9bbc1ed623d8ff84aed6a4ad000cdf10165a2ead32896aa02b7525c40ffffe3b

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

262132653358194edf6a20bd6477825b_JaffaCakes118.exe
Size

2.2MB
MD5

262132653358194edf6a20bd6477825b
SHA1

7f51c6ae16a71abac42ee32f4973250b92839282
SHA256

9bbc1ed623d8ff84aed6a4ad000cdf10165a2ead32896aa02b7525c40ffffe3b
SHA512

b88b80bdf663f94bd75f3c7ab55805fce229635f9044a8f3aaf0f57405447a0431ecfd71fa8059b524c71d14ac18a3a7a4d7e58bf29af25ba121c4462521f644
SSDEEP

49152:IkxOm+7TjsPnztyDMmaf0qC6TuRhB0Cd4Ik0ZD5FJ9X+:IJotyDJTuIRZD5FLX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
3432	bcdedit.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00080000000232a2-109.dat	autoit_exe
behavioral2/memory/1188-114-0x00007FF763640000-0x00007FF76387A000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2:Win32_ShadowCopy	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeBackupPrivilege	3432	bcdedit.exe
Token: SeRestorePrivilege	3432	bcdedit.exe
Token: SeRestorePrivilege	3432	bcdedit.exe
Token: SeRestorePrivilege	3432	bcdedit.exe
Token: SeBackupPrivilege	1080	vssvc.exe
Token: SeRestorePrivilege	1080	vssvc.exe
Token: SeAuditPrivilege	1080	vssvc.exe
Token: SeRestorePrivilege	1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
Token: SeBackupPrivilege	1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe
180	262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 4200	1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe	89
PID 1188 wrote to memory of 4200	1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe	89
PID 1188 wrote to memory of 4544	1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe	91
PID 1188 wrote to memory of 4544	1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe	91
PID 4544 wrote to memory of 3432	4544	cmd.exe	93
PID 4544 wrote to memory of 3432	4544	cmd.exe	93
PID 1188 wrote to memory of 180	1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe	106
PID 1188 wrote to memory of 180	1188	262132653358194edf6a20bd6477825b_JaffaCakes118.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo 2
  2⤵
  PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
    3⤵
    - Modifies boot configuration data using bcdedit
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FRST\Logs\up64

Filesize
11B

MD5
e2745b02d17175b9b46412c83b8b2b4f

SHA1
fe0facf9afe5a68723515feba8452ed2837f61d4

SHA256
047d80578830db380f60e70ad8ab56d32cb5dd5d5c0a3a90ec70ab85df7b7c86

SHA512
bc7a54af98c9a72bbbab08bbbf7d431fccdcca85582833459e9172610d67e307ed8ee872c473336f4ff3858c1c43edc61a2aa87ca2334019f62a2c53ba9095d2

Download Submit
C:\FRST\m9Ek0Wc1Xq2L\NTUSER.DAT

Filesize
2.2MB

MD5
1e77764884338aeb8ace7b631adb2426

SHA1
dc28b7e5f5836f6ffa38b219c526c1f0aced62dd

SHA256
664e0fe460295aacf2dfd8148c32ce86e79ff2780a1952fc1fba4aa06ca13423

SHA512
3a97143703e25d6f5b3e93c71555719a6fc7485c15ce244a4d7b052c80497ed27cf72d5f173cfb76cad11422f96dac214639867e73d65b8fd8ddb3343c84fab4

Download Submit
C:\FRST\m9Ek0Wc1Xq2L\UsrClass.dat

Filesize
4.2MB

MD5
4733474f42440e1a1c52861e89b5a94c

SHA1
359b7ef7c876df294e105e44f5c1e3e916c8766a

SHA256
a913857191e4a9ca7f57249a3d7508a57261d16ad9bc4ca3f2cc0dbe136cbb80

SHA512
6c05670259bf359c7d7f6a9e3cf3b1d2d0460f5d6a8fdb6b373808536c20a639a0f4bb1ae21271d45676565c05113e28f0971ba9c86522fa12d72b68d9c6f20a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
7fa51e4d0959c08d365baf6baca2bfd0

SHA1
b3daf02c29f10ed5b533003480fab2d8cca195f2

SHA256
ce6d77b0dd70c85036779d67d0509703f02aa779348ca0c515b79295429a4585

SHA512
51c9d2bb343fc107876ab4de1a7012d5f5598da5b35e2085923508baee0d889764ed3338a66cb2a218fc0013a17dde05e3eac861185c50347f4481277fc1b1e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
dcc07c47d71461533f39173e5a972996

SHA1
d36afa651b0ccad33562aa036706aaa6c9ef035d

SHA256
ca3abd901a8e8779863575b3a2ae51784da38e7b1401e7d2f81ab9285f27a6e6

SHA512
a9bb7915289b8c07c5c9fb140b4c7b6f629f74519a2463c20140f965f8bbbbb9b5bbfe7c9f273725a4d8edf8e3733270f594f6c10c7f7db5a4c349e08395ddd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\262132653358194edf6a20bd6477825b_JaffaCakes118.exe

Filesize
2.3MB

MD5
120f574ee9576a25c66d15e092e342ce

SHA1
84e65506eb6f0f02b069c9e323b647af957484f5

SHA256
181b6f58321032cbbef46e672238268f91eb2dec2ec1762f2510ca42098b049e

SHA512
119ce0dc5e1778e1b200869866f761fc71125617d31bf0426edc81ea883824597996b8c57197c683fc487426d9512530bd4b78076ac54ee91454022311e0f3af

Download Submit
memory/1188-114-0x00007FF763640000-0x00007FF76387A000-memory.dmp

Filesize
2.2MB

Download