Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 11:05
Static task: static1
Behavioral task: behavioral1
  Sample: 1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe
Size: 1.0MB
MD5: 1f18839709ec59ce1b42254d69810bdc
SHA1: b4c4dd3003469a6f30a749cdadbca651684e95aa
SHA256: 57ea44e7ea896880c5b5326a00cf6527c77ad7c6380439163e11212613127d93
SHA512: 2ddf8a10c0aee436f0141139285f1c837b08ebae6d9022791680c0e528eaedaed1946335e37fb3418c9b37e8ba8ea8f46484e292989eba5fbc795eb4a732db84
SSDEEP: 24576:GiysXgXVrDbWEQeboNgj2ERfspk7MheYmv2LYmv2:VjXgXVHbFvkDo0pk7M+vev
Malware Config
Extracted
Family: latentbot
C2: slavezbyjay.zapto.org (dynamic-DNS host taken from the extracted configuration)
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe: key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (2 IoCs)
Processes:
- PID 3688 ǢƐǢǍƴ.exe
- PID 4660 svchost.exe (the copy dropped to C:\Users\Admin\AppData\Local\Temp\svchost.exe, not the System32 binary; see the process tree below)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- ǢƐǢǍƴ.exe: set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MsMpEng.exe"
  The value name and file name imitate Microsoft Security Essentials and its MsMpEng.exe engine process, but the path is the user-writable %TEMP% directory.

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1524 1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe set thread context of PID 4660 svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes:
- PID 1524 1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe: SeDebugPrivilege
- PID 4660 svchost.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36 (not resolved to names by the sandbox)
  A process enabling essentially every privilege present in its token in one pass is itself a signal, independent of which privileges it actually uses.

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 4660 svchost.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
- PID 1524 (1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe) wrote to memory of PID 1448 (csc.exe): 3 events
- PID 1448 (csc.exe) wrote to memory of PID 4844 (cvtres.exe): 3 events
- PID 1524 (1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe) wrote to memory of PID 3688 (ǢƐǢǍƴ.exe): 3 events
- PID 1524 (1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe) wrote to memory of PID 4660 (svchost.exe): 14 events
  The three-event bursts into csc.exe, cvtres.exe and ǢƐǢǍƴ.exe are consistent with ordinary parent-to-child writes at process creation; the 14 writes into svchost.exe, combined with the SetThreadContext call on the same process, are the write-then-redirect sequence used for process hollowing.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe (PID 1524)
    command line: "C:\Users\Admin\AppData\Local\Temp\1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1448)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\usdo7qnn.cmdline"
      - Suspicious use of WriteProcessMemory
      The .NET Framework 2.0 C# compiler is invoked on a source file generated at run time (usdo7qnn.0.cs and its .cmdline response file are listed under Downloads); cvtres.exe is the resource converter csc.exe spawns itself.
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4844)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4353.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4352.tmp"
  [2] C:\Users\Admin\AppData\Local\Temp\ǢƐǢǍƴ.exe (PID 3688)
      command line: "C:\Users\Admin\AppData\Local\Temp\ǢƐǢǍƴ.exe"
      - Executes dropped EXE
      - Adds Run key to start application
  [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 4660)
      command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
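The signatures and process tree above are what an analyst reads to decide that this is a dropper plus hollowed host rather than a .NET application compiling a helper. The script below is an added example, not code from the sandbox, the report page or the analysed sample: it turns that reading into explicit rules and runs them over an event list constructed by hand from the report's tables. The Event schema, the rule names and the lists of user-writable directories, borrowed binary names and high-value privileges are assumptions of the example. The point it makes that the tables alone do not is the negative case: the WriteProcessMemory bursts into csc.exe, cvtres.exe and ǢƐǢǍƴ.exe produce no finding because no SetThreadContext follows them, while the 14 writes into the dropped svchost.exe plus the SetThreadContext on PID 4660 do.

```python
"""Rule-based triage of sandbox process and registry events.

Added example for this report: not code from the sandbox, the report page, or
the analysed sample. The Event fields, rule names and the path/privilege lists
are assumptions of this example; REPORT_EVENTS is constructed by hand from the
signature tables in the report.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: directories an ordinary user can write to. Extend per environment.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
# Windows binary names that dropped files commonly borrow (assumed short list).
SYSTEM_BINARY_NAMES = {"svchost.exe", "msmpeng.exe", "csrss.exe", "lsass.exe"}
# Privileges worth calling out when a user-land process enables them.
HIGH_VALUE_PRIVS = {"SeDebugPrivilege", "SeLoadDriverPrivilege",
                    "SeTakeOwnershipPrivilege", "SeRestorePrivilege"}


@dataclass
class Event:
    kind: str              # create | write_memory | set_thread_context | reg_set | adjust_token
    pid: int
    image: str
    target_pid: int = 0    # write_memory / set_thread_context: the process acted on
    target_image: str = ""
    key: str = ""          # reg_set: registry key path
    value: str = ""        # reg_set: value data
    priv: str = ""         # adjust_token: privilege name


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in USER_WRITABLE)


def analyse(events):
    """Return findings as dicts with 'rule', 'pid' and 'detail' (plus rule-specific keys)."""
    findings = []
    writes = defaultdict(int)   # (src_pid, dst_pid) -> number of WriteProcessMemory calls
    ctx_pairs = set()           # (src_pid, dst_pid) where src called SetThreadContext on dst
    privs = defaultdict(set)    # pid -> privileges enabled via AdjustTokenPrivileges
    images = {}                 # pid -> image path

    for e in events:
        images.setdefault(e.pid, e.image)
        if e.target_pid:
            images.setdefault(e.target_pid, e.target_image)
        if e.kind == "create":
            name = e.image.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARY_NAMES and in_user_writable(e.image):
                findings.append({"rule": "masquerade", "pid": e.pid,
                                 "detail": f"{name} started from user-writable path {e.image}"})
        elif e.kind == "write_memory":
            writes[(e.pid, e.target_pid)] += 1
        elif e.kind == "set_thread_context":
            ctx_pairs.add((e.pid, e.target_pid))
        elif e.kind == "reg_set":
            if "\\currentversion\\run\\" in e.key.lower() and in_user_writable(e.value):
                findings.append({"rule": "run_key_user_writable", "pid": e.pid,
                                 "detail": f"{e.key} -> {e.value}"})
        elif e.kind == "adjust_token":
            privs[e.pid].add(e.priv)

    # Writes into another process followed by SetThreadContext on it is the
    # hollowing/injection sequence. Writes alone are not flagged: a parent
    # touches a new child's memory during normal process creation (csc.exe and
    # cvtres.exe below), and that must not page anyone.
    for src, dst in sorted(ctx_pairs):
        n = writes.get((src, dst), 0)
        if n:
            findings.append({"rule": "process_hollowing", "pid": src, "target_pid": dst,
                             "writes": n,
                             "detail": f"{images.get(src)} wrote {n}x into {images.get(dst)} "
                                       f"(pid {dst}) and then reset its thread context"})
    for pid, enabled in sorted(privs.items()):
        hot = sorted(enabled & HIGH_VALUE_PRIVS)
        if hot:
            findings.append({"rule": "high_value_privilege", "pid": pid, "privs": hot,
                             "detail": f"{images.get(pid)} enabled {', '.join(hot)}"})
    return findings


TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TEMP + "1f18839709ec59ce1b42254d69810bdc_JaffaCakes118.exe"
CSC = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe"
CVTRES = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe"
DROPPER = TEMP + "ǢƐǢǍƴ.exe"
FAKE_SVCHOST = TEMP + "svchost.exe"
RUN_KEY = ("\\REGISTRY\\USER\\S-1-5-21-2447855248-390457009-3660902674-1000"
           "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Essentials")

# Constructed from the report's signature tables (PIDs and event counts as listed there).
REPORT_EVENTS = (
    [Event("create", 1524, SAMPLE),
     Event("adjust_token", 1524, SAMPLE, priv="SeDebugPrivilege")]
    + [Event("write_memory", 1524, SAMPLE, 1448, CSC)] * 3
    + [Event("write_memory", 1448, CSC, 4844, CVTRES)] * 3
    + [Event("write_memory", 1524, SAMPLE, 3688, DROPPER)] * 3
    + [Event("create", 3688, DROPPER),
       Event("reg_set", 3688, DROPPER, key=RUN_KEY, value=TEMP + "MsMpEng.exe"),
       Event("create", 4660, FAKE_SVCHOST)]
    + [Event("write_memory", 1524, SAMPLE, 4660, FAKE_SVCHOST)] * 14
    + [Event("set_thread_context", 1524, SAMPLE, 4660, FAKE_SVCHOST)]
    + [Event("adjust_token", 4660, FAKE_SVCHOST, priv=p) for p in (
        "SeIncreaseQuotaPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
        "SeDebugPrivilege", "SeChangeNotifyPrivilege")]
)

if __name__ == "__main__":
    for f in analyse(REPORT_EVENTS):
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}")
```

Run against REPORT_EVENTS this yields five findings: the Run value pointing into %TEMP% (PID 3688), svchost.exe started from %TEMP% (PID 4660), the hollowing chain from PID 1524 into PID 4660 with 14 writes, and high-value privileges enabled by PIDs 1524 and 4660. The hollowing rule keys on the pair (writer, SetThreadContext target) rather than on write counts alone, which is the check that keeps a compiler spawning its resource converter out of the alert queue.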
Downloads
C:\Users\Admin\AppData\Local\Temp\RES4353.tmp
  Filesize: 1KB
  MD5: 928c160fb48cb77353a62cb64bd7bb42
  SHA1: 63df8d4bd0a5a19b2e9224d60bb459066b1fea79
  SHA256: c1cf5f6de7948473f9e5f111ed54410ddaac70e54727f38b94a931646adc8828
  SHA512: 2aa6fa38771511cef6acf44c36f2acd66474fda6c262ce8dbdfb7b39cd84e3b1e4870ae19d2f88ace6373463554d8a86b401abb8efb3d702f1f5b1bbeb1a9205

C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 34KB
  MD5: e118330b4629b12368d91b9df6488be0
  SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
  SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
  SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

C:\Users\Admin\AppData\Local\Temp\ǢƐǢǍƴ.exe
  Filesize: 4KB
  MD5: 90a10d96cb223d406f3eddae750d41ca
  SHA1: 89fe3f8fde4c60be4dc12cc28556906d7fb695ec
  SHA256: 3952836b6255b5445a8f110d76bb242ad30480c2ee7e70b3501c00985b79e2f3
  SHA512: 931914319bef79bd540a565d82b82a541d328a85468cfdbb20a1d493f86cd20e56e824555719d605212a6cad7a23b90fccdb5cd03c21946e988d7a19b039034f

\??\c:\Users\Admin\AppData\Local\Temp\CSC4352.tmp
  Filesize: 636B
  MD5: 1ed09b8d8947d389be1439030754d340
  SHA1: 2b7836da28b9148262c55ec9f57eae5776bf48e6
  SHA256: 69e73c7d2b18decef75a50cdd4a2727494113429a812165fb45593df92056254
  SHA512: 61ab17f3661f6e222bc81139b55c9a9cf8f2a9802c188a6c2b6e7b7ac6625b732008082ffcc317881584b69b43d87fb02db7108944bc3ce9b0c2f3b083013312

\??\c:\Users\Admin\AppData\Local\Temp\usdo7qnn.0.cs
  Filesize: 1KB
  MD5: e1c06cbe9e8d137d0a90f16bef0d6fef
  SHA1: fbf77e7a3c6c69967e3378ff31544e0af0b8b9af
  SHA256: 6c10b5abbab4f514b740a3345d64fea27a78e63a9e33eac4e6658bf3cdbf24ec
  SHA512: 51c39e2525d82ec3376f1edc282f28600aedb601d68bd680d8a20524e6452259ae01777085f8a7701afef33ac69e23a70e15ee96169dcc80675974f3fbe07eb5

\??\c:\Users\Admin\AppData\Local\Temp\usdo7qnn.cmdline
  Filesize: 263B
  MD5: 209e6ef40587d8488caefa15f1372c9f
  SHA1: e701f6766d9cf207ea07a3e1012357cf986632e2
  SHA256: 54bddeb03e684c456656a4f7f45ff23304d4b9faa4d47538d247652cf5a1de5d
  SHA512: 1016fcec7ef905bc9644e998fea8e5af917d27502a7f3264aa961313b8590ae723cf11539e5d1b28078e879dc3e35090e66b99b5ee974eaefef40eaf18cfbf6c
Memory dumps (name, size):
memory/1448-15-0x0000000075070000-0x0000000075621000-memory.dmp (5.7MB)
memory/1448-10-0x0000000075070000-0x0000000075621000-memory.dmp (5.7MB)
memory/1524-38-0x0000000075070000-0x0000000075621000-memory.dmp (5.7MB)
memory/1524-1-0x0000000075070000-0x0000000075621000-memory.dmp (5.7MB)
memory/1524-2-0x0000000075070000-0x0000000075621000-memory.dmp (5.7MB)
memory/1524-0-0x0000000075072000-0x0000000075073000-memory.dmp (4KB)
memory/3688-21-0x0000000075070000-0x0000000075621000-memory.dmp (5.7MB)
memory/3688-31-0x0000000075070000-0x0000000075621000-memory.dmp (5.7MB)
memory/3688-35-0x0000000075070000-0x0000000075621000-memory.dmp (5.7MB)
memory/4660-23-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-43-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-29-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-32-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-36-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-33-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-34-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-39-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-40-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-41-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-42-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-27-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-44-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-45-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-46-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-47-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-48-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-49-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-50-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-51-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)
memory/4660-52-0x0000000000400000-0x00000000004AF000-memory.dmp (700KB)