Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29-05-2024 10:53
Static task
static1
Behavioral task
behavioral1
Sample
807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
-
Size
923KB
-
MD5
807fdc437e03d6c168792b8773e4f73c
-
SHA1
2b593b3505b09aa2a322a8aab3c20161b461dd23
-
SHA256
3401c787e69edb72ca1216677ec2e0adb3c51db92c03dc88fa4f11e046e727d0
-
SHA512
fd4ab96c99c80d8ba23a6dce61471aa2544c2778236bca5f2010d196509e53ca8288cc4f89d79d5b54d90e8da6ab801a0b62e50ca859ea826a4ef17aaeae04d8
-
SSDEEP
12288:SdjX6gJi4/KolPowKqRwzR+3uFnBHR1b536JEDwJ7BYfQphPqfEosRZihYFhyQB6:hQQQwdt1NfZTQ+iilL848
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes:
807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exe
pid | process
4880 | netsh.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe, server.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | server.exe
-
Executes dropped EXE 3 IoCs
Processes:
Refract's Crypter.exe, server.exe, Refract's Crypter.exe
pid | process
3304 | Refract's Crypter.exe
1736 | server.exe
3492 | Refract's Crypter.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe, server.exe
pid | process
3396 | 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
1736 | server.exe
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe, server.exe
description | pid | process
Token: SeDebugPrivilege | 3396 | 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
Token: SeDebugPrivilege | 1736 | server.exe
Token: 33 | 1736 | server.exe
Token: SeIncBasePriorityPrivilege | 1736 | server.exe
(the last pair of entries is repeated 17 times in the report, accounting for the remaining 34 of the 36 IoCs)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe, server.exe
description | pid | process | target process
PID 3396 wrote to memory of 3304 | 3396 | 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe | Refract's Crypter.exe
PID 3396 wrote to memory of 3304 | 3396 | 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe | Refract's Crypter.exe
PID 3396 wrote to memory of 3304 | 3396 | 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe | Refract's Crypter.exe
PID 3396 wrote to memory of 1736 | 3396 | 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe | server.exe
PID 3396 wrote to memory of 1736 | 3396 | 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe | server.exe
PID 3396 wrote to memory of 1736 | 3396 | 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe | server.exe
PID 1736 wrote to memory of 3492 | 1736 | server.exe | Refract's Crypter.exe
PID 1736 wrote to memory of 3492 | 1736 | server.exe | Refract's Crypter.exe
PID 1736 wrote to memory of 3492 | 1736 | server.exe | Refract's Crypter.exe
PID 1736 wrote to memory of 4880 | 1736 | server.exe | netsh.exe
PID 1736 wrote to memory of 4880 | 1736 | server.exe | netsh.exe
PID 1736 wrote to memory of 4880 | 1736 | server.exe | netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3396
  C:\Users\Admin\AppData\Roaming\Refract's Crypter.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Refract's Crypter.exe"
    - Executes dropped EXE
    PID: 3304
  C:\Users\Admin\AppData\Local\Temp\server.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1736
    C:\Users\Admin\AppData\Roaming\Refract's Crypter.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Refract's Crypter.exe"
      - Executes dropped EXE
      PID: 3492
    C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
      PID: 4880
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
Filesize
923KB
MD5
807fdc437e03d6c168792b8773e4f73c
SHA1
2b593b3505b09aa2a322a8aab3c20161b461dd23
SHA256
3401c787e69edb72ca1216677ec2e0adb3c51db92c03dc88fa4f11e046e727d0
SHA512
fd4ab96c99c80d8ba23a6dce61471aa2544c2778236bca5f2010d196509e53ca8288cc4f89d79d5b54d90e8da6ab801a0b62e50ca859ea826a4ef17aaeae04d8
-
Filesize
188KB
MD5
23c6fa4e6b94422381302678a73d5785
SHA1
7b256feacff6e7fcf84e6b6a17b41b708dd3dafe
SHA256
b0b8d725b442e2538fb40fd84cc3e57c27d6d1334160ac2821796d85ec3cb65b
SHA512
90661f2cf725f69b7ef06fb22175be80bd71a607e115181e3ba9042adbf4809fd6e424fcbc304c5af5b7cd5d18d06deec2dd98f0ee64c15be0894f936f1d5330
-
Filesize
1KB
MD5
8ad47ca87e369fe1cbfc72ebe3769cd6
SHA1
1f1dd4b1ea53685e8f7b7e6c29a16d49918be357
SHA256
46ff91e5cd6370fdc14b6ef95497f2b8016cc439b4fe9640b3249190cfa091d5
SHA512
a59eeb822a6b9d0a7d12455f01f486cd969710880c379c8d7ba42b371480b2c29fa26989d20c1998bf568224d8131cbb5b7de97c254ca96ac53b6c141d62a412