Analysis
- max time kernel: 3s
- max time network: 5s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 01:50
Static task: static1
Behavioral task: behavioral1
- Sample: f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe
- Size: 1.1MB
- MD5: f269ccb519476724082fd3d4383d5ca6
- SHA1: fd9005d5401c9d2df2d792eec8d47ba5cee2b9c6
- SHA256: e56800ef1346a3a28f31c466eb1d31655a127c7cb81647bb7697558e7a879ed2
- SHA512: 77e5f1499acfea03e9cef52d85c1189b7ea0283b005c8584bc559d5ab694c3d3870906c52c012a5ad64930819b05f618852cd289eaa4a73b157c171d799a69ac
- SSDEEP: 12288:3R3osGLyv32XrpXEJETL3ZaHa1fwd3DqjPtet4nQTl0RgiynJd4m8SdZuZCpnp+Z:B3pvHEdchJFZkyYsBkcUZL
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
  f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe: key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation

- Executes dropped EXE (2 IoCs)
  Processes:
  PID 2480 hostcv.exe
  PID 4880 winini.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  hostcv.exe: set value (str) \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hostcv.exe"

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 2480 hostcv.exe set thread context of PID 4880 winini.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  Processes:
  PID 3032 WerFault.exe, target PID 4880 winini.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  PID 2480 hostcv.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  PID 2480 hostcv.exe: Token: SeDebugPrivilege (two occurrences)

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  PID 844 f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe wrote to memory of PID 2480 hostcv.exe (3 occurrences)
  PID 2480 hostcv.exe wrote to memory of PID 4880 winini.exe (14 occurrences)
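Read together, the signature rows describe one chain: the dropped hostcv.exe enables SeDebugPrivilege, writes into its child winini.exe fourteen times, then calls SetThreadContext on that child, after which WerFault reports winini.exe crashing. The parent sample's three writes into hostcv.exe, with no SetThreadContext, are what a plain process start-up looks like and are not by themselves suspicious. The script below is an added example (mine, not the sandbox's code and not part of the sample) that replays those rows as constructed events and flags what an analyst would pivot on: a write-then-SetThreadContext sequence into the same target (the thread-context injection pattern), a Run value pointing into the user's Temp directory, and the Geo\Nation lookup. The event schema, field names, function names and the ordering of events are assumptions; the PIDs, images, registry paths and counts are taken from the report.

```python
"""Added example, not part of the sandbox report or the sample: replays the
report's signature rows as constructed events and flags the behaviours that
matter for triage. The event schema is an assumption modelled on the report's
columns, not a real sandbox export format."""
from collections import defaultdict

SAMPLE = "f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"


def _wpm(pid, image, target_pid, target_image):
    """Build one WriteProcessMemory event (assumed schema)."""
    return {"api": "WriteProcessMemory", "pid": pid, "image": image,
            "target_pid": target_pid, "target_image": target_image}


# Constructed event stream transcribed from the Signatures section, in the
# order the report lists the rows (parent writes first, then the hostcv.exe chain).
EVENTS = (
    [{"api": "RegQueryValue", "pid": 844, "image": SAMPLE,
      "key": USER_HIVE + r"\Control Panel\International\Geo\Nation"}]
    + [_wpm(844, SAMPLE, 2480, "hostcv.exe")] * 3
    + [{"api": "RegSetValue", "pid": 2480, "image": "hostcv.exe",
        "key": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live",
        "value": TEMP_DIR + r"\hostcv.exe"},
       {"api": "AdjustPrivilegeToken", "pid": 2480, "image": "hostcv.exe",
        "privilege": "SeDebugPrivilege"}]
    + [_wpm(2480, "hostcv.exe", 4880, "winini.exe")] * 14
    + [{"api": "SetThreadContext", "pid": 2480, "image": "hostcv.exe",
        "target_pid": 4880, "target_image": "winini.exe"},
       {"api": "ProcessCrash", "pid": 3032, "image": "WerFault.exe",
        "target_pid": 4880, "target_image": "winini.exe"}]
)


def detect_injection_chains(events):
    """Return (source_pid, target_pid, write_count) for every pair where the
    source wrote into the target's memory and *afterwards* set a thread context
    on it. Writes alone are not flagged: a parent writing into a child it just
    created (PID 844 -> 2480 here) is normal start-up behaviour."""
    writes = defaultdict(int)
    findings = []
    for ev in events:
        pair = (ev["pid"], ev.get("target_pid"))
        if ev["api"] == "WriteProcessMemory":
            writes[pair] += 1
        elif ev["api"] == "SetThreadContext" and writes[pair]:
            findings.append((pair[0], pair[1], writes[pair]))
    return findings


def detect_temp_run_keys(events):
    """Return (pid, value_name, command) for Run-key values whose command
    points into a user Temp directory, i.e. persistence for a dropped file."""
    findings = []
    for ev in events:
        if ev["api"] != "RegSetValue":
            continue
        if "\\CurrentVersion\\Run\\" in ev["key"] and "\\AppData\\Local\\Temp\\" in ev["value"]:
            findings.append((ev["pid"], ev["key"].rsplit("\\", 1)[1], ev["value"]))
    return findings


def detect_geofence_lookups(events):
    """Return (pid, image) for processes reading the locale's Geo\\Nation value."""
    return [(ev["pid"], ev["image"]) for ev in events
            if ev["api"] == "RegQueryValue" and ev["key"].endswith(r"\Geo\Nation")]


def crashed_injection_targets(events):
    """Return target PIDs of a detected injection that WerFault later reported
    crashing. A crash right after injection usually means the injected payload
    did not run cleanly in this environment, not that the sample is harmless."""
    targets = {t for _, t, _ in detect_injection_chains(events)}
    return sorted(ev["target_pid"] for ev in events
                  if ev["api"] == "ProcessCrash" and ev["target_pid"] in targets)


if __name__ == "__main__":
    print("injection chains:", detect_injection_chains(EVENTS))
    print("temp run keys:", detect_temp_run_keys(EVENTS))
    print("geofence lookups:", detect_geofence_lookups(EVENTS))
    print("crashed injection targets:", crashed_injection_targets(EVENTS))
```

The order check in detect_injection_chains is the point: the same 17 WriteProcessMemory rows split into 3 benign parent-to-child writes and 14 writes that precede a SetThreadContext on the same target, and only the latter pair is reported.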
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe"
  PID: 844
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\hostcv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hostcv.exe"
    PID: 2480
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\winini.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\winini.exe
      PID: 4880
      - Executes dropped EXE
      - Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 12
        PID: 3032
        - Program crash
- Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4880 -ip 4880
  PID: 4848
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 696KB
  MD5: 771c6ba0050a51ca574d2e316468720b
  SHA1: 6fc9f25f8f6fd2295e394fbbac529c5ed6a80459
  SHA256: 5bcce062586bf4f2be50b18110cb25f413f2f2049f505f1aed7f588951826900
  SHA512: bbcbf93ae4ef4a08798c4f68b58267885a3db147d442ee5df449aa723d83d4e6004b901c28d55a463c74c072390b13434fccd198049cd93fc05af097f853fb64
- Filesize: 34KB
  MD5: e118330b4629b12368d91b9df6488be0
  SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
  SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
  SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0