Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 20:02

Behavioral task behavioral1
- Sample: 687256c30b6bc6d544a7a87db1f1fd63_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task behavioral2
- Sample: 687256c30b6bc6d544a7a87db1f1fd63_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 687256c30b6bc6d544a7a87db1f1fd63_JaffaCakes118.exe
- Size: 37KB
- MD5: 687256c30b6bc6d544a7a87db1f1fd63
- SHA1: c0a94a26040ad562b522052f5776f0ac7fbfcf35
- SHA256: 816b68815e27c0f0599698fcd978526d4e340c91208dd3cd06d88429d99bb91c
- SHA512: 89bfac44e84b1070760b4a9c8b8f4e47d305c2e2709b671dfabbdcfee0c85e37531a33cfed9b578316f47b83c4f0bbf77e9f2fbdafce91eb436b85c7c88238b7
- SSDEEP: 384:S0+6WIiejtCVLO309Qmykrt4QdqMjf+vWEWYrAF+rMRTyN/0L+EcoinblneHQM36:6HdGdkrOGb+eE7rM+rMRa8Nuzvt
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe (PID 3772)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 687256c30b6bc6d544a7a87db1f1fd63_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes: hostdll.exe (PID 60)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: hostdll.exe (PID 60)
  Token: SeDebugPrivilege, followed by alternating Token: 33 and Token: SeIncBasePriorityPrivilege (17 pairs, 35 token adjustments in total)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 687256c30b6bc6d544a7a87db1f1fd63_JaffaCakes118.exe, hostdll.exe
  PID 4988 (687256c30b6bc6d544a7a87db1f1fd63_JaffaCakes118.exe) wrote to memory of PID 60 (hostdll.exe), 3 times
  PID 60 (hostdll.exe) wrote to memory of PID 3772 (netsh.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\687256c30b6bc6d544a7a87db1f1fd63_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\687256c30b6bc6d544a7a87db1f1fd63_JaffaCakes118.exe"
  PID: 4988
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hostdll.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hostdll.exe"
    PID: 60
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\hostdll.exe" "hostdll.exe" ENABLE
      PID: 3772
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\hostdll.exe
  Filesize: 37KB
  MD5: 687256c30b6bc6d544a7a87db1f1fd63
  SHA1: c0a94a26040ad562b522052f5776f0ac7fbfcf35
  SHA256: 816b68815e27c0f0599698fcd978526d4e340c91208dd3cd06d88429d99bb91c
  SHA512: 89bfac44e84b1070760b4a9c8b8f4e47d305c2e2709b671dfabbdcfee0c85e37531a33cfed9b578316f47b83c4f0bbf77e9f2fbdafce91eb436b85c7c88238b7
- memory/60-13-0x0000000074B40000-0x00000000750F1000-memory.dmp
  Filesize: 5.7MB
- memory/60-14-0x0000000074B40000-0x00000000750F1000-memory.dmp
  Filesize: 5.7MB
- memory/60-15-0x0000000074B40000-0x00000000750F1000-memory.dmp
  Filesize: 5.7MB
- memory/4988-0-0x0000000074B42000-0x0000000074B43000-memory.dmp
  Filesize: 4KB
- memory/4988-1-0x0000000074B40000-0x00000000750F1000-memory.dmp
  Filesize: 5.7MB
- memory/4988-2-0x0000000074B40000-0x00000000750F1000-memory.dmp
  Filesize: 5.7MB
- memory/4988-12-0x0000000074B40000-0x00000000750F1000-memory.dmp
  Filesize: 5.7MB