Analysis
- Max time kernel: 148s
- Max time network: 146s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240508-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 02-07-2024 23:55
Static task: static1
Behavioral task: behavioral1
- Sample: 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
- Size: 351KB
- MD5: 20582340f93fdefaaeb114ffd7f659e2
- SHA1: 2b298bc579a805f020d0f8c2a4ec8dafada61417
- SHA256: e37938245442bf4c1114da250f93cb5cc2fea5c35e50883b819f3c8afc4ab363
- SHA512: 31bd2f9061d6026f9cd8ada6f57e07a4c1c4db7ee7ff9bb279cd6659b848f23917e264cf65af31fb3ce5f592a2a6358b931341d0e660f9f82c525379834bbb5d
- SSDEEP: 6144:kOzzBxDMAYloj1/L8YEAQwgG5hOm3Y/eUObRPlV:VvBxDMAzjN4YEAFMmo/AbRP
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (PID 4452)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Process: UpdateGoogle.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b11d4cad7102d66f494861052a39573.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b11d4cad7102d66f494861052a39573.exe
- Executes dropped EXE (2 IoCs)
  Processes: UpdateGoogle.exe (PID 4932), UpdateGoogle.exe (PID 2552)
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  YARA rule agile_net matched resource: behavioral2/memory/432-6-0x0000000006DD0000-0x0000000006DF8000-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: UpdateGoogle.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b11d4cad7102d66f494861052a39573 = "\"C:\\Users\\Admin\\AppData\\Roaming\\UpdateGoogle.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4b11d4cad7102d66f494861052a39573 = "\"C:\\Users\\Admin\\AppData\\Roaming\\UpdateGoogle.exe\" .."
- Suspicious use of SetThreadContext (2 IoCs)
  PID 432 (20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe) set thread context of PID 1860 (20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe)
  PID 4932 (UpdateGoogle.exe) set thread context of PID 2552 (UpdateGoogle.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Process: netsh.exe
  Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  PID 432 (20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe): 2 entries
  PID 4932 (UpdateGoogle.exe): 2 entries
  PID 2552 (UpdateGoogle.exe): 23 entries
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 432 (20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe)
  Token SeDebugPrivilege: PID 4932 (UpdateGoogle.exe)
  Token SeDebugPrivilege: PID 2552 (UpdateGoogle.exe)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe (PID 1860), UpdateGoogle.exe (PID 2552)
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 432 (20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe) wrote to memory of PID 1860 (20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe): 8 entries
  PID 1860 (20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe) wrote to memory of PID 4932 (UpdateGoogle.exe): 3 entries
  PID 4932 (UpdateGoogle.exe) wrote to memory of PID 2552 (UpdateGoogle.exe): 8 entries
  PID 2552 (UpdateGoogle.exe) wrote to memory of PID 4452 (netsh.exe): 3 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe
      Command line: "C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe
        Command line: "C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe" "UpdateGoogle.exe" ENABLE
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe.log
  Filesize: 1KB
  MD5: 8c199513f790ccc3d3fd67afc767a186
  SHA1: b0bd5e13f9644f1cd15f80f154ac7b4af6e19a8c
  SHA256: 765a41772698b63bd9ab76b9ddf393271bd4a27f122b481a3bdd84977fdeaf6e
  SHA512: 1b7217845ce9606fdcecd2d262a7d45f70b6920cd9ac3cd26dab6a05cf3104908db1afb9934383ffad79d7beaf9632005624e6699f16913d0cdd3edc13ee13fe
- C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe
  Filesize: 351KB
  MD5: 20582340f93fdefaaeb114ffd7f659e2
  SHA1: 2b298bc579a805f020d0f8c2a4ec8dafada61417
  SHA256: e37938245442bf4c1114da250f93cb5cc2fea5c35e50883b819f3c8afc4ab363
  SHA512: 31bd2f9061d6026f9cd8ada6f57e07a4c1c4db7ee7ff9bb279cd6659b848f23917e264cf65af31fb3ce5f592a2a6358b931341d0e660f9f82c525379834bbb5d
Memory dumps (resource, filesize):
- memory/432-10-0x00000000076F0000-0x0000000007704000-memory.dmp: 80KB
- memory/432-11-0x0000000009CE0000-0x0000000009CE6000-memory.dmp: 24KB
- memory/432-4-0x00000000059D0000-0x0000000005A6C000-memory.dmp: 624KB
- memory/432-5-0x0000000074860000-0x0000000075010000-memory.dmp: 7.7MB
- memory/432-6-0x0000000006DD0000-0x0000000006DF8000-memory.dmp: 160KB
- memory/432-7-0x0000000006E80000-0x0000000006EE6000-memory.dmp: 408KB
- memory/432-8-0x0000000006EF0000-0x0000000006F12000-memory.dmp: 136KB
- memory/432-9-0x0000000074860000-0x0000000075010000-memory.dmp: 7.7MB
- memory/432-0-0x000000007486E000-0x000000007486F000-memory.dmp: 4KB
- memory/432-3-0x0000000005930000-0x00000000059C2000-memory.dmp: 584KB
- memory/432-1-0x0000000000EA0000-0x0000000000EFE000-memory.dmp: 376KB
- memory/432-15-0x0000000074860000-0x0000000075010000-memory.dmp: 7.7MB
- memory/432-2-0x0000000005E40000-0x00000000063E4000-memory.dmp: 5.6MB
- memory/1860-16-0x0000000074860000-0x0000000075010000-memory.dmp: 7.7MB
- memory/1860-17-0x0000000074860000-0x0000000075010000-memory.dmp: 7.7MB
- memory/1860-12-0x0000000000400000-0x000000000041C000-memory.dmp: 112KB
- memory/1860-29-0x0000000074860000-0x0000000075010000-memory.dmp: 7.7MB
- memory/4932-30-0x0000000074860000-0x0000000075010000-memory.dmp: 7.7MB
- memory/4932-35-0x0000000074860000-0x0000000075010000-memory.dmp: 7.7MB