Analysis
- max time kernel: 150s
- max time network: 88s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 03:08

Static task: static1

Behavioral task: behavioral1
- Sample: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe
- Size: 437KB
- MD5: 043eaede991f0babf38e2e17937e4e99
- SHA1: 3308775eebfae7d12cce6f7154c5add1217c13d4
- SHA256: 0e5cb83def6333b13ab36fcf301145537f565800e768aaa5c40c2378b27ec5da
- SHA512: 2be4062e9519978bf82d2b36934b6d6e9e2971741827acae56c2dbb708220f0f685423fc0c3f150fd4eda8128348f0640ce6a58f9140713168947e177b8c1685
- SSDEEP: 6144:O2qVEWmw4UhfrXi2jyLhxT5Ahv4go96AO2wZTOfmu4pilruhQfEQLOp8/Oe113ea:dqVHmw4Uh2ayHx9mTOfColruOf5jOe1H
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe, com3.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation (process: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation (process: com3.exe)

Drops startup file (1 IoC)
Processes: SearchHelper.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe (process: SearchHelper.exe)

Executes dropped EXE (4 IoCs)
Processes: SearchHelper.exe, com3.exe, SearchHelper.exe, com3.exe
- PID 4468: SearchHelper.exe
- PID 3972: com3.exe
- PID 3392: SearchHelper.exe
- PID 3952: com3.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe, com3.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe" (process: reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe" (process: com3.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe, SearchHelper.exe, com3.exe, 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe, com3.exe, SearchHelper.exe
- PID 4640: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe (2 identical entries)
- PID 4468: SearchHelper.exe (2 identical entries)
- PID 3972: com3.exe (2 identical entries)
- PID 4504: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe (2 identical entries)
- PID 3952: com3.exe (2 identical entries)
- PID 3392: SearchHelper.exe (2 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: SearchHelper.exe
- Token: SeDebugPrivilege (PID 4468, SearchHelper.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: SearchHelper.exe
- PID 4468: SearchHelper.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe, 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe, com3.exe
- PID 4640 wrote to memory of 4468: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe -> SearchHelper.exe (3 identical entries)
- PID 4640 wrote to memory of 3972: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe -> com3.exe (3 identical entries)
- PID 4640 wrote to memory of 4504: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe -> 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe (3 identical entries)
- PID 4504 wrote to memory of 3392: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe -> SearchHelper.exe (3 identical entries)
- PID 4504 wrote to memory of 3952: 043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe -> com3.exe (3 identical entries)
- PID 3972 wrote to memory of 4440: com3.exe -> reg.exe (3 identical entries)
Processes (tree; indentation shows parent/child)

- C:\Users\Admin\AppData\Local\Temp\043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe (PID 4640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe (PID 4468)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe (PID 3972)
    Command line: "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe (PID 4440)
      Command line: "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
      - Adds Run key to start application
      - Modifies registry key

  - C:\Users\Admin\AppData\Local\Temp\043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe (PID 4504)
    Command line: "C:\Users\Admin\AppData\Local\Temp\043eaede991f0babf38e2e17937e4e99_JaffaCakes118.exe" silent pause
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe (PID 3392)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe (PID 3952)
      Command line: "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  Filesize: 440KB
  MD5: 9dedf0ec45da5b76026b0a8aa9e7f7bd
  SHA1: 25742fa3d06b057b2c1ca25adb139c6e9b067d37
  SHA256: 38a8a29b971a732130123de99c0333347522e673d2b39a5d37c8f424046545e8
  SHA512: 68fd8a18418ec9ba6186e598a20ea9316f30ff151d959c6e8720810609bc3c8a8f74c1a1f146b54261cdc33a6556860f3874789fa1f09113de42572bc41cd32e

- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  Filesize: 440KB
  MD5: 2d181055c7420b001cfe8fe597f1ee2b
  SHA1: 11d2752e9e38561470e7b5d33f567f589ca81bdb
  SHA256: 52ad4e90bbf94f034141ff1ad6574866f6c55f66b0a6e69735f0a8aae45fad43
  SHA512: 482aae8475159ffbea638f731a3b1f32647afa60166e15b7163d573d079c55bf7af719ae71ccc373d5294afe120604e0d50c19ea5eee0e13a71b15f169ddab5f

- C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat
  Filesize: 10B
  MD5: bc62f40c0a6a4929df7e775e738a416e
  SHA1: 0643661f9e0858f4d77e2b831fab91573a081930
  SHA256: ef766d89e40b511b7bbea6fe8997fd635daf8ee90d64b3918a186b2a9b087fc4
  SHA512: 376389145c35b22d0f46a3e6b79bf9a9fb5c30f6492e790b03f1006da12fee025bcce9f444d650f9671e0085e3a0e4c04cefa3a8938d81511231be66d9c76642

Memory dumps (PID-index-range):
- memory/3392-66-0x0000000063080000-0x00000000631EC000-memory.dmp (Filesize: 1.4MB)
- memory/3392-77-0x0000000000400000-0x0000000000468000-memory.dmp (Filesize: 416KB)
- memory/3952-56-0x0000000063080000-0x00000000631EC000-memory.dmp (Filesize: 1.4MB)
- memory/3952-76-0x0000000000400000-0x0000000000468000-memory.dmp (Filesize: 416KB)
- memory/4468-16-0x0000000063080000-0x00000000631EC000-memory.dmp (Filesize: 1.4MB)
- memory/4468-78-0x0000000000400000-0x0000000000468000-memory.dmp (Filesize: 416KB)
- memory/4504-45-0x0000000063080000-0x00000000631EC000-memory.dmp (Filesize: 1.4MB)
- memory/4640-0-0x0000000063080000-0x00000000631EC000-memory.dmp (Filesize: 1.4MB)
- memory/4640-43-0x0000000000400000-0x0000000000468000-memory.dmp (Filesize: 416KB)