Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 18:10
Static task: static1
Behavioral task: behavioral1
  Sample: f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe
Size: 47KB
MD5: f87f80ac20692d98173fa85cff1d53d4
SHA1: d9b54a5cd4459f8624fd9ec3bd868ef0e7028741
SHA256: 939a78eb46838db8dedfb5a5fae5619cb7462093c12e9cb21e7f571d5e21dec0
SHA512: 143942407b35cbe63fef9c5392d98626747363e5c716cf6cfe04bcf9fb782c7d4de3ede985da5fa9b3b46f360739edf7a8b6f07b5098476de31a9cf464b53113
SSDEEP: 768:aCbz5H3N6XTeWgGfBy2XrrLg9liGqv4lyPhSfXwfiAhIBbFVMn11xYvsft9L/x43:aizJN6XTtg+ByJjTNyPhSPwfi8mVMn1K
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: p.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (p.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\system = "C:\\Windows\\csrss.exe" (p.exe)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe, p.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation (f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation (p.exe)

Executes dropped EXE (3 IoCs)
Processes: p.exe, loader.exe, csrss.exe
  PID 636: p.exe
  PID 976: loader.exe
  PID 2172: csrss.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Processes: csrss.exe
  Key opened: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (csrss.exe)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: IEXPLORE.EXE
  File opened for modification: \??\PhysicalDrive0 (IEXPLORE.EXE)

Suspicious use of SetThreadContext (1 IoCs)
Processes: loader.exe
  PID 976 (loader.exe) set thread context of PID 3236 (IEXPLORE.EXE)

Drops file in Windows directory (2 IoCs)
Processes: p.exe
  File created: C:\Windows\csrss.exe (p.exe)
  File opened for modification: C:\Windows\csrss.exe (p.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes: WerFault.exe
  PID 3412 (WerFault.exe), target PID 3756 (f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: IEXPLORE.EXE, csrss.exe
  PID 3236: IEXPLORE.EXE
  PID 2172: csrss.exe
  PID 2172: csrss.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: p.exe, loader.exe, csrss.exe
  Token: SeDebugPrivilege, PID 636 (p.exe)
  Token: SeIncBasePriorityPrivilege, PID 976 (loader.exe)
  Token: SeDebugPrivilege, PID 2172 (csrss.exe)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe, loader.exe, p.exe
  PID 3756 (f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe) wrote to memory of PID 636 (p.exe), 3 times
  PID 3756 (f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe) wrote to memory of PID 976 (loader.exe), 3 times
  PID 976 (loader.exe) wrote to memory of PID 3236 (IEXPLORE.EXE), 7 times
  PID 636 (p.exe) wrote to memory of PID 2172 (csrss.exe), 3 times

outlook_win_path (1 IoCs)
Processes: csrss.exe
  Key opened: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (csrss.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f87f80ac20692d98173fa85cff1d53d4_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 312
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\p.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\p.exe"
    - Adds policy Run key to start application
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\csrss.exe
      Command line: "C:\Windows\csrss.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_win_path
  - C:\Users\Admin\AppData\Local\Temp\loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3756 -ip 3756
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  Filesize: 20KB
  MD5: 0c51a7748182b38afac4ab62fe5ec976
  SHA1: 4258245c92f0edfd7fd8273ec22d5cc9356a77d6
  SHA256: 386a4f3d9b849ed1fa2cbba640b428ba06ac65f7bc3c93ae9f0a6878113bd813
  SHA512: 188422f1366ea32b6dc30a3e63a46fffd5349a9786e50b6fddc299621d38b13b7582a703668b6591b3ef0caeef5e6525adb5728c27002a727d3667ef8fe54136
- C:\Users\Admin\AppData\Local\Temp\p.exe
  Filesize: 28KB
  MD5: 36c64a8b824970bbd991986f81fa8718
  SHA1: ae05cb686c3a1d79ff2e7a231b0e89befe527559
  SHA256: 5ebf226334f2035d115db37664e25b075cbe00badf8090dac2a49b0714bde733
  SHA512: d1ca9364bc7e1cc4ef466da44f8213fb0f541635c5c4d3d0afb82fe4bea17d4ffff5efe5a198d8b818c632b35fd8e56beba14ddc24b89d8a9ff6a4ee214abc78
- memory/636-17-0x0000000013140000-0x0000000013188000-memory.dmp
  Filesize: 288KB
- memory/636-29-0x0000000013140000-0x0000000013188000-memory.dmp
  Filesize: 288KB
- memory/976-16-0x0000000014140000-0x0000000014149000-memory.dmp
  Filesize: 36KB
- memory/976-18-0x0000000014140000-0x0000000014149000-memory.dmp
  Filesize: 36KB
- memory/2172-30-0x0000000013140000-0x0000000013188000-memory.dmp
  Filesize: 288KB
- memory/2172-31-0x0000000013140000-0x0000000013188000-memory.dmp
  Filesize: 288KB
- memory/3236-19-0x0000000013140000-0x00000000131E8000-memory.dmp
  Filesize: 672KB