Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/04/2024, 02:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe
- Resource: win7-20240419-en
General
- Target: 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe
- Size: 270KB
- MD5: 0428ff225e18a0e79774b8f1b0c30b80
- SHA1: 806413191e59a704f26287aa5b0136d64dd2f30b
- SHA256: 54f0b6b1c309caccd02bab4a0013277e9f1ffde051fd2e45a59d784d1f425563
- SHA512: 66e69515691834cb8e143e65addfbd5e1368a173da697614adb8c4b15f046aadabb15e93c0809708a0a82f7f59781ca74169756cd7012199e5c753ef502b2b86
- SSDEEP: 3072:WxNvADAOY5ZMb7kj92vW1gowzSRtqBP0u+BqNfzUubhpgeUATDPYiPzXGw2:WvveAb7MUgW1aBPUBqzb0ATDPbPD2
Malware Config
Signatures
-
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  2276 | netsh.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe
-
Executes dropped EXE (2 IoCs)
  pid | Process
  408 | tmp.exe
  3876 | svhost.exe
-
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 912 set thread context of 3876 | 912 | 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe | 90
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe (1 IoC)
  pid | Process
  3560 | timeout.exe
-
NTFS ADS (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe:Zone.Identifier | cmd.exe
-
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  912 | 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe (10 identical entries)
-
Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 912 | 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe
  Token: SeDebugPrivilege | 408 | tmp.exe
  Token: 33 | 408 | tmp.exe (17 entries, alternating with the row below)
  Token: SeIncBasePriorityPrivilege | 408 | tmp.exe (17 entries)
-
Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target
  PID 912 wrote to memory of 3780 | 912 | 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe | 85 (3 entries)
  PID 3780 wrote to memory of 2436 | 3780 | cmd.exe | 87 (3 entries)
  PID 912 wrote to memory of 408 | 912 | 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe | 89 (3 entries)
  PID 912 wrote to memory of 3876 | 912 | 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe | 90 (8 entries)
  PID 912 wrote to memory of 2108 | 912 | 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe | 91 (3 entries)
  PID 2108 wrote to memory of 3560 | 2108 | cmd.exe | 95 (3 entries)
  PID 408 wrote to memory of 2276 | 408 | tmp.exe | 96 (3 entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe"
   PID: 912
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe"
      PID: 3780
      - NTFS ADS
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\reg.exe
         Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.lnk" /f
         PID: 2436
   2. C:\Users\Admin\AppData\Roaming\tmp.exe
      Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
      PID: 408
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE
         PID: 2276
         - Modifies Windows Firewall
   2. C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      PID: 3876
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.bat
      PID: 2108
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout /t 300
         PID: 3560
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 194B
MD5: 609f21988eae322f33f775df1cee0481
SHA1: 30b3f2bdab680ffd92ac2cd248a6af3cdfcddd01
SHA256: 4891ae96168de7eb45ea4d17bdbd31ea8b29124163e3d982f4f6f120ff07e487
SHA512: 061d3896c955966feae7c4f698d7e313439586c9c300a763769f1f9fa58068a68766824a970df9f3f56ee1bab32685109eed4e928b15be8445d93602be2efadb
-
Filesize: 270KB
MD5: 0428ff225e18a0e79774b8f1b0c30b80
SHA1: 806413191e59a704f26287aa5b0136d64dd2f30b
SHA256: 54f0b6b1c309caccd02bab4a0013277e9f1ffde051fd2e45a59d784d1f425563
SHA512: 66e69515691834cb8e143e65addfbd5e1368a173da697614adb8c4b15f046aadabb15e93c0809708a0a82f7f59781ca74169756cd7012199e5c753ef502b2b86
-
Filesize: 89KB
MD5: 84c42d0f2c1ae761bef884638bc1eacd
SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87
-
Filesize: 23KB
MD5: 2177a5b2d4432d38ff059f9feb9b560f
SHA1: e7c62227fa5fc416cd6d0bb4fec2dc34057130f9
SHA256: 76e3aa841279c976da1f37a675960dd7fcf119ef65bbe36764af1e4437c05bbf
SHA512: 5c6adffad74eaa7d7ba418d1b7e2ee64d57036c0b25227746799e65e3f76817393f3416e382e13c3e179c9a9015530e5d0a791c42e83e8618398ee42d03fbfe3