Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 01:29
Behavioral task: behavioral1
  Sample: 85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe
- Size: 37KB
- MD5: 85972855ff977c521b1a717a32593fdd
- SHA1: b0144dfb8130083922e35b70152edd83739359a9
- SHA256: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e
- SHA512: 1c81a09c3e562bbe462690d899499d187e3b52fd5d5ec759482d7dda5136c4af54f5c806d246db8a331effb633f96754987a8af03238b7cda5019c5fd17c849f
- SSDEEP: 384:k4qBkiyjnDNGRn5IyUvapIrPbh+/VsIFzbrAF+rMRTyN/0L+EcoinblneHQM3epa:v35M5jUvairANsItrM+rMRa8NuaPt
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
    pid 3308  netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  (85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe)
- Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47f152bbb0d9981b492589085b7b7e18.exe  (svhost.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47f152bbb0d9981b492589085b7b7e18.exe  (svhost.exe)
- Executes dropped EXE (1 IoC)
  Processes:
    pid 3112  svhost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\47f152bbb0d9981b492589085b7b7e18 = "\"C:\\Users\\Admin\\svhost.exe\" .."  (svhost.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\47f152bbb0d9981b492589085b7b7e18 = "\"C:\\Users\\Admin\\svhost.exe\" .."  (svhost.exe)
- Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes:
    File created: F:\autorun.inf  (svhost.exe)
    File opened for modification: F:\autorun.inf  (svhost.exe)
    File created: C:\autorun.inf  (svhost.exe)
    File opened for modification: C:\autorun.inf  (svhost.exe)
    File created: D:\autorun.inf  (svhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  Processes:
    pid 2876  taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 3112  svhost.exe  (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 3112  svhost.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 3112  svhost.exe
    Token: SeDebugPrivilege  pid 2876  taskkill.exe
    Token: 33  pid 3112  svhost.exe  and  Token: SeIncBasePriorityPrivilege  pid 3112  svhost.exe  (alternating pair repeated 17 times, 34 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 2672 wrote to memory of 3112  85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe -> svhost.exe  (3 entries)
    PID 3112 wrote to memory of 3308  svhost.exe -> netsh.exe  (3 entries)
    PID 3112 wrote to memory of 2876  svhost.exe -> taskkill.exe  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe  (PID 2672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\svhost.exe  (PID 3112)
    Command line: "C:\Users\Admin\svhost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe  (PID 3308)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\svhost.exe" "svhost.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\taskkill.exe  (PID 2876)
      Command line: taskkill /F /IM Exsample.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\svhost.exe
  Filesize: 37KB
  MD5: 85972855ff977c521b1a717a32593fdd
  SHA1: b0144dfb8130083922e35b70152edd83739359a9
  SHA256: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e
  SHA512: 1c81a09c3e562bbe462690d899499d187e3b52fd5d5ec759482d7dda5136c4af54f5c806d246db8a331effb633f96754987a8af03238b7cda5019c5fd17c849f
- memory/2672-0-0x0000000075542000-0x0000000075543000-memory.dmp
  Filesize: 4KB
- memory/2672-1-0x0000000075540000-0x0000000075AF1000-memory.dmp
  Filesize: 5.7MB
- memory/2672-2-0x0000000075540000-0x0000000075AF1000-memory.dmp
  Filesize: 5.7MB
- memory/2672-21-0x0000000075540000-0x0000000075AF1000-memory.dmp
  Filesize: 5.7MB
- memory/3112-22-0x0000000075540000-0x0000000075AF1000-memory.dmp
  Filesize: 5.7MB
- memory/3112-23-0x0000000075540000-0x0000000075AF1000-memory.dmp
  Filesize: 5.7MB
- memory/3112-33-0x0000000075540000-0x0000000075AF1000-memory.dmp
  Filesize: 5.7MB