Overview (score 7)
Static (score 3)
Behavioral tasks (sample, platform, score):
- 1f40c4422f...18.exe, windows7-x64, score 7
- 1f40c4422f...18.exe, windows10-2004-x64, score 7
- $PLUGINSDI...LL.dll, windows7-x64, score 3
- $PLUGINSDI...LL.dll, windows10-2004-x64, score 3
- $PLUGINSDI...ns.dll, windows7-x64, score 3
- $PLUGINSDI...ns.dll, windows10-2004-x64, score 3
- $PLUGINSDI...LL.dll, windows7-x64, score 3
- $PLUGINSDI...LL.dll, windows10-2004-x64, score 3
- $PLUGINSDI...em.dll, windows7-x64, score 3
- $PLUGINSDI...em.dll, windows10-2004-x64, score 3
- iconAnimate.exe, windows7-x64, score 1
- iconAnimate.exe, windows10-2004-x64, score 1
- iconTips.exe, windows7-x64, score 1
- iconTips.exe, windows10-2004-x64, score 1
- uninst.exe, windows7-x64, score 7
- uninst.exe, windows10-2004-x64, score 7
- $PLUGINSDI...LL.dll, windows7-x64, score 3
- $PLUGINSDI...LL.dll, windows10-2004-x64, score 3
- $PLUGINSDI...LL.dll, windows7-x64, score 3
- $PLUGINSDI...LL.dll, windows10-2004-x64, score 3
- $PLUGINSDI...em.dll, windows7-x64, score 3
- $PLUGINSDI...em.dll, windows10-2004-x64, score 3
- $PLUGINSDIR/inetc.dll, windows7-x64, score 3
- $PLUGINSDIR/inetc.dll, windows10-2004-x64, score 3
- $PLUGINSDI...gs.dll, windows7-x64, score 3
- $PLUGINSDI...gs.dll, windows10-2004-x64, score 3
- yj_dtsk.exe, windows7-x64, score 1
- yj_dtsk.exe, windows10-2004-x64, score 1
Analysis
- max time kernel: 136s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/05/2024, 03:11
Static task: static1
Behavioral tasks (task, sample, resource):
- behavioral1: 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe, win7-20240221-en
- behavioral2: 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe, win10v2004-20240419-en
- behavioral3: $PLUGINSDIR/FindProcDLL.dll, win7-20240419-en
- behavioral4: $PLUGINSDIR/FindProcDLL.dll, win10v2004-20240226-en
- behavioral5: $PLUGINSDIR/InstallOptions.dll, win7-20231129-en
- behavioral6: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240419-en
- behavioral7: $PLUGINSDIR/KillProcDLL.dll, win7-20240419-en
- behavioral8: $PLUGINSDIR/KillProcDLL.dll, win10v2004-20240419-en
- behavioral9: $PLUGINSDIR/System.dll, win7-20240221-en
- behavioral10: $PLUGINSDIR/System.dll, win10v2004-20240419-en
- behavioral11: iconAnimate.exe, win7-20240220-en
- behavioral12: iconAnimate.exe, win10v2004-20240419-en
- behavioral13: iconTips.exe, win7-20240221-en
- behavioral14: iconTips.exe, win10v2004-20240419-en
- behavioral15: uninst.exe, win7-20240221-en
- behavioral16: uninst.exe, win10v2004-20240419-en
- behavioral17: $PLUGINSDIR/FindProcDLL.dll, win7-20240221-en
- behavioral18: $PLUGINSDIR/FindProcDLL.dll, win10v2004-20240419-en
- behavioral19: $PLUGINSDIR/KillProcDLL.dll, win7-20240220-en
- behavioral20: $PLUGINSDIR/KillProcDLL.dll, win10v2004-20240419-en
- behavioral21: $PLUGINSDIR/System.dll, win7-20240221-en
- behavioral22: $PLUGINSDIR/System.dll, win10v2004-20240226-en
- behavioral23: $PLUGINSDIR/inetc.dll, win7-20231129-en
- behavioral24: $PLUGINSDIR/inetc.dll, win10v2004-20240419-en
- behavioral25: $PLUGINSDIR/nsDialogs.dll, win7-20240215-en
- behavioral26: $PLUGINSDIR/nsDialogs.dll, win10v2004-20240419-en
- behavioral27: yj_dtsk.exe, win7-20240221-en
- behavioral28: yj_dtsk.exe, win10v2004-20240419-en
General
- Target: 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe
- Size: 1.2MB
- MD5: 1f40c4422ffff18c554b7313d3a8df60
- SHA1: ee5b7c88fea14731be96a3ccc05d4cd655f54ed1
- SHA256: 30ef369d154a2d3bf33e28940ecfddf8a0194b4f4e7128571b643044556bbb70
- SHA512: d0229224f75e01cb8d4599d4a2961fce64188165aeaffc9206ad6f9e3e677e90424971b72f87ea052bdcfc9a9ee515bafea759396d5127d2615a5fa432b1b533
- SSDEEP: 24576:KYiAos7FQQ03tyjhtueZwGnFCEBEc168tar8vG5Mq8WpdR0y06cQCEW:viAos7FQQRjrugjnF5tre5Mq8WpdRJ0H
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation (process: 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe)
- Executes dropped EXE (4 IoCs)
  PID 516 yj_dtsk.exe; PID 2800 yj_dtsk.exe; PID 1804 yj_dtsk.exe; PID 548 yj_dtsk.exe
- Loads dropped DLL (3 IoCs)
  PID 3420 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe; PID 3420 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe; PID 3420 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (process: yj_dtsk.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 3420 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe (2 entries); PID 548 yj_dtsk.exe (22 entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 516 yj_dtsk.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2800 yj_dtsk.exe; PID 2800 yj_dtsk.exe; PID 1804 yj_dtsk.exe; PID 1804 yj_dtsk.exe
- Suspicious use of WriteProcessMemory (12 IoCs; columns: description, pid, process, procid_target)
  PID 3420 wrote to memory of 2800; 3420; 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe; 87 (3 entries)
  PID 3420 wrote to memory of 516; 3420; 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe; 88 (3 entries)
  PID 3420 wrote to memory of 1804; 3420; 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe; 89 (3 entries)
  PID 3420 wrote to memory of 548; 3420; 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe; 90 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe (level 1, PID 3420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe (level 2, PID 2800)
    Command line: "C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" SW_SHOWNORMAL
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe (level 2, PID 516)
    Command line: "C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /ShowDeskTop
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
  - C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe (level 2, PID 1804)
    Command line: "C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /autorun /setuprun
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe (level 2, PID 548)
    Command line: "C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /setupsucc
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads