Analysis
max time kernel: 138s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 23:05
Behavioral task behavioral1: sample 1dcad7c8f56207b2c423353f0c328755_JaffaCakes118.exe, resource win7-20240508-en
Behavioral task behavioral2: sample 1dcad7c8f56207b2c423353f0c328755_JaffaCakes118.exe, resource win10v2004-20240611-en
General
Target: 1dcad7c8f56207b2c423353f0c328755_JaffaCakes118.exe
Size: 452KB
MD5: 1dcad7c8f56207b2c423353f0c328755
SHA1: d7e3924ca83e1a2355f3f1e2816dfd417892afc2
SHA256: 4e6531aa7f8fdb4c21f0559b2b7951afbc2624e9a69a0588c1633508a173ab38
SHA512: af0deb1fd5cbbf2a925143d87b9d3acb7feec6735ec13d6d7be812af9268419d02080318ed1f48a4ad8f301c8f8f82496426abe2698c7dba3bff6fe248afc285
SSDEEP: 6144:7btQmb25Zh18hqJbDqSB7Lvq2XsjYiVmOf7Yp4jOa9UpE:7mmCVRtPvq2+d/
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process 1dcad7c8f56207b2c423353f0c328755_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
Process temp.exe (PID 624)

Drops file in System32 directory (4 IoCs)
Process sysprep.exe: File opened for modification
  C:\Windows\system32\sysprep\Panther\setupact.log
  C:\Windows\system32\sysprep\Panther\setuperr.log
  C:\Windows\system32\sysprep\Panther\diagerr.xml
  C:\Windows\system32\sysprep\Panther\diagwrn.xml

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Process 1dcad7c8f56207b2c423353f0c328755_JaffaCakes118.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process temp.exe (PID 624), 2 entries

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Process Explorer.EXE (PID 3608): Token SeShutdownPrivilege (5 entries), Token SeCreatePagefilePrivilege (5 entries)

Suspicious use of WriteProcessMemory (24 IoCs)
PID 3620 (1dcad7c8f56207b2c423353f0c328755_JaffaCakes118.exe) wrote to memory of PID 624 (temp.exe): 2 entries
PID 624 (temp.exe) wrote to memory of PID 3608 (Explorer.EXE): 20 entries
PID 3608 (Explorer.EXE) wrote to memory of PID 1576 (sysprep.exe): 2 entries
Processes (indentation shows the parent/child tree)

C:\Windows\Explorer.EXE
  Command line: "C:\Windows\Explorer.EXE"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1dcad7c8f56207b2c423353f0c328755_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1dcad7c8f56207b2c423353f0c328755_JaffaCakes118.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\temp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

  C:\Windows\system32\sysprep\sysprep.exe
    Command line: "C:\Windows\system32\sysprep\sysprep.exe" "C:\Users\Admin\AppData\Local\Temp\net.exe" "C:\Windows\system32" ""
    - Drops file in System32 directory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize: 86KB
MD5: 425609a2c35081730982a01d72a76cbe
SHA1: 64f95fe985a7ef7ee4f396e36279aa31498ac3cc
SHA256: e03145fefe7fef82c2a476d7dec03305d7da79cd3c8fe1578177580175febbd3
SHA512: 6ede1415ac51d588a71bfb5697a599eb777e9530240b7a3524626d2a230bb51017c9b3d05923c5cb41800cca9818f2d99484310390a0425ef8e48984c4c9cfd4

memory/3608-62-0x0000000002B00000-0x0000000002B01000-memory.dmp
Filesize: 4KB

memory/3608-61-0x00000000029F0000-0x00000000029F1000-memory.dmp
Filesize: 4KB