Analysis
-
max time kernel
159s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
08-04-2024 20:20
Static task
static1
Behavioral task
behavioral1
Sample
e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe
-
Size
493KB
-
MD5
e8545399823b411ea6cb927e80aded0f
-
SHA1
22af521e6119003289b6bd5d7be9a3328acb59cc
-
SHA256
3d31e58a5488a2ec7fb942d3b7005b73b7a617b2b31c89aae7edf6b460edd11e
-
SHA512
91b5f2c5fda648d4b54e5a434cb8848c3b1a51627387d552d12461adbc4f1925d3a1f23321f36e6404d6d7eff616cd428f648e5b44384f2c394e2777f0b938f6
-
SSDEEP
6144:WE3WAe1LXFPQbIQrn7xVEcMXBvsEbfKBqwOwD71tJ71Py6QSIRhg0ST7IYzMTFOB:WKWAebYYc4hbmOwD71tJha6QSGdAF7
Malware Config
Extracted
asyncrat
0.5.7B
Default
ControllerFinallineballinglove33.webredirect.org:7719
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
Abobe.exe
-
install_folder
%AppData%
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Adobes\\sys30.exe," reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe -
Drops startup file 2 IoCs
Processes:
e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobes\sys30.exe e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobes\sys30.exe e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
Processes:
sys30.exesys30.exepid process 2940 sys30.exe 4008 sys30.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/2348-5-0x0000000006A80000-0x0000000006AA8000-memory.dmp agile_net -
Suspicious use of SetThreadContext 1 IoCs
Processes:
sys30.exedescription pid process target process PID 2940 set thread context of 4008 2940 sys30.exe sys30.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exesys30.exepid process 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe 2940 sys30.exe 2940 sys30.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exesys30.exedescription pid process Token: SeDebugPrivilege 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe Token: SeDebugPrivilege 2940 sys30.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
e8545399823b411ea6cb927e80aded0f_JaffaCakes118.execmd.exesys30.exedescription pid process target process PID 2348 wrote to memory of 1304 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 1304 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 1304 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe cmd.exe PID 1304 wrote to memory of 3104 1304 cmd.exe reg.exe PID 1304 wrote to memory of 3104 1304 cmd.exe reg.exe PID 1304 wrote to memory of 3104 1304 cmd.exe reg.exe PID 2348 wrote to memory of 2940 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe sys30.exe PID 2348 wrote to memory of 2940 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe sys30.exe PID 2348 wrote to memory of 2940 2348 e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe sys30.exe PID 2940 wrote to memory of 4008 2940 sys30.exe sys30.exe PID 2940 wrote to memory of 4008 2940 sys30.exe sys30.exe PID 2940 wrote to memory of 4008 2940 sys30.exe sys30.exe PID 2940 wrote to memory of 4008 2940 sys30.exe sys30.exe PID 2940 wrote to memory of 4008 2940 sys30.exe sys30.exe PID 2940 wrote to memory of 4008 2940 sys30.exe sys30.exe PID 2940 wrote to memory of 4008 2940 sys30.exe sys30.exe PID 2940 wrote to memory of 4008 2940 sys30.exe sys30.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e8545399823b411ea6cb927e80aded0f_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobes\sys30.exe,"2⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobes\sys30.exe,"3⤵
- Modifies WinLogon for persistence
PID:3104
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobes\sys30.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobes\sys30.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobes\sys30.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobes\sys30.exe"3⤵
- Executes dropped EXE
PID:4008
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:81⤵PID:772
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5232c537b9de63796f124d6e7c3afcbd9
SHA1cfa10e8cfc64eaaa0f2b17363a65426c41729e9d
SHA256da9ff8d5d3ad1a97c7f369973506ad780565ef44ed7f89df850cc6be5d07801c
SHA5120157b54708b6a33497bd3eabc07f6c17ad784882afcd18be8ffcdb835564ab9d43c5be25347db0a715fc32d70f116026dd11db15005ec0cdc13f8acea44e7eb9
-
Filesize
493KB
MD5e8545399823b411ea6cb927e80aded0f
SHA122af521e6119003289b6bd5d7be9a3328acb59cc
SHA2563d31e58a5488a2ec7fb942d3b7005b73b7a617b2b31c89aae7edf6b460edd11e
SHA51291b5f2c5fda648d4b54e5a434cb8848c3b1a51627387d552d12461adbc4f1925d3a1f23321f36e6404d6d7eff616cd428f648e5b44384f2c394e2777f0b938f6