Analysis

max time kernel: 151s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 18:23
Static task: static1

Behavioral task: behavioral1
  Sample: 262132653358194edf6a20bd6477825b_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 262132653358194edf6a20bd6477825b_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: 262132653358194edf6a20bd6477825b_JaffaCakes118.exe
Size: 2.2MB
MD5: 262132653358194edf6a20bd6477825b
SHA1: 7f51c6ae16a71abac42ee32f4973250b92839282
SHA256: 9bbc1ed623d8ff84aed6a4ad000cdf10165a2ead32896aa02b7525c40ffffe3b
SHA512: b88b80bdf663f94bd75f3c7ab55805fce229635f9044a8f3aaf0f57405447a0431ecfd71fa8059b524c71d14ac18a3a7a4d7e58bf29af25ba121c4462521f644
SSDEEP: 49152:IkxOm+7TjsPnztyDMmaf0qC6TuRhB0Cd4Ik0ZD5FJ9X+:IJotyDJTuIRZD5FLX
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: 262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
  pid 180  262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Modifies boot configuration data using bcdedit (1 IoC)
  pid 3432  bcdedit.exe

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  resource: behavioral2/files/0x00080000000232a2-109.dat  yara_rule: autoit_exe
  resource: behavioral2/memory/1188-114-0x00007FF763640000-0x00007FF76387A000-memory.dmp  yara_rule: autoit_exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

NTFS ADS (3 IoCs)
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2
  Process: 262132653358194edf6a20bd6477825b_JaffaCakes118.exe

  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2:Win32_ShadowCopy
  Process: 262132653358194edf6a20bd6477825b_JaffaCakes118.exe

  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2
  Process: 262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1188  262132653358194edf6a20bd6477825b_JaffaCakes118.exe  (2 entries)
  pid 180   262132653358194edf6a20bd6477825b_JaffaCakes118.exe  (2 entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 1188  262132653358194edf6a20bd6477825b_JaffaCakes118.exe
  pid 180   262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid 1188  262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Token: SeBackupPrivilege   pid 3432  bcdedit.exe
  Token: SeRestorePrivilege  pid 3432  bcdedit.exe  (3 entries)
  Token: SeBackupPrivilege   pid 1080  vssvc.exe
  Token: SeRestorePrivilege  pid 1080  vssvc.exe
  Token: SeAuditPrivilege    pid 1080  vssvc.exe
  Token: SeRestorePrivilege  pid 1188  262132653358194edf6a20bd6477825b_JaffaCakes118.exe
  Token: SeBackupPrivilege   pid 1188  262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 1188  262132653358194edf6a20bd6477825b_JaffaCakes118.exe  (repeated entries)
  pid 180   262132653358194edf6a20bd6477825b_JaffaCakes118.exe  (repeated entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid 1188  262132653358194edf6a20bd6477825b_JaffaCakes118.exe  (repeated entries)
  pid 180   262132653358194edf6a20bd6477825b_JaffaCakes118.exe  (repeated entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1188 wrote to memory of 4200  pid 1188  262132653358194edf6a20bd6477825b_JaffaCakes118.exe  procid_target 89  (2 entries)
  PID 1188 wrote to memory of 4544  pid 1188  262132653358194edf6a20bd6477825b_JaffaCakes118.exe  procid_target 91  (2 entries)
  PID 4544 wrote to memory of 3432  pid 4544  cmd.exe  procid_target 93  (2 entries)
  PID 1188 wrote to memory of 180   pid 1188  262132653358194edf6a20bd6477825b_JaffaCakes118.exe  procid_target 106  (2 entries)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe"
  PID: 1188
  - Checks computer location settings
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c echo 2
    PID: 4200

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
    PID: 4544
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bcdedit.exe
      command line: C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
      PID: 3432
      - Modifies boot configuration data using bcdedit
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe"
    PID: 180
    - Executes dropped EXE
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 1080
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 4392
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 11B
MD5: e2745b02d17175b9b46412c83b8b2b4f
SHA1: fe0facf9afe5a68723515feba8452ed2837f61d4
SHA256: 047d80578830db380f60e70ad8ab56d32cb5dd5d5c0a3a90ec70ab85df7b7c86
SHA512: bc7a54af98c9a72bbbab08bbbf7d431fccdcca85582833459e9172610d67e307ed8ee872c473336f4ff3858c1c43edc61a2aa87ca2334019f62a2c53ba9095d2

Filesize: 2.2MB
MD5: 1e77764884338aeb8ace7b631adb2426
SHA1: dc28b7e5f5836f6ffa38b219c526c1f0aced62dd
SHA256: 664e0fe460295aacf2dfd8148c32ce86e79ff2780a1952fc1fba4aa06ca13423
SHA512: 3a97143703e25d6f5b3e93c71555719a6fc7485c15ce244a4d7b052c80497ed27cf72d5f173cfb76cad11422f96dac214639867e73d65b8fd8ddb3343c84fab4

Filesize: 4.2MB
MD5: 4733474f42440e1a1c52861e89b5a94c
SHA1: 359b7ef7c876df294e105e44f5c1e3e916c8766a
SHA256: a913857191e4a9ca7f57249a3d7508a57261d16ad9bc4ca3f2cc0dbe136cbb80
SHA512: 6c05670259bf359c7d7f6a9e3cf3b1d2d0460f5d6a8fdb6b373808536c20a639a0f4bb1ae21271d45676565c05113e28f0971ba9c86522fa12d72b68d9c6f20a

Filesize: 717B
MD5: 822467b728b7a66b081c91795373789a
SHA1: d8f2f02e1eef62485a9feffd59ce837511749865
SHA256: af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512: bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Filesize: 299B
MD5: 5ae8478af8dd6eec7ad4edf162dd3df1
SHA1: 55670b9fd39da59a9d7d0bb0aecb52324cbacc5a
SHA256: fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca
SHA512: a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize: 192B
MD5: 7fa51e4d0959c08d365baf6baca2bfd0
SHA1: b3daf02c29f10ed5b533003480fab2d8cca195f2
SHA256: ce6d77b0dd70c85036779d67d0509703f02aa779348ca0c515b79295429a4585
SHA512: 51c9d2bb343fc107876ab4de1a7012d5f5598da5b35e2085923508baee0d889764ed3338a66cb2a218fc0013a17dde05e3eac861185c50347f4481277fc1b1e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize: 192B
MD5: dcc07c47d71461533f39173e5a972996
SHA1: d36afa651b0ccad33562aa036706aaa6c9ef035d
SHA256: ca3abd901a8e8779863575b3a2ae51784da38e7b1401e7d2f81ab9285f27a6e6
SHA512: a9bb7915289b8c07c5c9fb140b4c7b6f629f74519a2463c20140f965f8bbbbb9b5bbfe7c9f273725a4d8edf8e3733270f594f6c10c7f7db5a4c349e08395ddd6

Filesize: 2.3MB
MD5: 120f574ee9576a25c66d15e092e342ce
SHA1: 84e65506eb6f0f02b069c9e323b647af957484f5
SHA256: 181b6f58321032cbbef46e672238268f91eb2dec2ec1762f2510ca42098b049e
SHA512: 119ce0dc5e1778e1b200869866f761fc71125617d31bf0426edc81ea883824597996b8c57197c683fc487426d9512530bd4b78076ac54ee91454022311e0f3af