Analysis
Max time kernel: 150s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-04-2024 12:09
Static task: static1
Behavioral task: behavioral1
  Sample: d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
Size: 580KB
MD5: d35381609a7837b54625620b260ceba0
SHA1: e2a849cd29fe4584fe183ec4a3d231b96c11510f
SHA256: e451310ccd2dc212d3c4233ef75c6bd4a6b238e6ef44119ae4769cac2a2e5f54
SHA512: a12e110cba61403f88f16ce101297d221f29050c5b7111245c73ed6dbd797493d3f96ed18a175106a1f49d57bd628b2e69695c637e624319a848dc513fd3092e
SSDEEP: 12288:Q4gzhRXZrOMlRYpl3U077HwPoTxqLWPiXjJ/whUFT:ehRXZr1ypl3p77QwTUki9/who
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (steamerrorreporter.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (d35381609a7837b54625620b260ceba0_JaffaCakes118.exe)
Drops startup file (1 IoC)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\steamerrorreporter.b2bqemce.lnk (d35381609a7837b54625620b260ceba0_JaffaCakes118.exe)
Executes dropped EXE (2 IoCs)
Processes:
  PID 3752 steamerrorreporter.exe
  PID 1588 steamerrorreporter.exe
Loads dropped DLL (13 IoCs)
Processes (all RegAsm.exe), PIDs: 544, 3316, 1576, 692, 4448, 4032, 1592, 4628, 2856, 396, 1872, 3960, 4568
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resource: behavioral2/memory/544-27-0x0000000000400000-0x000000000046E000-memory.dmp
YARA rule: agile_net
Suspicious use of SetThreadContext (13 IoCs)
Processes:
  PID 3752 steamerrorreporter.exe set thread context of RegAsm.exe, target PIDs: 544, 3316, 1576, 692, 4448, 4032, 1592, 4628, 2856, 396, 1872, 4568, 3960
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes:
  PID 3752 steamerrorreporter.exe (36 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 1600 d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 3752 steamerrorreporter.exe
  Token: SeDebugPrivilege, PID 1588 steamerrorreporter.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  PID 1600 d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
Suspicious use of SendNotifyMessage (1 IoC)
Processes:
  PID 1600 d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID, source process, target PID, target process, number of identical entries):
  PID 1600 d35381609a7837b54625620b260ceba0_JaffaCakes118.exe wrote to memory of PID 3752 steamerrorreporter.exe (3 entries)
  PID 3752 steamerrorreporter.exe wrote to memory of PID 1588 steamerrorreporter.exe (3 entries)
  PID 3752 steamerrorreporter.exe wrote to memory of PID 544 RegAsm.exe (8 entries)
  PID 3752 steamerrorreporter.exe wrote to memory of PID 3316 RegAsm.exe (8 entries)
  PID 3752 steamerrorreporter.exe wrote to memory of PID 1576 RegAsm.exe (8 entries)
  PID 3752 steamerrorreporter.exe wrote to memory of PID 692 RegAsm.exe (8 entries)
  PID 3752 steamerrorreporter.exe wrote to memory of PID 4448 RegAsm.exe (8 entries)
  PID 3752 steamerrorreporter.exe wrote to memory of PID 1592 RegAsm.exe (8 entries)
  PID 3752 steamerrorreporter.exe wrote to memory of PID 4032 RegAsm.exe (8 entries)
  PID 3752 steamerrorreporter.exe wrote to memory of PID 2856 RegAsm.exe (2 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe (PID 1600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Drops startup file; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe (PID 3752)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe (PID 1588)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (13 instances, PIDs 544, 3316, 1576, 692, 4448, 1592, 4032, 2856, 4628, 396, 1872, 3960, 4568)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 128B
  MD5: a5dcc7c9c08af7dddd82be5b036a4416
  SHA1: 4f998ca1526d199e355ffb435bae111a2779b994
  SHA256: e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
  SHA512: 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a
File 2
  Filesize: 136KB
  MD5: 9af5eb006bb0bab7f226272d82c896c7
  SHA1: c2a5bb42a5f08f4dc821be374b700652262308f0
  SHA256: 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
  SHA512: 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a
File 3 (the submitted sample)
  Filesize: 580KB
  MD5: d35381609a7837b54625620b260ceba0
  SHA1: e2a849cd29fe4584fe183ec4a3d231b96c11510f
  SHA256: e451310ccd2dc212d3c4233ef75c6bd4a6b238e6ef44119ae4769cac2a2e5f54
  SHA512: a12e110cba61403f88f16ce101297d221f29050c5b7111245c73ed6dbd797493d3f96ed18a175106a1f49d57bd628b2e69695c637e624319a848dc513fd3092e