Analysis
- max time kernel: 139s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-04-2024 18:04
Static task: static1
Behavioral task: behavioral1
Sample: 0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe
Resource: win7-20240221-en
General
- Target: 0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe
- Size: 676KB
- MD5: 0a48ebd4c893f0e4e54edc1024236b06
- SHA1: e6a51d4134a8807abca494a17619c42647e9669c
- SHA256: 695da3c8bed2ce16d81174c620837b40e19a2e0f0b77c3385129046e45c49888
- SHA512: 3c5023a74ebdbeb024f9303c923721c8c825e9922bbb406b2ecdd58ceb5aba97ac60d3c7c4b73de9eeb689912d34c103f926302bac9cec13a409ef3e957acb5a
- SSDEEP: 6144:QtMkmy4LRp+I3tEUDiUPU8Z3S8fZRwq3RhK3eJoyPgPVZyEgf:2MkmhpZ6UDvU8Z3SEZWiRhK3kgdZ
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (by 0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" (by installutil.exe)
The value lands under WOW6432Node because the writer is a 32-bit process (the v2.0.50727 Framework path, not Framework64, in the process tree confirms this); when hunting on 64-bit hosts, read both the native and the WOW6432Node Run keys. The value name and path imitate a Windows component, but the real DHCP Client service runs inside svchost.exe, not from Program Files (x86).
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 4196 (installutil.exe) set thread context of PID 3152 (installutil.exe)
Together with the eight WriteProcessMemory calls from 4196 into 3152 listed below, and the fact that 3152 is a second installutil.exe started with no arguments at all, this is consistent with process hollowing: the second InstallUtil instance is a host for injected code rather than a second uninstall run. A memory dump of PID 3152 taken after this call, rather than the file on disk, is where the unpacked payload would be found.
-
Drops file in Program Files directory (2 IoCs)
Processes:
  File created: C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe (by installutil.exe)
  File opened for modification: C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe (by installutil.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 3512 schtasks.exe
  PID 1524 schtasks.exe
Both tasks are defined from XML files staged in %Temp% (see the command lines in the process tree); the report does not show the XML contents, so the trigger and the action must be read from those files themselves.
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  PID 4196 installutil.exe (2 occurrences)
  PID 3152 installutil.exe (3 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 3152 installutil.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 4196 installutil.exe
  Token: SeDebugPrivilege, PID 3152 installutil.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  PID 2240 (0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe) wrote to memory of PID 4196 (installutil.exe): 3 times
  PID 4196 (installutil.exe) wrote to memory of PID 3152 (installutil.exe): 8 times
  PID 3152 (installutil.exe) wrote to memory of PID 3512 (schtasks.exe): 3 times
  PID 3152 (installutil.exe) wrote to memory of PID 1524 (schtasks.exe): 3 times
Three writes per child is what every ordinary process launch in this report produces (the two plain schtasks launches show exactly that); the eight writes from 4196 into 3152 are the outlier and line up with the SetThreadContext finding above.
Processes
1. C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe (PID 2240)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe (PID 4196)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe (PID 3152)
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
         - Adds Run key to start application
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\schtasks.exe (PID 3512)
            Command line: "schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA0B4.tmp"
            - Creates scheduled task(s)
         4. C:\Windows\SysWOW64\schtasks.exe (PID 1524)
            Command line: "schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA0F4.tmp"
            - Creates scheduled task(s)

Stage 2 is the InstallUtil uninstall-method trick (ATT&CK T1218.004, signed binary proxy execution): /u makes InstallUtil load the sample as a .NET assembly and call the Uninstall method of its RunInstaller-attributed classes, so the sample's code runs inside a Microsoft-signed binary; /logtoconsole=false and an empty /logfile= suppress the .InstallLog file InstallUtil would otherwise write next to the assembly. Stage 3 is a second InstallUtil launched with no arguments, which legitimate use never produces; it is the process that performs all of the persistence (file drop, Run key, both scheduled tasks).
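The chain above (InstallUtil /u on a file in %Temp%, a second InstallUtil that spawns schtasks with XML from %Temp%, and a Run value written by InstallUtil) is specific enough to hunt for. The following is an added example, not part of the sandbox report and not the sample's own code: three checks run over constructed process-creation and registry events that mirror this report's process tree and IoCs. The event schema (pid, ppid, image, cmdline, key, value) is an assumed simplification of Sysmon event IDs 1 and 13, not a real log format; the two benign control events at the end are invented.

```python
"""Hunting checks for the InstallUtil -> schtasks / Run-key chain in this report.

Added example, not part of the sandbox report. Events are constructed to mirror
the report's process tree; the field names are an assumed, Sysmon-like schema.
"""
import re
from dataclasses import dataclass

INSTALLUTIL_RE = re.compile(r"\\installutil\.exe$", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\\schtasks\.exe$", re.IGNORECASE)
# Paths an unprivileged user can write to; a genuine service assembly being
# uninstalled normally lives under Program Files, not here.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Process creation (analogue of Sysmon event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    """Registry value set (analogue of Sysmon event ID 13)."""
    pid: int
    image: str
    key: str
    value: str


def installutil_uninstall_proxy(events):
    """InstallUtil.exe /u (or /uninstall) aimed at an assembly in a user-writable path.

    /u runs the Uninstall method of the target's Installer classes, i.e. arbitrary
    code under a signed Microsoft binary (T1218.004). Returns (pid, target) tuples.
    """
    hits = []
    for e in events:
        if isinstance(e, ProcEvent) and INSTALLUTIL_RE.search(e.image):
            m = re.search(r'/u(?:ninstall)?\s+(?:"([^"]+)"|(\S+))', e.cmdline, re.IGNORECASE)
            if m:
                target = m.group(1) or m.group(2)
                if USER_WRITABLE_RE.search(target):
                    hits.append((e.pid, target))
    return hits


def installutil_spawns_schtasks(events):
    """schtasks /create ... /xml <user-writable file> with InstallUtil.exe as parent.

    InstallUtil has no reason to register tasks. Returns (pid, task_name) tuples.
    """
    procs = {e.pid: e for e in events if isinstance(e, ProcEvent)}
    hits = []
    for e in procs.values():
        parent = procs.get(e.ppid)
        if not (parent and INSTALLUTIL_RE.search(parent.image) and SCHTASKS_RE.search(e.image)):
            continue
        cl = e.cmdline.lower()
        if "/create" in cl and "/xml" in cl and USER_WRITABLE_RE.search(e.cmdline):
            tn = re.search(r'/tn\s+"([^"]+)"', e.cmdline, re.IGNORECASE)
            hits.append((e.pid, tn.group(1) if tn else None))
    return hits


def run_key_set_by_installutil(events):
    """A Run/RunOnce value written by InstallUtil.exe. Returns (pid, value_name, data)."""
    return [
        (e.pid, e.key.rsplit("\\", 1)[-1], e.value)
        for e in events
        if isinstance(e, RegEvent) and RUN_KEY_RE.search(e.key) and INSTALLUTIL_RE.search(e.image)
    ]


def triage(events):
    """Run all checks; any non-empty entry is worth escalating."""
    findings = {
        "installutil_uninstall_proxy": installutil_uninstall_proxy(events),
        "installutil_spawns_schtasks": installutil_spawns_schtasks(events),
        "run_key_set_by_installutil": run_key_set_by_installutil(events),
    }
    return {k: v for k, v in findings.items() if v}


# Constructed events: PIDs, paths and task names are taken from the report;
# the last three entries are invented benign controls that must not fire.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
IU = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
SAMPLE = TMP + r"\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe"
EVENTS = [
    ProcEvent(2240, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4196, 2240, IU, f'"{IU}" /logtoconsole=false /logfile= /u "{SAMPLE}"'),
    ProcEvent(3152, 4196, IU, f'"{IU}"'),
    ProcEvent(3512, 3152, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "{TMP}\\tmpA0B4.tmp"'),
    ProcEvent(1524, 3152, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "{TMP}\\tmpA0F4.tmp"'),
    RegEvent(3152, IU,
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem",
             r"C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe"),
    ProcEvent(5000, 1000, IU, f'"{IU}" /u "C:\\Program Files\\Vendor\\VendorSvc.exe"'),
    ProcEvent(5001, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(5002, 5001, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Backup" /xml "C:\Program Files\Vendor\backup.xml"'),
]

if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name, hits)
```

The path check in the first rule is what keeps it quiet on real service uninstalls; the parent check in the second rule is what separates this chain from an administrator importing a task XML by hand. On a real host the same three rules map directly onto Sysmon event ID 1 (with ParentImage) and event ID 13.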
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 810B
  MD5: 7a4a84f4d2df1fe011638038702dad89
  SHA1: 64e9856d95b2064ff51e1c77819c818e6e5b3291
  SHA256: cfd5734d90e6889355768ae5a723076000d88af2e5b6b435d55fa5bfa3e29590
  SHA512: cbe9f7724806d161e70a161525c89199e10e6f38ad425533defaa1e02a12bf2cf28cba6788ed68e446cbd4286541e341b55c40133c134f9fcf94cae79b34092d
- Filesize: 1KB
  MD5: 776580d2028b74ed89bb21146482bdff
  SHA1: d1a45290dedde63d8539a2fc8af866b430238bc7
  SHA256: fbad359469fc6aefb5695d01974f4edf50528f51f80d57b9eb0d8f2f81033cc0
  SHA512: de084f473db26ce159b639b02e7ffa263ae5b6c4c1da9f6932676dae4a6c65f082b1bcac673c45c2e2b84caa06d1860ea6f0545b81fd7b3e4f8fe5e802a160d3
- Filesize: 1KB
  MD5: 2f26d92c1eeead3896820e56ec46f6f1
  SHA1: d95533b61eed7d89e4ada56bc566d60e42ac1f61
  SHA256: 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa
  SHA512: 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892