Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 08:32
Static task: static1
Behavioral task: behavioral1
  Sample: 254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe
- Size: 385KB
- MD5: 254a81df0a4b19b8d2a9e573009ce1ef
- SHA1: e8922dd8597e7db5389eca4b6befe6baacbd2fc4
- SHA256: 52d0aa400d6eb0f89b58f38646ba688d66d43d3242f459ef500ddf7876288335
- SHA512: b4b735269c07c4b34fde450469a4ec072904de8c1a71fa466e5d2fa9f1887f7d6935809f4eb342f562456c64fd87c7e804d86e54bd9e4b51393f9391f998f980
- SSDEEP: 12288:PMMMMMMMMMMMMMMMrMMMMMMMMMMMMMMMMXnTppc6o7MMMMMMMMMMMMMMVGX3jaA2:PMMMMMMMMMMMMMMMrMMMMMMMMMMMMMMq
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes (pid | process):
    3980 | netsh.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | 254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Software.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    2716 | Software.exe
    3592 | server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b87bffad2953810075bbb7eb63d0a3f3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b87bffad2953810075bbb7eb63d0a3f3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." | server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
    Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
    Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3592 | server.exe
    Token: 33 | 3592 | server.exe
    Token: SeIncBasePriorityPrivilege | 3592 | server.exe
    (the last two rows repeat in alternation 16 times, giving 33 rows in total)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 5012 wrote to memory of 2716 | 5012 | 254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe | Software.exe
    PID 5012 wrote to memory of 2716 | 5012 | 254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe | Software.exe
    PID 5012 wrote to memory of 2716 | 5012 | 254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe | Software.exe
    PID 2716 wrote to memory of 3592 | 2716 | Software.exe | server.exe
    PID 2716 wrote to memory of 3592 | 2716 | Software.exe | server.exe
    PID 2716 wrote to memory of 3592 | 2716 | Software.exe | server.exe
    PID 3592 wrote to memory of 3980 | 3592 | server.exe | netsh.exe
    PID 3592 wrote to memory of 3980 | 3592 | server.exe | netsh.exe
    PID 3592 wrote to memory of 3980 | 3592 | server.exe | netsh.exe
Processes (process tree, indented by depth)
- C:\Users\Admin\AppData\Local\Temp\254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Software.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Software.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: 1
  - Windows Service: 1
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
Privilege Escalation
- Create or Modify System Process: 1
  - Windows Service: 1
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
Downloads
- C:\Users\Admin\AppData\Local\Temp\Software.exe
  Filesize: 23KB
  MD5: d8daa94368db99b328de95023b2134dd
  SHA1: 5c6f5d8a1d4503f54d17d75d01d048f9ef1e40e0
  SHA256: 38114d680b74f808f0f322f35db7def5047c07c865c599dd024a3f9f1fc3a52d
  SHA512: 0bf735c17d59993114380b89e3e93b9a0048d16e55112707768b7383186864f01a792c33e2ca0cfc43903bfa5be330f9bac370e9c71ebc7368c9f872495c28f8
- memory/2716-30-0x0000000075590000-0x0000000075B41000-memory.dmp
  Filesize: 5.7MB
- memory/2716-20-0x0000000075590000-0x0000000075B41000-memory.dmp
  Filesize: 5.7MB
- memory/2716-17-0x0000000075592000-0x0000000075593000-memory.dmp
  Filesize: 4KB
- memory/5012-3-0x000000001C880000-0x000000001C91C000-memory.dmp
  Filesize: 624KB
- memory/5012-5-0x0000000001530000-0x0000000001538000-memory.dmp
  Filesize: 32KB
- memory/5012-6-0x00007FFE14D90000-0x00007FFE15731000-memory.dmp
  Filesize: 9.6MB
- memory/5012-7-0x00007FFE14D90000-0x00007FFE15731000-memory.dmp
  Filesize: 9.6MB
- memory/5012-8-0x000000001EC20000-0x000000001ECC6000-memory.dmp
  Filesize: 664KB
- memory/5012-4-0x00007FFE14D90000-0x00007FFE15731000-memory.dmp
  Filesize: 9.6MB
- memory/5012-0-0x00007FFE15045000-0x00007FFE15046000-memory.dmp
  Filesize: 4KB
- memory/5012-19-0x00007FFE14D90000-0x00007FFE15731000-memory.dmp
  Filesize: 9.6MB
- memory/5012-2-0x000000001CE80000-0x000000001D34E000-memory.dmp
  Filesize: 4.8MB
- memory/5012-1-0x00007FFE14D90000-0x00007FFE15731000-memory.dmp
  Filesize: 9.6MB