Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 05:24
Behavioral task: behavioral1
Sample: 83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe
Resource: win7-20240215-en

Behavioral task: behavioral2 (this report)
Sample: 83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General

Target: 83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe
Size: 29KB
MD5: 83272ae366111201b532f0c5f22a6fe7
SHA1: 7bf1f65586685bea1e0398c582968082728ade0e
SHA256: dacab3f01eaf2e8c59256124dc47ab03d472a46739918f707f752d9c8d473c1e
SHA512: 5de81da902a88ce424684dbe6564c280378165b0399f17c40cf939298c7708d840a0a06dbfb08ea19c94529fd326e1e542f50acb81aebb3643271d80c3de94bc
SSDEEP: 768:67JEWe4PVzdmBRbqELeuBKh0p29SgROu:67JbhmBRblrKhG29jOu
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- PID 2264 netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe: key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
Processes:
- Windows Defender.exe: file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07db318145681dc5e0cbb8c76a1a4fa9.exe
- Windows Defender.exe: file opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07db318145681dc5e0cbb8c76a1a4fa9.exe

Executes dropped EXE (1 IoC)
Processes:
- PID 3232 Windows Defender.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Windows Defender.exe: set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07db318145681dc5e0cbb8c76a1a4fa9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender.exe\" .."
- Windows Defender.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\07db318145681dc5e0cbb8c76a1a4fa9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender.exe\" .."
The same value name is written under both the user hive and the machine hive; the HKLM write lands under WOW6432Node because the dropped binary is 32-bit (note also that netsh is launched from SysWOW64), so a hunt for the HKLM Run entry must check both the native and the WOW6432Node view.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes:
- PID 3232 Windows Defender.exe (all 54 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- PID 3232 Windows Defender.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 1416 83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe wrote to memory of PID 3232 Windows Defender.exe (3 IoCs)
- PID 3232 Windows Defender.exe wrote to memory of PID 2264 netsh.exe (3 IoCs)
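The signatures above are the behaviours a host-based detection can key on: the Geo\Nation lookup, a security-product lookalike started from %TEMP%, an executable dropped into the Startup folder, a Run value pointing into a user-writable directory, and a firewall exception added through netsh. As an added example that is not part of this report or of the sandbox's own rule set, the Python below evaluates Sysmon-style event records against a rule for each. The field names (event, image, cmdline, target, key, value) and the sample events are assumptions constructed from the IoCs on this page, not a real log export. The sample used the legacy `netsh firewall` context; the netsh rule also covers the `netsh advfirewall firewall add rule` form that replaced it.

```python
# Added example (not part of the sandbox report): rule logic for the behaviours
# listed under Signatures, run over constructed Sysmon-style event records.
# Field names and the sample events below are assumptions built from the IoCs
# on this page.
import re
from typing import Dict, List

# User-writable locations an autostart entry should not normally point into.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# An .exe written directly into the per-user Startup folder.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# Matches the native HKLM/HKCU Run key and the WOW6432Node view alike.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Legacy "netsh firewall" context (used by the sample) and its advfirewall successor.
NETSH_ALLOW = re.compile(
    r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b",
    re.IGNORECASE)
# Product names malware borrows to blend in; the sample drops "Windows Defender.exe".
LOOKALIKE = re.compile(r"windows defender|msmpeng|securityhealth", re.IGNORECASE)
GEO_NATION = r"\control panel\international\geo\nation"


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names an event matches (empty list = nothing suspicious)."""
    hits: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        image, cmdline = ev.get("image", ""), ev.get("cmdline", "")
        if image.lower().endswith("\\netsh.exe") and NETSH_ALLOW.search(cmdline):
            hits.append("T1562.004 firewall exception added via netsh")
            if USER_WRITABLE.search(cmdline):
                hits.append("firewall exception targets a user-writable path")
        if USER_WRITABLE.search(image) and LOOKALIKE.search(image):
            hits.append("security-product lookalike run from user-writable path")
    elif kind == "file_create":
        if STARTUP_DIR.search(ev.get("target", "")):
            hits.append("T1547.001 executable dropped in Startup folder")
    elif kind == "registry_set":
        if RUN_KEY.search(ev.get("key", "")) and USER_WRITABLE.search(ev.get("value", "")):
            hits.append("T1547.001 Run key pointing at user-writable path")
    elif kind == "registry_query":
        if ev.get("key", "").lower().endswith(GEO_NATION):
            hits.append("T1614 system location discovery (Geo\\Nation)")
    return hits


def analyze(events: List[Dict[str, str]]) -> List[List[str]]:
    """Run every event through check_event, preserving input order."""
    return [check_event(ev) for ev in events]


# Constructed sample events, one per IoC on this page plus one benign line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "registry_query", "pid": "1416",
     "key": r"\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation"},
    {"event": "process_create", "pid": "3232", "parent": "1416",
     "image": r"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"'},
    {"event": "file_create", "pid": "3232",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07db318145681dc5e0cbb8c76a1a4fa9.exe"},
    {"event": "registry_set", "pid": "3232",
     "key": r"\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07db318145681dc5e0cbb8c76a1a4fa9",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" ..'},
    {"event": "process_create", "pid": "2264", "parent": "3232",
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE'},
    # Sandbox background noise from the process tree; must not fire.
    {"event": "process_create", "pid": "4744",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'},
]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, analyze(SAMPLE_EVENTS)):
        print(f"{ev['event']:15} pid {ev.get('pid', '?'):>5}  {hits or '-'}")
```

The netsh rule deliberately fires on the command line alone and adds a second, higher-confidence hit when the allowed program lives under AppData; on a real fleet, tune USER_WRITABLE to the directories your own software is allowed to autostart from, and treat the HKLM WOW6432Node write the same as the native path, which RUN_KEY already does by matching the key suffix.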
Processes

- C:\Users\Admin\AppData\Local\Temp\83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe (depth 1, PID 1416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe (depth 2, PID 3232)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, PID 2264)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
      - Modifies Windows Firewall

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 4744)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4180,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

- Submitted sample
  Filesize: 29KB
  MD5: 83272ae366111201b532f0c5f22a6fe7
  SHA1: 7bf1f65586685bea1e0398c582968082728ade0e
  SHA256: dacab3f01eaf2e8c59256124dc47ab03d472a46739918f707f752d9c8d473c1e
  SHA512: 5de81da902a88ce424684dbe6564c280378165b0399f17c40cf939298c7708d840a0a06dbfb08ea19c94529fd326e1e542f50acb81aebb3643271d80c3de94bc