Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 02:36
Behavioral tasks
- behavioral1: Sample 65b6faaeae4305f6c648465eed531f63_JaffaCakes118.exe, Resource win7-20240508-en
- behavioral2: Sample 65b6faaeae4305f6c648465eed531f63_JaffaCakes118.exe, Resource win10v2004-20240508-en (the run reported below)
General
Target: 65b6faaeae4305f6c648465eed531f63_JaffaCakes118.exe
Size: 23KB
MD5: 65b6faaeae4305f6c648465eed531f63
SHA1: 3ebdd9346972b7e1f0ab61e9eeb004d4c3bfd8f0
SHA256: 7fb87752aa967175954cabb56e4aac86abb5d8fc9d4f2ae4b3ec5a272ac66d7e
SHA512: d587552556dc5d6d8d70cc4abc89f62ac9f187edc890180f9675412e1ec06cb4f5e2a88fe39273f7e73cca10597b9243b7a59484a8d22cf745b5574f6b5bc837
SSDEEP: 384:Qc6ze6e1PAhJVzC3tC1im/BsTx46PgZ0rap9HBmRvR6JZlbw8hqIusZzZVa65:Ee9EJLN/yRpcnuK
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (PID 5052)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by 65b6faaeae4305f6c648465eed531f63_JaffaCakes118.exe:
    \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Process: google.exe (PID 3528)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by google.exe, both with the data "C:\Users\Admin\AppData\Local\Temp\google.exe" .. (the quoted path followed by a literal ".." argument):
    \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e40ea9a7a3b853de9c126097dc3606ed
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e40ea9a7a3b853de9c126097dc3606ed
  The second key is the 32-bit (WOW6432Node) view of HKLM\...\Run, consistent with a 32-bit process running on x64 (netsh is likewise launched from SysWOW64); writing it requires administrative rights.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: google.exe (PID 3528). SeDebugPrivilege is enabled once, followed by 17 alternating pairs of privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4268 (65b6faaeae4305f6c648465eed531f63_JaffaCakes118.exe) wrote to the memory of PID 3528 (google.exe), three times.
  PID 3528 (google.exe) wrote to the memory of PID 5052 (netsh.exe), three times.
  Each write targets only a child the writer itself has just started, which is consistent with ordinary CreateProcess setup rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\65b6faaeae4305f6c648465eed531f63_JaffaCakes118.exe (PID 4268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\65b6faaeae4305f6c648465eed531f63_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\google.exe (PID 3528)
    Command line: "C:\Users\Admin\AppData\Local\Temp\google.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 5052)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\google.exe" "google.exe" ENABLE
      - Modifies Windows Firewall
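The behaviours in the process tree and signatures above (a self-copy dropped into the user's Temp directory, Run keys in both the native and WOW6432Node views pointing at it, a netsh firewall exception for the same path, and the Geo\Nation lookup) can be turned into endpoint detection logic. The following is an added example, not code from the sandbox or from the sample: it replays constructed Sysmon-style events modelled on this report's IoCs (the event shape, the PIDs being reused as-is, and the benign OneDrive Run key used as a negative control are all assumptions of the example) through four rules and one correlation that fires when the persisted path is also firewall-allowed.

```python
"""Added detection example (not the sandbox's or the sample's code).

Rules, run over constructed events modelled on this report's IoCs:
  run_key_temp     Run value launching a binary from %LOCALAPPDATA%\\Temp
  firewall_allow   `netsh firewall add allowedprogram <path> ...`
  self_copy        dropped file whose SHA-256 equals its writer's own image
  geo_query        read of Control Panel\\International\\Geo\\Nation (low severity)
  persist_and_firewall_exception  persisted path is also firewall-allowed
The Event shape (kind/pid/image/data) is an assumption for this example.
"""
import re
from dataclasses import dataclass, field

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)

SAMPLE_SHA256 = "7fb87752aa967175954cabb56e4aac86abb5d8fc9d4f2ae4b3ec5a272ac66d7e"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
HKCU = r"\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000"
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Event:
    kind: str   # process_create | file_create | registry_set | registry_query
    pid: int
    image: str
    data: dict = field(default_factory=dict)


# Constructed sample events (not real telemetry) reproducing the report's
# process tree and IoCs, plus one benign Run key as a negative control.
SAMPLE_EVENTS = [
    Event("process_create", 4268, TEMP + r"\65b6faaeae4305f6c648465eed531f63_JaffaCakes118.exe",
          {"cmdline": TEMP + r"\65b6faaeae4305f6c648465eed531f63_JaffaCakes118.exe",
           "sha256": SAMPLE_SHA256}),
    Event("registry_query", 4268, "sample.exe",
          {"key": HKCU + r"\Control Panel\International\Geo\Nation"}),
    Event("file_create", 4268, "sample.exe",
          {"path": TEMP + r"\google.exe", "sha256": SAMPLE_SHA256}),
    Event("process_create", 3528, TEMP + r"\google.exe",
          {"cmdline": TEMP + r"\google.exe", "sha256": SAMPLE_SHA256}),
    Event("registry_set", 3528, "google.exe",
          {"key": HKCU + RUN + r"\e40ea9a7a3b853de9c126097dc3606ed",
           "value": '"' + TEMP + r'\google.exe" ..'}),
    Event("registry_set", 3528, "google.exe",
          {"key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
                  r"\e40ea9a7a3b853de9c126097dc3606ed",
           "value": '"' + TEMP + r'\google.exe" ..'}),
    Event("process_create", 5052, r"C:\Windows\SysWOW64\netsh.exe",
          {"cmdline": 'netsh firewall add allowedprogram "' + TEMP + r'\google.exe" "google.exe" ENABLE'}),
    Event("registry_set", 1234, "OneDrive.exe",   # benign control: not in Temp
          {"key": HKCU + RUN + r"\OneDrive",
           "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'}),
]


def win_tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted arguments whole (quotes stripped)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def run_value_path(value: str) -> str:
    """Executable path from a Run value: the quoted path, or the first token."""
    toks = win_tokens(value)
    return toks[0] if toks else ""


def detect(events: list[Event]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, artifact) findings in event-stream order."""
    findings: list[tuple[str, int, str]] = []
    image_hash = {e.pid: e.data.get("sha256") for e in events if e.kind == "process_create"}
    for e in events:
        if e.kind == "registry_set" and RUN_KEY_RE.search(e.data["key"]):
            target = run_value_path(e.data["value"])
            if TEMP_DIR_RE.search(target):
                findings.append(("run_key_temp", e.pid, target))
        elif e.kind == "registry_query" and GEO_KEY_RE.search(e.data["key"]):
            findings.append(("geo_query", e.pid, e.data["key"]))
        elif e.kind == "process_create":
            toks = win_tokens(e.data["cmdline"])
            head = [t.lower() for t in toks[:4]]
            exe = head[0].rsplit("\\", 1)[-1].removesuffix(".exe") if head else ""
            if exe == "netsh" and head[1:] == ["firewall", "add", "allowedprogram"] and len(toks) > 4:
                findings.append(("firewall_allow", e.pid, toks[4]))
        elif e.kind == "file_create":
            sha = e.data.get("sha256")
            if sha and sha == image_hash.get(e.pid):      # writer dropped a copy of itself
                findings.append(("self_copy", e.pid, e.data["path"]))
    # Correlation: the same path is both persisted from Temp and firewall-allowed.
    persisted = {a.lower() for r, _, a in findings if r == "run_key_temp"}
    for r, pid, a in list(findings):
        if r == "firewall_allow" and a.lower() in persisted:
            findings.append(("persist_and_firewall_exception", pid, a))
    return findings


if __name__ == "__main__":
    for rule, pid, artifact in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {artifact}")
```

Matching on the resolved target of the Run value rather than on the raw string is what lets the HKCU and WOW6432Node entries (and any future variant with different arguments) hit the same rule, and the self-copy check keys on the writer's own image hash so it is independent of the chosen file name. The geo_query rule is deliberately kept separate and low severity: many legitimate applications read Geo\Nation, so it only adds context to the other findings.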
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\google.exe
  Filesize: 23KB
  MD5: 65b6faaeae4305f6c648465eed531f63
  SHA1: 3ebdd9346972b7e1f0ab61e9eeb004d4c3bfd8f0
  SHA256: 7fb87752aa967175954cabb56e4aac86abb5d8fc9d4f2ae4b3ec5a272ac66d7e
  SHA512: d587552556dc5d6d8d70cc4abc89f62ac9f187edc890180f9675412e1ec06cb4f5e2a88fe39273f7e73cca10597b9243b7a59484a8d22cf745b5574f6b5bc837
  All four hashes match the submitted sample: the dropped google.exe is a byte-for-byte copy of the original, so the same file hashes cover both the initial payload and the persisted copy.
- memory/3528-13-0x0000000074CB0000-0x0000000075261000-memory.dmp, Filesize: 5.7MB
- memory/3528-14-0x0000000074CB0000-0x0000000075261000-memory.dmp, Filesize: 5.7MB
- memory/3528-15-0x0000000074CB0000-0x0000000075261000-memory.dmp, Filesize: 5.7MB
- memory/4268-0-0x0000000074CB2000-0x0000000074CB3000-memory.dmp, Filesize: 4KB
- memory/4268-1-0x0000000074CB0000-0x0000000075261000-memory.dmp, Filesize: 5.7MB
- memory/4268-2-0x0000000074CB0000-0x0000000075261000-memory.dmp, Filesize: 5.7MB
- memory/4268-12-0x0000000074CB0000-0x0000000075261000-memory.dmp, Filesize: 5.7MB