Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 17:42

Static task: static1

Behavioral task: behavioral1
- Sample: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe
- Size: 879KB
- MD5: 5aa3e5eafe9fe3da717d5996a830cd14
- SHA1: 5c6bb95199209778cb31a710cdcb4a48aeeb3e6e
- SHA256: 668bfc84804f44313ed60e9a4f06eeeedbc009f779f620673025f54cf1d7ac02
- SHA512: ccd855646dad4b561556818592c863079f55aa8b82935c75b6d7fbc3358e9107cdef6e39802988fc897410b499073014e09a608fc36b2923ed05019096851f7d
- SSDEEP: 12288:68XrFMOLZBoEL2R0SSDGootOCA/OR2AyBf7xXsXdV+Tf/6SHNGSsf9g2Q0jC+/f1:68Xr+EJL2RkDGOHOEZfN8Sj/9dmx2+V
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
Processes: FB_FCB0.tmp.exe, 20mcos.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" | FB_FCB0.tmp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" | FB_FCB0.tmp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" | 20mcos.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" | 20mcos.exe
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: FB_FCB0.tmp.exe, 20mcos.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" | FB_FCB0.tmp.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 20mcos.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" | 20mcos.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | FB_FCB0.tmp.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: FB_FCB0.tmp.exe, WScript.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | FB_FCB0.tmp.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE (3 IoCs)
Processes: FB_FB96.tmp.exe, FB_FCB0.tmp.exe, 20mcos.exe
pid | process
- 1624 | FB_FB96.tmp.exe
- 2436 | FB_FCB0.tmp.exe
- 4532 | 20mcos.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe, FB_FCB0.tmp.exe, 20mcos.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" | FB_FCB0.tmp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" | FB_FCB0.tmp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" | 20mcos.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" | 20mcos.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: FB_FCB0.tmp.exe, 20mcos.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | FB_FCB0.tmp.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | 20mcos.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe, 20mcos.exe
description | pid | process | target process
- PID 4332 set thread context of 60 | 4332 | 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe | diskperf.exe
- PID 4532 set thread context of 1628 | 4532 | 20mcos.exe | iexplore.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
Processes: FB_FCB0.tmp.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | FB_FCB0.tmp.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: iexplore.exe
pid | process
- 1628 | iexplore.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: iexplore.exe
pid | process
- 1628 | iexplore.exe
Suspicious use of SendNotifyMessage (1 IoCs)
Processes: iexplore.exe
pid | process
- 1628 | iexplore.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: iexplore.exe
pid | process
- 1628 | iexplore.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Processes: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe, diskperf.exe, FB_FCB0.tmp.exe, WScript.exe, cmd.exe, 20mcos.exe
description | pid | process | target process (identical entries collapsed; count in parentheses)
- PID 4332 wrote to memory of 60 | 4332 | 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe | diskperf.exe (5 entries)
- PID 60 wrote to memory of 1624 | 60 | diskperf.exe | FB_FB96.tmp.exe (3 entries)
- PID 60 wrote to memory of 2436 | 60 | diskperf.exe | FB_FCB0.tmp.exe (3 entries)
- PID 2436 wrote to memory of 2784 | 2436 | FB_FCB0.tmp.exe | WScript.exe (3 entries)
- PID 2784 wrote to memory of 3740 | 2784 | WScript.exe | cmd.exe (3 entries)
- PID 3740 wrote to memory of 4532 | 3740 | cmd.exe | 20mcos.exe (3 entries)
- PID 4532 wrote to memory of 1628 | 4532 | 20mcos.exe | iexplore.exe (10 entries)
Processes (process tree; the bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe"
    PID: 4332
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\diskperf.exe
        Command line: "C:\Windows\SysWOW64\diskperf.exe"
        PID: 60
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\FB_FB96.tmp.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\FB_FB96.tmp.exe"
            PID: 1624
            - Executes dropped EXE

        [3] C:\Users\Admin\AppData\Local\Temp\FB_FCB0.tmp.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\FB_FCB0.tmp.exe"
            PID: 2436
            - Modifies WinLogon for persistence
            - Adds policy Run key to start application
            - Checks computer location settings
            - Executes dropped EXE
            - Adds Run key to start application
            - Modifies WinLogon
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WScript.exe
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
                PID: 2784
                - Checks computer location settings
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\20mcos\20mcos.exe"
                    PID: 3740
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Users\Admin\AppData\Roaming\20mcos\20mcos.exe
                        Command line: C:\Users\Admin\AppData\Roaming\20mcos\20mcos.exe
                        PID: 4532
                        - Modifies WinLogon for persistence
                        - Adds policy Run key to start application
                        - Executes dropped EXE
                        - Adds Run key to start application
                        - Modifies WinLogon
                        - Suspicious use of SetThreadContext
                        - Suspicious use of WriteProcessMemory

                        [7] C:\Program Files (x86)\Internet Explorer\iexplore.exe
                            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                            PID: 1628
                            - Suspicious behavior: GetForegroundWindowSpam
                            - Suspicious use of FindShellTrayWindow
                            - Suspicious use of SendNotifyMessage
                            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads