Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 11:44
Static task: static1

Behavioral task: behavioral1
  Sample: 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General

Target: 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
Size: 630KB
MD5: 1f36ae9c549463f85413f1f79c0c5886
SHA1: d4c413853c03dd17acaada4c1d46195e57cb9017
SHA256: 351b67cd53a80350ea7d34f069e85a2e4cb4d8050ef00f1e4a994f04326c78af
SHA512: e54ac588bcba670fe0d3dbbf21768cfa2c1af799c4fc9d2f16d01efbb0697fbf63eaa7ae16ac26e1ef31a1cb247eb6ce63f923dab0ab0d9efe9d3db20852b76c
SSDEEP: 12288:v5kJ7Mj7pvwIQRdVoZ9NVlfndzfiX6gIGPQG+U:v5C4jVvW89N7fndzfpgFQG+
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation
  process: 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4824-10-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-13-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-12-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-14-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-17-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-16-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-23-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-25-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-30-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4212-39-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-43-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-45-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
  behavioral2/memory/4824-50-0x0000000000400000-0x00000000004EB000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jdx = "C:\\Users\\Admin\\AppData\\Roaming\\jdx.exe"
  process: WScript.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                          pid   process                                              target process
  PID 1388 set thread context of 4824  1388  1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe  csc.exe
  PID 1388 set thread context of 4212  1388  1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe  csc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
Processes:
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings
  process: 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (37 IoCs)
Processes:
  pid   process
  1388  1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe  (37 identical entries)
Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes:
  pid 1388, 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe:
    Token: SeDebugPrivilege
  pid 4824, csc.exe:
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
           SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
           SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
           SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
           SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 4212, csc.exe:
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
           SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
           SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
           SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
           SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  description                       pid   process                                              target process
  PID 1388 wrote to memory of 1700  1388  1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe  cmd.exe      (3 entries)
  PID 1388 wrote to memory of 1160  1388  1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe  WScript.exe  (3 entries)
  PID 1388 wrote to memory of 4824  1388  1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe  csc.exe      (8 entries)
  PID 1388 wrote to memory of 4212  1388  1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe  csc.exe      (8 entries)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C cd C:\Users\Admin\AppData\Roaming\ &&ren *.zgy *.exe && exit

  Depth 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs"
    - Adds Run key to start application

  Depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs
  Filesize: 429B
  MD5: d4d3eb4e97c7387695972b24915e7530
  SHA1: 087ba0cdd68b4cd6bae40b81935c0d273a1a97bd
  SHA256: f5b3191cb17353ca70f772b6208d26d04ba18076a709c20990836f75ee27a638
  SHA512: a9709a5552d7013fe28bfc1d3dc8479108377a14c1b131390747a6a80e25def6161f79fa8a9bd2179ee70f9dd1a212d940a28e3bd8dbd5165b552a191e1de8ac

C:\Users\Admin\AppData\Roaming\jdx.zgy
  Filesize: 630KB
  MD5: 1f36ae9c549463f85413f1f79c0c5886
  SHA1: d4c413853c03dd17acaada4c1d46195e57cb9017
  SHA256: 351b67cd53a80350ea7d34f069e85a2e4cb4d8050ef00f1e4a994f04326c78af
  SHA512: e54ac588bcba670fe0d3dbbf21768cfa2c1af799c4fc9d2f16d01efbb0697fbf63eaa7ae16ac26e1ef31a1cb247eb6ce63f923dab0ab0d9efe9d3db20852b76c

Memory dumps:
  resource                                                          Filesize
  memory/1388-29-0x0000000001A70000-0x0000000001A80000-memory.dmp  64KB
  memory/1388-1-0x0000000075280000-0x0000000075831000-memory.dmp   5.7MB
  memory/1388-22-0x0000000075280000-0x0000000075831000-memory.dmp  5.7MB
  memory/1388-21-0x0000000075282000-0x0000000075283000-memory.dmp  4KB
  memory/1388-38-0x0000000075280000-0x0000000075831000-memory.dmp  5.7MB
  memory/1388-0-0x0000000075282000-0x0000000075283000-memory.dmp   4KB
  memory/1388-28-0x0000000001A70000-0x0000000001A80000-memory.dmp  64KB
  memory/1388-18-0x0000000001A70000-0x0000000001A80000-memory.dmp  64KB
  memory/1388-27-0x0000000001A70000-0x0000000001A80000-memory.dmp  64KB
  memory/1388-24-0x0000000075280000-0x0000000075831000-memory.dmp  5.7MB
  memory/1388-19-0x0000000001A70000-0x0000000001A80000-memory.dmp  64KB
  memory/1388-20-0x0000000001A70000-0x0000000001A80000-memory.dmp  64KB
  memory/1388-2-0x0000000075280000-0x0000000075831000-memory.dmp   5.7MB
  memory/4212-39-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-14-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-16-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-25-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-17-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-50-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-12-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-13-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-10-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-30-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-43-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-45-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB
  memory/4824-23-0x0000000000400000-0x00000000004EB000-memory.dmp  940KB