16adf37262f86f735d64736a65a5fc3d4d6bc8b59761308d9d7d158e31142d23

Analysis

max time kernel
138s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exe
Size

298KB
MD5

693ad4f8f4fb28e4f281bbc6e514e8f3
SHA1

3cb5bb6b20165ab404f9109e6a37d19b76e48a49
SHA256

16adf37262f86f735d64736a65a5fc3d4d6bc8b59761308d9d7d158e31142d23
SHA512

81b90394a7393764013df3d8cc31247018a5700fa111ac34475652d0723f28f84ca16c6b42255f5a419ce9e2bfc6414c39a131ffdbdbbeb00fd367e9bb374012
SSDEEP

6144:F4gKygecqPkZm5hzLf8bJZ7Jp31Q+b5A/oiKs7TLYC0JGRqSw:GpyRcqs85ONZ7Jlu/ovu4C0JFSw

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exeNvGfeService.exenvgfeservice.exeNvGfeService.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	NvGfeService.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	nvgfeservice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	NvGfeService.exe

Executes dropped EXE 8 IoCs

Processes:

NvGfeService.exeNvGfeService.exeNvGfeService.exenvgfeservice.exeNvGfeService.exeNvGfeService.exeNvGfeService.exenvgfeservice.exe

pid	process
3336	NvGfeService.exe
1164	NvGfeService.exe
684	NvGfeService.exe
5100	nvgfeservice.exe
2700	NvGfeService.exe
404	NvGfeService.exe
5000	NvGfeService.exe
3176	nvgfeservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvGfeService.exe = "C:\\Users\\Admin\\AppData\\Roaming\\NvGfeService.exe"	693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

NvGfeService.exeNvGfeService.exe

description	pid	process	target process
PID 3336 set thread context of 684	3336	NvGfeService.exe	NvGfeService.exe
PID 2700 set thread context of 5000	2700	NvGfeService.exe	NvGfeService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

536 PING.EXE
3360 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

NvGfeService.exeNvGfeService.exe

pid process

3336 NvGfeService.exe
3336 NvGfeService.exe
2700 NvGfeService.exe
2700 NvGfeService.exe

pid	process
536	PING.EXE
3360	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

NvGfeService.exeNvGfeService.exeNvGfeService.exeNvGfeService.exe

description	pid	process
Token: SeDebugPrivilege	3336	NvGfeService.exe
Token: SeDebugPrivilege	684	NvGfeService.exe
Token: SeDebugPrivilege	2700	NvGfeService.exe
Token: SeDebugPrivilege	5000	NvGfeService.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exeNvGfeService.exeNvGfeService.execmd.exenvgfeservice.exeNvGfeService.exeNvGfeService.execmd.exe

description	pid	process	target process
PID 2696 wrote to memory of 3336	2696	693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exe	NvGfeService.exe
PID 2696 wrote to memory of 3336	2696	693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exe	NvGfeService.exe
PID 2696 wrote to memory of 3336	2696	693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exe	NvGfeService.exe
PID 3336 wrote to memory of 1164	3336	NvGfeService.exe	NvGfeService.exe
PID 3336 wrote to memory of 1164	3336	NvGfeService.exe	NvGfeService.exe
PID 3336 wrote to memory of 1164	3336	NvGfeService.exe	NvGfeService.exe
PID 3336 wrote to memory of 684	3336	NvGfeService.exe	NvGfeService.exe
PID 3336 wrote to memory of 684	3336	NvGfeService.exe	NvGfeService.exe
PID 3336 wrote to memory of 684	3336	NvGfeService.exe	NvGfeService.exe
PID 3336 wrote to memory of 684	3336	NvGfeService.exe	NvGfeService.exe
PID 3336 wrote to memory of 684	3336	NvGfeService.exe	NvGfeService.exe
PID 3336 wrote to memory of 684	3336	NvGfeService.exe	NvGfeService.exe
PID 3336 wrote to memory of 684	3336	NvGfeService.exe	NvGfeService.exe
PID 3336 wrote to memory of 684	3336	NvGfeService.exe	NvGfeService.exe
PID 684 wrote to memory of 5100	684	NvGfeService.exe	nvgfeservice.exe
PID 684 wrote to memory of 5100	684	NvGfeService.exe	nvgfeservice.exe
PID 684 wrote to memory of 5100	684	NvGfeService.exe	nvgfeservice.exe
PID 684 wrote to memory of 3148	684	NvGfeService.exe	cmd.exe
PID 684 wrote to memory of 3148	684	NvGfeService.exe	cmd.exe
PID 684 wrote to memory of 3148	684	NvGfeService.exe	cmd.exe
PID 3148 wrote to memory of 536	3148	cmd.exe	PING.EXE
PID 3148 wrote to memory of 536	3148	cmd.exe	PING.EXE
PID 3148 wrote to memory of 536	3148	cmd.exe	PING.EXE
PID 5100 wrote to memory of 2700	5100	nvgfeservice.exe	NvGfeService.exe
PID 5100 wrote to memory of 2700	5100	nvgfeservice.exe	NvGfeService.exe
PID 5100 wrote to memory of 2700	5100	nvgfeservice.exe	NvGfeService.exe
PID 2700 wrote to memory of 404	2700	NvGfeService.exe	NvGfeService.exe
PID 2700 wrote to memory of 404	2700	NvGfeService.exe	NvGfeService.exe
PID 2700 wrote to memory of 404	2700	NvGfeService.exe	NvGfeService.exe
PID 2700 wrote to memory of 5000	2700	NvGfeService.exe	NvGfeService.exe
PID 2700 wrote to memory of 5000	2700	NvGfeService.exe	NvGfeService.exe
PID 2700 wrote to memory of 5000	2700	NvGfeService.exe	NvGfeService.exe
PID 2700 wrote to memory of 5000	2700	NvGfeService.exe	NvGfeService.exe
PID 2700 wrote to memory of 5000	2700	NvGfeService.exe	NvGfeService.exe
PID 2700 wrote to memory of 5000	2700	NvGfeService.exe	NvGfeService.exe
PID 2700 wrote to memory of 5000	2700	NvGfeService.exe	NvGfeService.exe
PID 2700 wrote to memory of 5000	2700	NvGfeService.exe	NvGfeService.exe
PID 5000 wrote to memory of 3176	5000	NvGfeService.exe	nvgfeservice.exe
PID 5000 wrote to memory of 3176	5000	NvGfeService.exe	nvgfeservice.exe
PID 5000 wrote to memory of 3176	5000	NvGfeService.exe	nvgfeservice.exe
PID 5000 wrote to memory of 3960	5000	NvGfeService.exe	cmd.exe
PID 5000 wrote to memory of 3960	5000	NvGfeService.exe	cmd.exe
PID 5000 wrote to memory of 3960	5000	NvGfeService.exe	cmd.exe
PID 3960 wrote to memory of 3360	3960	cmd.exe	PING.EXE
PID 3960 wrote to memory of 3360	3960	cmd.exe	PING.EXE
PID 3960 wrote to memory of 3360	3960	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\693ad4f8f4fb28e4f281bbc6e514e8f3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Roaming\NvGfeService.exe
"C:\Users\Admin\AppData\Roaming\NvGfeService.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336

C:\Users\Admin\AppData\Roaming\NvGfeService.exe
"C:\Users\Admin\AppData\Roaming\NvGfeService.exe"
3⤵
- Executes dropped EXE
PID:1164

C:\Users\Admin\AppData\Roaming\NvGfeService.exe
"C:\Users\Admin\AppData\Roaming\NvGfeService.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Roaming\nvgfeservice\nvgfeservice.exe
"C:\Users\Admin\AppData\Roaming\nvgfeservice\nvgfeservice.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Roaming\NvGfeService.exe
"C:\Users\Admin\AppData\Roaming\NvGfeService.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Roaming\NvGfeService.exe
"C:\Users\Admin\AppData\Roaming\NvGfeService.exe"
6⤵
- Executes dropped EXE
PID:404

C:\Users\Admin\AppData\Roaming\NvGfeService.exe
"C:\Users\Admin\AppData\Roaming\NvGfeService.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Roaming\nvgfeservice\nvgfeservice.exe
"C:\Users\Admin\AppData\Roaming\nvgfeservice\nvgfeservice.exe"
7⤵
- Executes dropped EXE
PID:3176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\NvGfeService.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
8⤵
- Runs ping.exe
PID:3360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\NvGfeService.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
5⤵
- Runs ping.exe
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nvgfeservice.exe.log

Filesize
617B

MD5
e07efe3f1e4fcc39483a46d0644e1750

SHA1
083566e513d8090982a8f2d2c57864f7e5eea721

SHA256
d35da5dbc639e94852448d93722de5260388abf8a0a6b80d947d8acf02209617

SHA512
e29fac6efce55130598dd9ca0be18e2934d8ed417087848f4c80c1754312f1dae2eb0fc3e85e58aa11abde23a221bdf8f6b80df3a9acad4891626f667f05b474

Download Submit
C:\Users\Admin\AppData\Roaming\NvGfeService.exe

Filesize
298KB

MD5
693ad4f8f4fb28e4f281bbc6e514e8f3

SHA1
3cb5bb6b20165ab404f9109e6a37d19b76e48a49

SHA256
16adf37262f86f735d64736a65a5fc3d4d6bc8b59761308d9d7d158e31142d23

SHA512
81b90394a7393764013df3d8cc31247018a5700fa111ac34475652d0723f28f84ca16c6b42255f5a419ce9e2bfc6414c39a131ffdbdbbeb00fd367e9bb374012

Download Submit
memory/684-116-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/684-99-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/684-101-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/684-100-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/684-102-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/684-103-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/2696-1-0x0000000000440000-0x0000000000490000-memory.dmp

Filesize
320KB

Download
memory/2696-3-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/2696-2-0x0000000004D10000-0x0000000004DAC000-memory.dmp

Filesize
624KB

Download
memory/2696-0-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/2700-128-0x0000000004EB0000-0x0000000004ED4000-memory.dmp

Filesize
144KB

Download
memory/3336-65-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-49-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-81-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-79-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-77-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-75-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-73-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-71-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-98-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3336-69-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-67-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-19-0x00000000055B0000-0x00000000055D4000-memory.dmp

Filesize
144KB

Download
memory/3336-63-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-61-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-59-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-57-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-55-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-54-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-51-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-84-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-47-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-45-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-18-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3336-43-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-41-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-17-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/3336-39-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-38-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-35-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-33-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-31-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-29-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-27-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-25-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-23-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-21-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-20-0x00000000055B0000-0x00000000055CC000-memory.dmp

Filesize
112KB

Download
memory/3336-16-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download