Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-05-2024 01:16
Static task
static1
Behavioral task
behavioral1
Sample
5c6ffc40f7317121749686b8f80063e0_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5c6ffc40f7317121749686b8f80063e0_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
5c6ffc40f7317121749686b8f80063e0_JaffaCakes118.exe
-
Size
1.7MB
-
MD5
5c6ffc40f7317121749686b8f80063e0
-
SHA1
624e75617f155b1cebcc886555b613bead0b64a3
-
SHA256
8c2d113dd13a397383db160c188c3f1119b7c1e5af6bcd79f28987aa82cbed8b
-
SHA512
5b84d44f2ceb34d9cac6601fc3ac678b1399750f34b75679138d06479c8ad0c9c7ef11fd368a505aeb95bcda96754c2ba9b7af6374711eb79945af9ab593c833
-
SSDEEP
24576:hb1JC//wbZ1J/4iYsAGDAlR8guX7w5xxa/wzJPQnIEyBMNgVLUtfKxKvbaPDFZkp:5Wox4SEMf7RYDEWLvAb8FUi4fM6+Nc
Malware Config
Signatures
-
BitRAT payload 15 IoCs
resource yara_rule behavioral2/memory/3008-31-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-32-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-33-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-35-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-37-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-36-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-38-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-39-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-41-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-40-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-43-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-45-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-44-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-48-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat behavioral2/memory/3008-47-0x0000000000400000-0x00000000007CF000-memory.dmp family_bitrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 5c6ffc40f7317121749686b8f80063e0_JaffaCakes118.exe -
Executes dropped EXE 3 IoCs
pid Process 1728 Itizhf.exe 436 Itizhf.exe 3008 Itizhf.exe -
resource yara_rule behavioral2/memory/3008-31-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-32-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-30-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-27-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-33-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-35-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-37-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-36-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-38-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-39-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-41-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-40-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-43-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-45-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-44-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-48-0x0000000000400000-0x00000000007CF000-memory.dmp upx behavioral2/memory/3008-47-0x0000000000400000-0x00000000007CF000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cihiy = "C:\\Users\\Admin\\AppData\\Roaming\\ichiwi\\Cihiy.url" Itizhf.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 3008 Itizhf.exe 3008 Itizhf.exe 3008 Itizhf.exe 3008 Itizhf.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1728 set thread context of 3008 1728 Itizhf.exe 100 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1728 Itizhf.exe 1728 Itizhf.exe 1728 Itizhf.exe 1728 Itizhf.exe 1728 Itizhf.exe 1728 Itizhf.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1728 Itizhf.exe Token: SeShutdownPrivilege 3008 Itizhf.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3008 Itizhf.exe 3008 Itizhf.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1500 wrote to memory of 1728 1500 5c6ffc40f7317121749686b8f80063e0_JaffaCakes118.exe 93 PID 1500 wrote to memory of 1728 1500 5c6ffc40f7317121749686b8f80063e0_JaffaCakes118.exe 93 PID 1500 wrote to memory of 1728 1500 5c6ffc40f7317121749686b8f80063e0_JaffaCakes118.exe 93 PID 1728 wrote to memory of 436 1728 Itizhf.exe 96 PID 1728 wrote to memory of 436 1728 Itizhf.exe 96 PID 1728 wrote to memory of 436 1728 Itizhf.exe 96 PID 1728 wrote to memory of 5064 1728 Itizhf.exe 99 PID 1728 wrote to memory of 5064 1728 Itizhf.exe 99 PID 1728 wrote to memory of 5064 1728 Itizhf.exe 99 PID 1728 wrote to memory of 3008 1728 Itizhf.exe 100 PID 1728 wrote to memory of 3008 1728 Itizhf.exe 100 PID 1728 wrote to memory of 3008 1728 Itizhf.exe 100 PID 1728 wrote to memory of 3008 1728 Itizhf.exe 100 PID 1728 wrote to memory of 3008 1728 Itizhf.exe 100 PID 1728 wrote to memory of 3008 1728 Itizhf.exe 100 PID 1728 wrote to memory of 3008 1728 Itizhf.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c6ffc40f7317121749686b8f80063e0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5c6ffc40f7317121749686b8f80063e0_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Users\Admin\AppData\Roaming\ichiwi\Itizhf.exe"C:\Users\Admin\AppData\Roaming\ichiwi\Itizhf.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Roaming\ichiwi\Itizhf.exe"C:\Users\Admin\AppData\Roaming\ichiwi\Itizhf.exe"3⤵
- Executes dropped EXE
PID:436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵PID:5064
-
-
C:\Users\Admin\AppData\Roaming\ichiwi\Itizhf.exe"C:\Users\Admin\AppData\Roaming\ichiwi\Itizhf.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3008
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD55c6ffc40f7317121749686b8f80063e0
SHA1624e75617f155b1cebcc886555b613bead0b64a3
SHA2568c2d113dd13a397383db160c188c3f1119b7c1e5af6bcd79f28987aa82cbed8b
SHA5125b84d44f2ceb34d9cac6601fc3ac678b1399750f34b75679138d06479c8ad0c9c7ef11fd368a505aeb95bcda96754c2ba9b7af6374711eb79945af9ab593c833