916fca583d607640d345c1ac7a942727f2

C:\Users\Admin\AppData\Local\Temp\ope5303.exe
  Filesize: 13KB
  MD5: abad1b482c43c63f61b6c8339d28fe0b
  SHA1: 422ad639cc3a7e66b07cfef8d70f2c9ada696b6a
  SHA256: fce8ca5a4e9e2c4e4217e88c13409dd1dcc45fe21694bffc8a896c59dc569846
  SHA512: a8f9bab671b59eaf65bf40247e782a2378c08f187d71819c1648f3f3ddfcab15376e88f583477aa04aa755d0ca2146dab4241e5224883d6e364584139b00b59e

C:\Users\Admin\AppData\Local\Temp\ope5323.exe
  Filesize: 176KB
  MD5: a3aac54092a09c478d154887f17811d9
  SHA1: f557e12c1902ac1f4d4eb9ae97190b0900c1d757
  SHA256: 07a83cef4c0bf88e77e782a6b816266f1859260903ca1838cb49276cd66fbc57
  SHA512: 0ad74cd8bdf1e5d9f0bfd37a2f4b9830bffdf21dabdba9c4e04298d5098dd6046af8278b4320c4f17384de3bb7f84388589578177d35a99d1a633fa4ec2308a3

C:\Users\Admin\AppData\Local\Temp\жþ´úÎÏÅ£.exe
  Filesize: 124KB
  MD5: d0c97fa3759353b1dac28b4e8b4149c4
  SHA1: f58bb65145a51a2f8865cddc7b46f32f5978f4af
  SHA256: 19b127adc0794859711e12407ed9858a760808face340caea761750afaaf90e1
  SHA512: 5223dc7798a04c4673b46235e150bc4715728b50911935db28d52f6974f062882881ef1737364b6af48ef234749a4c81c6061c350ad0469cc7e291db881fccb5

C:\Windows\SysWOW64\func.dll
  Filesize: 37KB
  MD5: 6cd118587034689dfa6fe497415001a6
  SHA1: 9dbcc3ac6e25201084abebc0e75109b364164102
  SHA256: 9afa20447f2b2ebdd08d7372f4b31e20952fdbfa39088d8108769e32c86ee4e4
  SHA512: 65330eb67cf56566202b25d42e890770ded5460c5f8dd4788d3816d87b728c40b9d0bd341bf2e4fb3bacb5519d593ce34fc0140eae6d4cce35de1bea59b67fa4

C:\Windows\phpi.dll
  Filesize: 44KB
  MD5: 4adfbb290252797fc156fe443a17dba4
  SHA1: 5a95598777a4751596e95dd04f9318fd84da8026
  SHA256: c602dfdd436d53f4776ad3723737c5f8430a314f24ac124e33421388b58a4739
  SHA512: 54570fd0f2385bb0cf96536d5dd0c7f62a82b82853c08d2b2a86859a4365c5de688ee8bc3501838ed87692e059f3b9972b0f810adc32d0806ff13db2caf56a2e

Memory dumps (resource, filesize):
  memory/372-0-0x0000000000400000-0x0000000000444000-memory.dmp: 272KB
  memory/372-33-0x0000000000400000-0x0000000000444000-memory.dmp: 272KB
  memory/1116-30-0x0000000000400000-0x000000000041C000-memory.dmp: 112KB
  memory/1116-58-0x0000000000400000-0x000000000041C000-memory.dmp: 112KB
  memory/3228-48-0x0000000000400000-0x0000000000432000-memory.dmp: 200KB
  memory/3228-60-0x0000000000400000-0x0000000000432000-memory.dmp: 200KB