Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-04-2024 17:02
Static task
static1
Behavioral task
behavioral1
Sample
fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe
-
Size
62KB
-
MD5
fd3569bdf323487fdc45516ef598a0ab
-
SHA1
b0155ee5cd923f4352d81e07f4e40146efbbfec6
-
SHA256
d8e9561612c6e06160d79abde41c7b66e4921a1c041ad5c2658d43050b4fd2d0
-
SHA512
b94a5273303164741ab152109e2c411e991adf1050d1c44f1a14fca9ffdfa6e7d232ea006882b64074bd1906cf6ef7985d929e50fcc435baa521d13a4c3ce59d
-
SSDEEP
768:lnbdqCXAVwfAYYIuqQ1/A6IFi6PYLDwUzc80gmq3oP/oDhv:lnb5AYNfQ1/APi1r/0O8/olv
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Renames multiple (76) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe\"" fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Documents\desktop.ini fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 348 fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe 348 fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 348 fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 312 WMIC.exe Token: SeSecurityPrivilege 312 WMIC.exe Token: SeTakeOwnershipPrivilege 312 WMIC.exe Token: SeLoadDriverPrivilege 312 WMIC.exe Token: SeSystemProfilePrivilege 312 WMIC.exe Token: SeSystemtimePrivilege 312 WMIC.exe Token: SeProfSingleProcessPrivilege 312 WMIC.exe Token: SeIncBasePriorityPrivilege 312 WMIC.exe Token: SeCreatePagefilePrivilege 312 WMIC.exe Token: SeBackupPrivilege 312 WMIC.exe Token: SeRestorePrivilege 312 WMIC.exe Token: SeShutdownPrivilege 312 WMIC.exe Token: SeDebugPrivilege 312 WMIC.exe Token: SeSystemEnvironmentPrivilege 312 WMIC.exe Token: SeRemoteShutdownPrivilege 312 WMIC.exe Token: SeUndockPrivilege 312 WMIC.exe Token: SeManageVolumePrivilege 312 WMIC.exe Token: 33 312 WMIC.exe Token: 34 312 WMIC.exe Token: 35 312 WMIC.exe Token: SeIncreaseQuotaPrivilege 312 WMIC.exe Token: SeSecurityPrivilege 312 WMIC.exe Token: SeTakeOwnershipPrivilege 312 WMIC.exe Token: SeLoadDriverPrivilege 312 WMIC.exe Token: SeSystemProfilePrivilege 312 WMIC.exe Token: SeSystemtimePrivilege 312 WMIC.exe Token: SeProfSingleProcessPrivilege 312 WMIC.exe Token: SeIncBasePriorityPrivilege 312 WMIC.exe Token: SeCreatePagefilePrivilege 312 WMIC.exe Token: SeBackupPrivilege 312 WMIC.exe Token: SeRestorePrivilege 312 WMIC.exe Token: SeShutdownPrivilege 312 WMIC.exe Token: SeDebugPrivilege 312 WMIC.exe Token: SeSystemEnvironmentPrivilege 312 WMIC.exe Token: SeRemoteShutdownPrivilege 312 WMIC.exe Token: SeUndockPrivilege 312 WMIC.exe Token: SeManageVolumePrivilege 312 WMIC.exe Token: 33 312 WMIC.exe Token: 34 312 WMIC.exe Token: 35 312 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 348 wrote to memory of 2028 348 fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe 28 PID 348 wrote to memory of 2028 348 fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe 28 PID 348 wrote to memory of 2028 348 fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe 28 PID 348 wrote to memory of 2028 348 fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe 28 PID 2028 wrote to memory of 312 2028 cmd.exe 30 PID 2028 wrote to memory of 312 2028 cmd.exe 30 PID 2028 wrote to memory of 312 2028 cmd.exe 30 PID 2028 wrote to memory of 312 2028 cmd.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd3569bdf323487fdc45516ef598a0ab_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:312
-
-