Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-04-2024 21:39
Static task: static1
Behavioral task: behavioral1
Sample: f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe
Size: 242KB
MD5: f461e0baafcd9a9bc218ac8bfdd5e31a
SHA1: 65db47f933a688f831c6e785c1c600df3a85a79b
SHA256: f23cdf7d982b3e0953701893f4104a186da68d8d56c4e8f99f798eff27b7fbae
SHA512: 83c80e5617880a17d88c31646257c1086801d6274a6e3bafe08bda39ea7bebc90fa384dca99d405005c65ed1be284304632bdaffdc6014be98b4ed68342776d7
SSDEEP: 6144:U209KyD6sAdiy2sTgond+7lQHsgNvxRtDcKPH7Pj5lDs:Un9KszAusTT6msg1RDc2BlDs
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: shortcut2021.duckdns.org:6002
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_file: systeam32.exe
install_folder: %AppData%
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Odvhfcwmlbrkgm.exe | Odvhfcwmlbrkgm.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Odvhfcwmlbrkgm.exe | Odvhfcwmlbrkgm.exe

Executes dropped EXE (3 IoCs)
pid | Process
2056 | Nzllbibva.exe
4896 | Odvhfcwmlbrkgm.exe
4780 | Odvhfcwmlbrkgm.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4896 set thread context of 4780 | 4896 | Odvhfcwmlbrkgm.exe | 93

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (50 IoCs)
pid | Process
4896 | Odvhfcwmlbrkgm.exe (this same row is reported 50 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4896 | Odvhfcwmlbrkgm.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 4016 wrote to memory of 2056 | 4016 | f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe | 88 (3 identical rows)
PID 4016 wrote to memory of 4896 | 4016 | f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe | 90 (3 identical rows)
PID 4896 wrote to memory of 4780 | 4896 | Odvhfcwmlbrkgm.exe | 93 (8 identical rows)
Processes

C:\Users\Admin\AppData\Local\Temp\f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe"
  PID: 4016
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Nzllbibva.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Nzllbibva.exe"
    PID: 2056
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\Odvhfcwmlbrkgm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Odvhfcwmlbrkgm.exe"
    PID: 4896
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Odvhfcwmlbrkgm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Odvhfcwmlbrkgm.exe"
      PID: 4780
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 161KB
MD5: fb3ae19f3c99124fb0ed13205ba967c2
SHA1: 4fc3d1efd07d29d657b2a8fb7bec3d05cd430627
SHA256: 0a92b929cc8041cd868683116f3e7741cd22755a5ad57af56aa9bd6c54968c43
SHA512: faef6c2fd3a71a308df24174e189f40b5e0909f3c99886d449f1b738dd91cedc2dbbaa4146f56448eb392f67925792c028dd92778ca3a440ed751378e5631b75

Filesize: 195KB
MD5: 269d7728dbb38468ba697dedc335d4e6
SHA1: 3e6980bb5a3b0bf247800e6100dcbd7a97db2d4b
SHA256: b452105ebb3c208a7955ac226a26c5d9322921c26f055c9ef10a0b4c5a4ae7b5
SHA512: 0ae87dceeb02bf0b9d27a304b44add4fecc2382a9c444013d8e5add04b4760fe121839aea10f9eada8497e01ac85b0c2db2673897c0273cfe8d4c0a3915df3b6