Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 20:13
Static task: static1
Behavioral task: behavioral1
  Sample: e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
  Resource: win10v2004-20231215-en
General
Target: e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
Size: 78KB
MD5: e850ed9b9eb661162257c74b4caab45d
SHA1: c95d96973e2b74e2d69528cc3c79dbb4ef6707f2
SHA256: 27c0d27301d0249ad037784b18fee5c087534b2ed3de81db6c038227e38deac6
SHA512: d949f12b4e0cba64145a9954b9d90d669df68c4c59f239f677789f422efe746516f9c5243bdaf91ec52964ea0832d69911bc697cfbefed58231fe7800fc98b73
SSDEEP: 1536:m+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6t9/MB1F/:T5jS7JywQjDgTLopLwdCFJzl9/w
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 1 IoCs
Processes:
  PID 4544 tmp39FC.tmp.exe
Uses the VBS compiler for execution 1 TTPs
Invokes the .NET Visual Basic command-line compiler (vbc.exe, not a VBScript interpreter) at runtime with a dropped .cmdline response file from the Temp directory; the process tree shows vbc.exe then running cvtres.exe, and the parent afterwards executing tmp39FC.tmp.exe from the same Temp directory.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege, PID 1452 e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 4544 tmp39FC.tmp.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes (source PID, source process -> target PID, target process):
  1452 e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe -> 3772 vbc.exe
  1452 e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe -> 3772 vbc.exe
  1452 e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe -> 3772 vbc.exe
  3772 vbc.exe -> 4780 cvtres.exe
  3772 vbc.exe -> 4780 cvtres.exe
  3772 vbc.exe -> 4780 cvtres.exe
  1452 e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe -> 4544 tmp39FC.tmp.exe
  1452 e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe -> 4544 tmp39FC.tmp.exe
  1452 e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe -> 4544 tmp39FC.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe (PID 1452)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3772)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zj-hvuc2.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4780)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9032EB5D12449D6A5DB4E58AEA97CD4.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp39FC.tmp.exe (PID 4544)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp39FC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
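The process tree above is the chain the "Uses the VBS compiler for execution" and "Executes dropped EXE" signatures fire on: a binary in the user's Temp directory launches vbc.exe with a @*.cmdline response file, vbc.exe runs cvtres.exe as part of the compile, and the original binary then executes a freshly written tmp*.tmp.exe from the same directory. The detector below is an added example, not part of the sandbox report or the sandbox's own signature logic. It scores that chain from process-creation records shaped like Sysmon Event ID 1 (Image, CommandLine, ProcessId, ParentImage, ParentProcessId). The events are constructed: PIDs, image paths and command lines mirror the report, while the sample's own parent (explorer.exe), the benign MSBuild event and the BUILD_HOSTS allow-list are assumptions.

```python
"""Flag the runtime-compile-then-execute chain recorded in the process tree above.

Added example, not part of the sandbox report. Event fields follow Sysmon Event
ID 1 (Image, CommandLine, ProcessId, ParentImage, ParentProcessId). The events
are constructed: PIDs, images and command lines mirror the report; the parent of
the sample (explorer.exe) and the benign MSBuild event are assumed.
"""
import re
from pathlib import PureWindowsPath

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe"
FX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

EVENTS = [  # constructed from the report's process tree
    {"ProcessId": 1452, "ParentProcessId": 6100, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 3772, "ParentProcessId": 1452, "Image": FX + r"\vbc.exe", "ParentImage": SAMPLE,
     "CommandLine": f'"{FX}\\vbc.exe" /noconfig @"{TEMP}\\zj-hvuc2.cmdline"'},
    {"ProcessId": 4780, "ParentProcessId": 3772, "Image": FX + r"\cvtres.exe",
     "ParentImage": FX + r"\vbc.exe",
     "CommandLine": f'{FX}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RES3C6D.tmp" '
                    f'"{TEMP}\\vbcF9032EB5D12449D6A5DB4E58AEA97CD4.TMP"'},
    {"ProcessId": 4544, "ParentProcessId": 1452, "Image": TEMP + r"\tmp39FC.tmp.exe",
     "ParentImage": SAMPLE, "CommandLine": f'"{TEMP}\\tmp39FC.tmp.exe" {SAMPLE}'},
    # assumed benign build: MSBuild driving vbc.exe with a response file
    {"ProcessId": 7000, "ParentProcessId": 6900, "Image": FX + r"\vbc.exe",
     "ParentImage": r"C:\Program Files\MSBuild\msbuild.exe",
     "CommandLine": f'"{FX}\\vbc.exe" /noconfig @"C:\\build\\app.cmdline"'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
# Assumption: the build tools allowed to drive the compilers in your estate; tune this list
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "dotnet.exe"}
RESPONSE_FILE = re.compile(r'@"?[^"\s]+\.cmdline"?', re.I)
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|appdata\\roaming|downloads)\\", re.I)
DROPPED_TMP = re.compile(r"\\tmp[0-9a-f]{4}\.tmp\.exe$", re.I)


def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def detect_runtime_compile_chain(events):
    """Group events by parent and score parents that (1) run vbc/csc with a
    @*.cmdline response file without being a known build host, (2) whose compiler
    child went on to run cvtres.exe, and (3) that then launched a tmp*.tmp.exe."""
    children = {}
    for ev in events:
        children.setdefault(ev["ParentProcessId"], []).append(ev)

    findings = []
    for ppid, kids in children.items():
        compiles = [k for k in kids
                    if image_name(k["Image"]) in COMPILERS
                    and RESPONSE_FILE.search(k["CommandLine"])
                    and image_name(k["ParentImage"]) not in BUILD_HOSTS]
        if not compiles:
            continue
        parent_image = compiles[0]["ParentImage"]
        cvtres_seen = any(image_name(g["Image"]) == "cvtres.exe"
                          for c in compiles for g in children.get(c["ProcessId"], []))
        dropped = [k for k in kids if DROPPED_TMP.search(k["Image"])]
        score = 1                                                  # compiler spawned outside a build host
        score += 1 if USER_WRITABLE.search(parent_image) else 0    # parent itself lives in Temp/Downloads
        score += 1 if cvtres_seen else 0                           # compile ran through to the resource step
        score += 2 if dropped else 0                               # freshly built binary was executed
        findings.append({"parent_pid": ppid, "parent_image": parent_image,
                         "compiler_pids": [c["ProcessId"] for c in compiles],
                         "cvtres_seen": cvtres_seen,
                         "dropped_pids": [d["ProcessId"] for d in dropped],
                         "score": score})
    return findings


if __name__ == "__main__":
    for f in detect_runtime_compile_chain(EVENTS):
        print(f"score={f['score']} parent={f['parent_pid']} {f['parent_image']} "
              f"compilers={f['compiler_pids']} cvtres={f['cvtres_seen']} dropped={f['dropped_pids']}")
```

Run against the constructed events, the sample's parent (PID 1452) scores 5 and the MSBuild-driven compile produces no finding. The parent-image allow-list is deliberately narrow: legitimate .NET applications that compile through CodeDOM also spawn vbc.exe or csc.exe with exactly this /noconfig @*.cmdline pattern, so in production the parent's location in a user-writable directory and the execution of the dropped tmp*.tmp.exe are what should carry the weight of the score, and the .cmdline, RES*.tmp and vbc*.TMP file-creation events in Temp are worth pulling as corroborating artifacts.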
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 420cb7c1cc525c9cb421f5d06076d29e
  SHA1: 80633ee795e9590376857355dc2bdca112212514
  SHA256: 6cad504b81524c7e9078f626870551b64f6b63e873bbb9635966f1ff556c1233
  SHA512: c60e541dbe051b6a576c7328992036f4435436c78e7c0d32a19d99ca244ae085e1d3025b72d6fb7e8c68fbe69a823b9e1dcf1fc0d69d070db1b01a0f8776ac37
- Filesize: 78KB
  MD5: e41de2d210f550f3cbf4e776e70b6f58
  SHA1: 2280d1bcd97e8005d93048d965fed54f4aa0d643
  SHA256: 5559a99255010c0ff9bd0ec11dda52e5dbaf27cbfad24521ae9869c55b895a5f
  SHA512: e1bb0924ef381b16db533b5fac8ee50727829ab61e33a0c2803866ce51f7747c224285788d7ae36c5f56abc90db96f87053f91aa0adde3ef96fd5c71edda2794
- Filesize: 660B
  MD5: 22e24211662f99a2862cdceabd564f62
  SHA1: 8a248ca20bfa81f46081bb8fd5305a3422a255e9
  SHA256: f064bdbd1f4f92d4197b00729d929601d247b53b3476c4ef0396dfa884c9dc16
  SHA512: d2841a0657e4643a7040ae03b23a73a6a6521c04058336db124089f9bd12c9520fdc5752c8a972043298376e9e7db44ce3518a4eca690402d10c86af5730f0aa
- Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
- Filesize: 14KB
  MD5: 946367fdf9b50e03f5df96951c722bc9
  SHA1: 0cce2527f9979d2472d51ed7fef1376501ee3ca7
  SHA256: 96797968d28d8cd038ce5932429c488bce7e1384b3bc4ae792d6672792972777
  SHA512: 27f563d7f7d6121d0d9a68f362e0eaf2eb73cb867d13a56ec662707c3cbede23651428752c9867931f91f8d7e1af70cd27c3a38883cf65567d9c0e166ac025d9
- Filesize: 266B
  MD5: df5b979da869ef6529f513954f50d2d0
  SHA1: f505568ca5713b1d9995b3982f9a5b61e6d7fcb9
  SHA256: c9eeb6640774b9ffe60a67aa7f8f6c61e3004214e25c64e3d41444c706b9b994
  SHA512: 67b3e489740689b47d5941e176f2b28b0982c8fd0ec1be710072c95af55ac5ee0e677d423d929b85a1abc0f8c63012d68451f66bb4ba19db19a29351247cb586