Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-05-2024 09:37
Behavioral task: behavioral1
Sample: 80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe
Size: 23KB
MD5: 80496ed45fd4d93eb47080a991bd5f7b
SHA1: aa599254505a2815f01bd1ef934798507d0360d6
SHA256: 01b836a07d7ca886f4124815d2e26a7c6e4b710e2e2297a43d30a61521b36cea
SHA512: 77ee2a39a2c0b6d46e0a2ac43319d45383ac2494a83a226f434425118bb76d6c3331606f5183ec6144d180914800131368f5b26783e3dbeaf3fa66ec2bf1427b
SSDEEP: 384:m9LGxbWRa4Loa1MplQSmucW+EQ6Sg8KtTfyrqmRvR6JZlbw8hqIusZzZlrGz:3xbZailz7YRpcnusrG
Malware Config
Signatures
-
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
pid | process
4532 | netsh.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe
-
Drops startup file (2 IoCs)
Processes: knsas.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dcb969badc3b461494cd40fa378bcfe5.exe | knsas.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dcb969badc3b461494cd40fa378bcfe5.exe | knsas.exe
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
2016 | knsas.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: knsas.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dcb969badc3b461494cd40fa378bcfe5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\knsas.exe\" .." | knsas.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dcb969badc3b461494cd40fa378bcfe5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\knsas.exe\" .." | knsas.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: knsas.exe
description | pid | process
Token: SeDebugPrivilege | 2016 | knsas.exe
Token: 33 | 2016 | knsas.exe
Token: SeIncBasePriorityPrivilege | 2016 | knsas.exe
(the pair Token: 33 / Token: SeIncBasePriorityPrivilege is repeated 17 times in total for PID 2016, giving the 35 rows counted above)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe, knsas.exe
description | pid | process | target process
PID 732 wrote to memory of 2016 | 732 | 80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe | knsas.exe
PID 732 wrote to memory of 2016 | 732 | 80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe | knsas.exe
PID 732 wrote to memory of 2016 | 732 | 80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe | knsas.exe
PID 2016 wrote to memory of 4532 | 2016 | knsas.exe | netsh.exe
PID 2016 wrote to memory of 4532 | 2016 | knsas.exe | netsh.exe
PID 2016 wrote to memory of 4532 | 2016 | knsas.exe | netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118.exe"
PID: 732
- Checks computer location settings
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\knsas.exe (depth 2, child of PID 732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\knsas.exe"
  PID: 2016
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (depth 3, child of PID 2016)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\knsas.exe" "knsas.exe" ENABLE
    PID: 4532
    - Modifies Windows Firewall
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
PID: 4396
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
-
Filesize: 23KB
MD5: 80496ed45fd4d93eb47080a991bd5f7b
SHA1: aa599254505a2815f01bd1ef934798507d0360d6
SHA256: 01b836a07d7ca886f4124815d2e26a7c6e4b710e2e2297a43d30a61521b36cea
SHA512: 77ee2a39a2c0b6d46e0a2ac43319d45383ac2494a83a226f434425118bb76d6c3331606f5183ec6144d180914800131368f5b26783e3dbeaf3fa66ec2bf1427b