Analysis
- max time kernel: 137s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 12:42
Behavioral task
- behavioral1
  - Sample: 1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe
  - Resource: win7-20240508-en
General
- Target: 1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe
- Size: 719KB
- MD5: 1b579f2e37e93b0398307d528f42d513
- SHA1: b7ec5a39c26ffc01befd58944e4f8f3569eec5d0
- SHA256: 6c5d5c3735db1e07487f9aa58f316f3cdea65b36895c5c22b4d50e972419ec91
- SHA512: b2a910269d3da8cc68aa4d28d351f919e08d59f0fbcd0080507e9474de948364fc4dd0aa70bc422b08a9ba754bbd04fdaab8650ad2e30be435a85e2412d05f1f
- SSDEEP: 12288:u8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1r/:7UKoN0bUxgGa/pfBHDb+y1L
Malware Config
Signatures
- Disables RegEdit via registry modification (2 IoCs)
  Processes: 1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe, iexplore.exe
  - Set value (int): \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: 1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: iexplore.exe)
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe, attrib.exe
  - PID 2916 attrib.exe
  - PID 4812 attrib.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation (process: 1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe)
- Matches YARA rule upx (UPX-packed image in memory; 2 IoCs)
  Processes:
  - behavioral2/memory/1200-0-0x0000000000400000-0x00000000004B6000-memory.dmp (rule: upx)
  - behavioral2/memory/1200-3-0x0000000000400000-0x00000000004B6000-memory.dmp (rule: upx)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe
  - PID 1200 (1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe) set thread context of PID 2564 (iexplore.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe, iexplore.exe
  - PID 1200 (1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privileges reported by number only: 33, 34, 35, 36
  - PID 2564 (iexplore.exe), the same 24 tokens as PID 1200
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe, cmd.exe, cmd.exe
  - PID 1200 (1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe) wrote to memory of PID 4440 (cmd.exe), 3 times
  - PID 1200 (1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe) wrote to memory of PID 4816 (cmd.exe), 3 times
  - PID 1200 (1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe) wrote to memory of PID 2564 (iexplore.exe), 5 times
  - PID 4440 (cmd.exe) wrote to memory of PID 2916 (attrib.exe), 3 times
  - PID 4816 (cmd.exe) wrote to memory of PID 4812 (attrib.exe), 3 times
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  - PID 2916 attrib.exe
  - PID 4812 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe (PID 1200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe"
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4440)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 2916)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 4816)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 4812)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2564)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - Disables RegEdit via registry modification
    - Suspicious use of AdjustPrivilegeToken

PIDs in the tree are taken from the signature tables above. The command lines name C:\Windows\System32\cmd.exe while the executed images sit under C:\Windows\SysWOW64 because the sample runs as a 32-bit process (its children are the 32-bit cmd.exe, attrib.exe and the Program Files (x86) Internet Explorer), so WOW64 file-system redirection resolves System32 to SysWOW64 for it. The two attrib calls mark the sample's own file and the Temp directory that holds it as system+hidden. iexplore.exe is started with no arguments, written to five times and then retargeted with SetThreadContext by PID 1200, a sequence consistent with process hollowing; the second DisableRegistryTools write, attributed to iexplore.exe, is therefore best read as the sample's code running inside that process rather than as Internet Explorer's own behaviour.
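The signatures above record what the sandbox saw; the script below is an added example, not part of this report or of the sandbox's own signature engine, of how an analyst would turn those observations into detection rules that run over an event stream. The event records are constructed by hand from the signature tables and process tree on this page, and their field names (kind, pid, ppid, image, cmdline, key, value, data, target) are this script's assumption, not any sandbox's export format. It goes a little beyond the page in two ways: the self-hiding rule walks the whole ancestor chain, so an attrib reached through any number of cmd.exe hops is still tied back to the binary being hidden, and a policy write made by a hollowed process is re-attributed to the process that injected into it.

```python
import re

# Events constructed by hand from the report's signature tables and process tree.
# The record shape (kind/pid/ppid/image/cmdline/key/value/data/target) is this script's assumption.
SID = "S-1-5-21-2080292272-204036150-2159171770-1000"
POLICY_KEY = r"\REGISTRY\USER\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" % SID
GEO_KEY = r"\REGISTRY\USER\%s\Control Panel\International\Geo" % SID
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\1b579f2e37e93b0398307d528f42d513_JaffaCakes118.exe"
CMD, ATTRIB = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\attrib.exe"
IE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
EVENTS = [
    {"kind": "process", "pid": 1200, "ppid": 0, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"kind": "regset", "pid": 1200, "key": POLICY_KEY, "value": "DisableRegistryTools", "data": 1},
    {"kind": "regquery", "pid": 1200, "key": GEO_KEY, "value": "Nation"},
    {"kind": "process", "pid": 4440, "ppid": 1200, "image": CMD,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k attrib "%s" +s +h' % SAMPLE},
    {"kind": "process", "pid": 2916, "ppid": 4440, "image": ATTRIB, "cmdline": 'attrib "%s" +s +h' % SAMPLE},
    {"kind": "process", "pid": 4816, "ppid": 1200, "image": CMD,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k attrib "%s" +s +h' % TEMP},
    {"kind": "process", "pid": 4812, "ppid": 4816, "image": ATTRIB, "cmdline": 'attrib "%s" +s +h' % TEMP},
    {"kind": "process", "pid": 2564, "ppid": 1200, "image": IE, "cmdline": '"%s"' % IE},
    {"kind": "writemem", "pid": 1200, "target": 2564},
    {"kind": "setthreadcontext", "pid": 1200, "target": 2564},
    {"kind": "regset", "pid": 2564, "key": POLICY_KEY, "value": "DisableRegistryTools", "data": 1},
]

def _procs(events):
    """pid -> process-creation record, in creation order."""
    return {e["pid"]: e for e in events if e["kind"] == "process"}

def _ancestors(procs, pid):
    """Parent, grandparent, ... of pid; stops at an unknown or already-visited pid."""
    seen = {pid}
    pid = procs[pid]["ppid"]
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]

def disables_regedit(events):
    r"""PIDs that wrote ...\Policies\System\DisableRegistryTools = 1 in the user hive."""
    return sorted(e["pid"] for e in events if e["kind"] == "regset" and e["data"] == 1
                  and e["key"].lower().endswith(r"\policies\system") and e["value"] == "DisableRegistryTools")

def geofence_lookup(events):
    r"""PIDs that read Control Panel\International\Geo\Nation, the configured country code."""
    return sorted({e["pid"] for e in events if e["kind"] == "regquery" and e["value"].lower() == "nation"
                   and e["key"].lower().endswith(r"\control panel\international\geo")})

def attrib_target(cmdline):
    """Path operand of an attrib command line: the quoted token, else the first non-switch token."""
    m = re.search(r'"([^"]+)"', cmdline)
    if m:
        return m.group(1)
    return next((t for t in cmdline.split()[1:] if t[0] not in "+-/"), None)

def self_hiding(events):
    """attrib +h whose target is an ancestor's own image, or the directory holding that image.
    Walks the full ancestor chain, so any number of cmd.exe hops in between is fine."""
    procs, hits = _procs(events), []
    for p in procs.values():
        if not p["image"].lower().endswith(r"\attrib.exe") or "+h" not in p["cmdline"].lower():
            continue
        target = attrib_target(p["cmdline"])
        if not target:
            continue
        t = target.lower().rstrip("\\")
        for anc in _ancestors(procs, p["pid"]):
            img = anc["image"].lower()
            if img == t:
                hits.append((p["pid"], anc["pid"], "own binary"))
            elif img.startswith(t + "\\"):
                hits.append((p["pid"], anc["pid"], "directory holding own binary"))
    return hits

def hollowing_candidates(events):
    """A cross-process write followed by SetThreadContext into a child running a different image."""
    procs = _procs(events)
    written = {(e["pid"], e["target"]) for e in events if e["kind"] == "writemem"}
    hits = []
    for e in events:
        if e["kind"] != "setthreadcontext":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target"])
        if (src and dst and dst["ppid"] == src["pid"] and (src["pid"], dst["pid"]) in written
                and dst["image"].lower() != src["image"].lower()):
            hits.append((src["pid"], dst["pid"], dst["image"]))
    return hits

def tainted_policy_writes(events):
    """Regedit-disabling writes made by a hollowed process, re-attributed to its injector."""
    injector_of = {dst: src for src, dst, _ in hollowing_candidates(events)}
    return [(pid, injector_of[pid]) for pid in disables_regedit(events) if pid in injector_of]

if __name__ == "__main__":
    for rule in (disables_regedit, geofence_lookup, self_hiding, hollowing_candidates, tainted_policy_writes):
        print(rule.__name__, rule(EVENTS))
```

Run as a script it prints one line per rule. The hollowing rule deliberately requires the write and the SetThreadContext call together: a debugger or a legitimate loader can do either alone, and only the pair against a freshly created child with a different image is the pattern worth alerting on. Mapping the report's own tree onto these rules, the write to DisableRegistryTools by iexplore.exe is flagged as belonging to PID 1200, which is the attribution an analyst wants when the host process is a signed Microsoft binary.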