Analysis
- max time kernel: 147s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 11:43
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
  - Resource: win7-20240221-en
General
- Target: 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
- Size: 633KB
- MD5: 6ad45efb4c6a213a85fe847dc228fcbe
- SHA1: a2b482b6a9a95efdf086fd6e7604c119a6ab8285
- SHA256: 1538c0ddb80e85c1d2fa97bedacddd09fe087c3e7e76fcd19051ed6e3e2028fd
- SHA512: ead0663183c0f63cd575bf413543a875be942e1f6316c4216dd91f33ec87dd0627e2a9c31c148dfe7b618f963c64e793ad01803ae7fe7fa82b84eaec656a3791
- SSDEEP: 12288:SEcVL8O4jrAioZX+t4O8vjNUu5JxjV653TxaOW4YizV58+u3GGUqXUQwQ3IQPH:KLlgAiobvZUqJxRmDxDbYEo3DXUxQYyH
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation (process: 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation (process: teles.sfx.exe)
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 3448: telescrap.exe
  - PID 2148: teles.sfx.exe
  - PID 1736: teles.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Service = "C:\\Program Files (x86)\\AGP Service\\agpsv.exe" (process: teles.exe)
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: teles.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes:
  - File created: C:\Program Files (x86)\AGP Service\agpsv.exe (process: teles.exe)
  - File opened for modification: C:\Program Files (x86)\AGP Service\agpsv.exe (process: teles.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  - PID 1736: teles.exe
  - PID 1736: teles.exe
  - PID 1736: teles.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 1736: teles.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, PID 1736: teles.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 3448: telescrap.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
  - PID 512 wrote to memory of 3448: 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe -> telescrap.exe
  - PID 512 wrote to memory of 3448: 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe -> telescrap.exe
  - PID 3448 wrote to memory of 4848: telescrap.exe -> cmd.exe
  - PID 3448 wrote to memory of 4848: telescrap.exe -> cmd.exe
  - PID 4848 wrote to memory of 380: cmd.exe -> reg.exe
  - PID 4848 wrote to memory of 380: cmd.exe -> reg.exe
  - PID 512 wrote to memory of 3408: 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe -> cmd.exe
  - PID 512 wrote to memory of 3408: 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe -> cmd.exe
  - PID 512 wrote to memory of 3408: 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe -> cmd.exe
  - PID 3408 wrote to memory of 2148: cmd.exe -> teles.sfx.exe
  - PID 3408 wrote to memory of 2148: cmd.exe -> teles.sfx.exe
  - PID 3408 wrote to memory of 2148: cmd.exe -> teles.sfx.exe
  - PID 2148 wrote to memory of 1736: teles.sfx.exe -> teles.exe
  - PID 2148 wrote to memory of 1736: teles.sfx.exe -> teles.exe
  - PID 2148 wrote to memory of 1736: teles.sfx.exe -> teles.exe
Processes (process tree; each entry gives the image path, the command line, and the signatures matched)
- C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6206.tmp\6207.tmp\6208.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
      Command line: teles.sfx.exe -p9898 -dC:\Users\Admin\AppData\Local\Temp
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\6206.tmp\6207.tmp\6208.bat
  Filesize: 130B
  MD5: 78cf128c2c0b024aa9075d038f32c0f9
  SHA1: ea941836117cb9f6d87a010806bbd5df58bd938a
  SHA256: bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e
  SHA512: d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat
  Filesize: 29B
  MD5: 7b3bcb606d504b0f4a6c1d94720aa979
  SHA1: 2e426175d2bc245d3946e2ba06092b8b969f13c1
  SHA256: 3a957ef77d0f1530721fb6bc305e39d1d1dee2db46008e710eeac2f9a2697929
  SHA512: 5d433ce3621b6039505186d47f29f8f27c5c53ee7eec9e5afaac6916b1d8d9a1af86d6cca3b2387cea012d211254516cabe9002e9ea17f1612890b2b5187af7e
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
  Filesize: 420KB
  MD5: cb80b60fe4975dbbbb97bfd2de56bb1e
  SHA1: b4c05c7999a3f3c12e6275b22a553401ac06caeb
  SHA256: 3bc56bcce1ba72e27832f83f4ce713577e8108db41ffc2e27a33d2e7fb9e41df
  SHA512: 80b811d5c05b07f3681883cd54a31dc18edf4abfc83a33c7fbf18a1cf3fc100e5d525b67f4c62de835de21791599c0e382b365a11badbfb383835cf814c07f24
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
  Filesize: 121KB
  MD5: b4f5373a0c13a6b4598c8ed404a6bdae
  SHA1: 4a5cd535c4057acd1b7ed901d59ec6b2e76db6c9
  SHA256: 5aefc2e98446c1204ae1d6dfa5136488e3a1ef96ec62f3df1d8d0db68e9ea061
  SHA512: 29564e027aed141647660082ee12b56ecb43c9e3ac3785c7ff6f86a1a9f22aab2bc88a863f008b76856d5d17c0ebe89d6d34d332de96d7fba7ab13cf17df6d2d
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
  Filesize: 203KB
  MD5: a2d1b1113d184205eed4835bf0cb06c6
  SHA1: 1b5775e187665f7c9131aee29c0daa4c3de43eb7
  SHA256: fa82a26a7fcd1cd76fb893725f93aeaf878f033cbeda11f9d887972a36741e01
  SHA512: 182ba9d014e8434e5ea4154fd85239b768b7d126c8af4ed15c395bf40194e1df2eddba9ca9e4d753efdf7907d19388a2e974a5149838bae8112276c6632703e4