Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 08:34
Static task: static1
Behavioral task: behavioral1
- Sample: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
- Size: 45KB
- MD5: 9123f76f8eea0532caaf7f688a648ad8
- SHA1: f7baa0fde28b0e144539ceb0ffcace0563720971
- SHA256: 3bad41bc9d62f8f77adb5907196afbcd6255d3fd731cdbf35817ce3243cf5b8f
- SHA512: 32844f6038ee5ff5088f0f184deb318bbc8fac41e92540b0756653942ca322f8b81395d745da958164c74fe32dd8db226a2e0274147a268e2f781f78ee120c12
- SSDEEP: 768:ccBR6PwZ7UFRZa9R0wHuOviewu6gOTXx7xTDkh6W0rt5fLB8J6aL0vBYHiNG0TB:oEwu6gOzxNS6W0rtdB8JruBYHiG0F
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
  process: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  Processes: HWuDiHL.exe
  pid: 968
  process: HWuDiHL.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti-Malware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\HWuDiHL.exe"
  process: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
  description: Token: SeDebugPrivilege
  pid: 2004
  process: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe, csc.exe
  description | pid | process | target process
  PID 2004 wrote to memory of 2656 | 2004 | 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe | csc.exe
  PID 2004 wrote to memory of 2656 | 2004 | 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe | csc.exe
  PID 2656 wrote to memory of 3456 | 2656 | csc.exe | cvtres.exe
  PID 2656 wrote to memory of 3456 | 2656 | csc.exe | cvtres.exe
  PID 2004 wrote to memory of 968 | 2004 | 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe | HWuDiHL.exe
  PID 2004 wrote to memory of 968 | 2004 | 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe | HWuDiHL.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe"
   PID: 2004
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hxv1rcmc\hxv1rcmc.cmdline"
      PID: 2656
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES512D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3DEE06BD79414CE2A5D1F77CE68150DA.TMP"
         PID: 3456
   2. C:\Users\Admin\AppData\Local\Temp\HWuDiHL.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\HWuDiHL.exe"
      PID: 968
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads