Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/04/2024, 14:05

Static task: static1

Behavioral task: behavioral1
- Sample: e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
- Resource: win10v2004-20231215-en
General
- Target: e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
- Size: 6.1MB
- MD5: e7a12cc016c3f54c60c9bfa824618f26
- SHA1: 3faaf64a93900e9a444c1cadf6b1e13b46154ce2
- SHA256: f2ec62ee89bf915370d3599c85d2f3c9179a796a5a0e6ed3322ba31db1292f54
- SHA512: ebe8a5c4129d6d2ea38018ab0c20e4f67bc7e8b5d753b99e7d98d5d83a8e2ebc32dc022d5ceab63c32b4e563e169dd329665ef8877832abc9b3fee63b3530084
- SSDEEP: 196608:9Ng9vPvvvVvT6TtvvkvvvPvvvnvvvPvvvGU4CmsdrznlOTwd6Kpt:9NCvFvOTtUvfv3vfv2UZm0znzd6
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: 106.69.2.59:6637
- communication_password: 81dc9bdb52d04dc20036dbd8313ed055
- tor_process: tor
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  Process: e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe

- Executes dropped EXE (2 IoCs)
  pid 3552 / Process wdbpsss.exe
  pid 572 / Process InstallUtil.exe

- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource: behavioral2/memory/3308-7-0x00000000079C0000-0x00000000079E8000-memory.dmp
  yara_rule: agile_net

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdbpsss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wdbpsss.exe"
  Process: reg.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid 572 / Process InstallUtil.exe (4 entries)

- Suspicious use of SetThreadContext (1 IoC)
  description: PID 3552 set thread context of 572
  pid 3552 / Process wdbpsss.exe / procid_target 97

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 3308 / Process e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe (23 entries)
  pid 3552 / Process wdbpsss.exe (2 entries)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege / pid 3308 / Process e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
  Token: SeDebugPrivilege / pid 3552 / Process wdbpsss.exe
  Token: SeShutdownPrivilege / pid 572 / Process InstallUtil.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 572 / Process InstallUtil.exe (2 entries)

- Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / Process / procid_target:
  PID 3308 wrote to memory of 4144 / 3308 / e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe / 85 (3 entries)
  PID 4144 wrote to memory of 4476 / 4144 / cmd.exe / 87 (3 entries)
  PID 3308 wrote to memory of 3552 / 3308 / e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe / 96 (3 entries)
  PID 3552 wrote to memory of 572 / 3552 / wdbpsss.exe / 97 (11 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe"
  PID: 3308
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wdbpsss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wdbpsss.exe"
    PID: 4144
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wdbpsss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wdbpsss.exe"
      PID: 4476
      - Adds Run key to start application

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wdbpsss.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wdbpsss.exe"
    PID: 3552
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      PID: 572
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 41KB
  MD5: 5d4073b2eb6d217c19f2b22f21bf8d57
  SHA1: f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
  SHA256: ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
  SHA512: 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

- Filesize: 6.1MB
  MD5: e7a12cc016c3f54c60c9bfa824618f26
  SHA1: 3faaf64a93900e9a444c1cadf6b1e13b46154ce2
  SHA256: f2ec62ee89bf915370d3599c85d2f3c9179a796a5a0e6ed3322ba31db1292f54
  SHA512: ebe8a5c4129d6d2ea38018ab0c20e4f67bc7e8b5d753b99e7d98d5d83a8e2ebc32dc022d5ceab63c32b4e563e169dd329665ef8877832abc9b3fee63b3530084