Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 15:42
Static task: static1
Behavioral task: behavioral1
  Sample: 924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
Size: 679KB
MD5: 924e5824014d9c8fc0eeb8ff7bad9d7d
SHA1: 1e902c04f0cdbc9a96049a5713050474baf907d0
SHA256: 1e064eb8c153c57a0b0d5c0d4a5e95195955c764044f46412ebb8c00040e1928
SHA512: 099dc55d4d67fe3e4e4071a51371c4ef1e14c2347fedfa8643f8bd39a79740b610fbbb775cfad2a82168eff12f02d507c3fe5f81d88a3ad98418069673e8771a
SSDEEP: 12288:XQXYPcOvIuaxg1ms5S1hq3JonqMxFGlWARHT2Pn:X53vTPckMh5UlWcCPn
Malware Config
Signatures
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | scvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | scvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | scvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | scvhost.exe
Drops startup file (7 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.lnk | scvhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe | cmd.exe
Executes dropped EXE (8 IoCs)
Processes:
pid | process
4404 | scvhost.exe
4576 | scvhost.exe
4988 | scvhost.exe
2164 | scvhost.exe
3944 | scvhost.exe
4284 | scvhost.exe
3696 | scvhost.exe
1768 | scvhost.exe
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral2/memory/332-6-0x0000000007FF0000-0x0000000008028000-memory.dmp | agile_net
behavioral2/memory/4404-16-0x00000000073F0000-0x0000000007428000-memory.dmp | agile_net
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 4404 set thread context of 4576 | 4404 | scvhost.exe | scvhost.exe
PID 2164 set thread context of 3944 | 2164 | scvhost.exe | scvhost.exe
PID 3696 set thread context of 1768 | 3696 | scvhost.exe | scvhost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTPs, 2 IoCs)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 332 | 924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
Token: SeDebugPrivilege | 4404 | scvhost.exe
Token: SeDebugPrivilege | 4576 | scvhost.exe
Token: SeDebugPrivilege | 4988 | scvhost.exe
Token: SeDebugPrivilege | 2164 | scvhost.exe
Token: SeDebugPrivilege | 3944 | scvhost.exe
Token: SeDebugPrivilege | 4284 | scvhost.exe
Token: SeDebugPrivilege | 3696 | scvhost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
Identical rows are collapsed; the occurrences column gives how many times each write was recorded (64 in total).
description | pid | process | target process | occurrences
PID 332 wrote to memory of 4020 | 332 | 924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe | cmd.exe | 3
PID 332 wrote to memory of 4072 | 332 | 924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe | explorer.exe | 3
PID 2688 wrote to memory of 4404 | 2688 | explorer.exe | scvhost.exe | 3
PID 4404 wrote to memory of 4576 | 4404 | scvhost.exe | scvhost.exe | 8
PID 4576 wrote to memory of 4988 | 4576 | scvhost.exe | scvhost.exe | 3
PID 4576 wrote to memory of 4480 | 4576 | scvhost.exe | cmd.exe | 3
PID 4480 wrote to memory of 4812 | 4480 | cmd.exe | PING.EXE | 3
PID 4988 wrote to memory of 2220 | 4988 | scvhost.exe | cmd.exe | 3
PID 4988 wrote to memory of 1100 | 4988 | scvhost.exe | explorer.exe | 3
PID 2296 wrote to memory of 2164 | 2296 | explorer.exe | scvhost.exe | 3
PID 2164 wrote to memory of 3944 | 2164 | scvhost.exe | scvhost.exe | 8
PID 3944 wrote to memory of 4284 | 3944 | scvhost.exe | scvhost.exe | 3
PID 3944 wrote to memory of 3348 | 3944 | scvhost.exe | cmd.exe | 3
PID 3348 wrote to memory of 2940 | 3348 | cmd.exe | PING.EXE | 3
PID 4284 wrote to memory of 2816 | 4284 | scvhost.exe | cmd.exe | 3
PID 4284 wrote to memory of 1684 | 4284 | scvhost.exe | explorer.exe | 3
PID 2960 wrote to memory of 3696 | 2960 | explorer.exe | scvhost.exe | 3
PID 3696 wrote to memory of 1768 | 3696 | scvhost.exe | scvhost.exe | 3
Processes
Indentation and the bracketed number give each process's depth in the process tree; the line below each entry is its command line.
[1] C:\Users\Admin\AppData\Local\Temp\924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe (PID 332)
    Command line: "C:\Users\Admin\AppData\Local\Temp\924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4020)
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
      - Drops startup file
  [2] C:\Windows\SysWOW64\explorer.exe (PID 4072)
      Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
[1] C:\Windows\explorer.exe (PID 2688)
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe (PID 4404)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe (PID 4576)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe (PID 4988)
          Command line: "C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2220)
            Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
            - Drops startup file
        [5] C:\Windows\SysWOW64\explorer.exe (PID 1100)
            Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4480)
          Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\PING.EXE (PID 4812)
            Command line: ping 1.1.1.1 -n 1 -w 1000
            - Runs ping.exe
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3776)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3848 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
[1] C:\Windows\explorer.exe (PID 2296)
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe (PID 2164)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe (PID 3944)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe (PID 4284)
          Command line: "C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2816)
            Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
            - Drops startup file
        [5] C:\Windows\SysWOW64\explorer.exe (PID 1684)
            Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3348)
          Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\PING.EXE (PID 2940)
            Command line: ping 1.1.1.1 -n 1 -w 1000
            - Runs ping.exe
[1] C:\Windows\explorer.exe (PID 2960)
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe (PID 3696)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe (PID 1768)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
        - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\scvhost.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
  Filesize: 679KB
  MD5: 924e5824014d9c8fc0eeb8ff7bad9d7d
  SHA1: 1e902c04f0cdbc9a96049a5713050474baf907d0
  SHA256: 1e064eb8c153c57a0b0d5c0d4a5e95195955c764044f46412ebb8c00040e1928
  SHA512: 099dc55d4d67fe3e4e4071a51371c4ef1e14c2347fedfa8643f8bd39a79740b610fbbb775cfad2a82168eff12f02d507c3fe5f81d88a3ad98418069673e8771a
- memory/332-13-0x0000000074F00000-0x00000000756B0000-memory.dmp (Filesize: 7.7MB)
- memory/332-2-0x0000000007B60000-0x0000000007C08000-memory.dmp (Filesize: 672KB)
- memory/332-4-0x0000000074F00000-0x00000000756B0000-memory.dmp (Filesize: 7.7MB)
- memory/332-5-0x0000000007F50000-0x0000000007FE2000-memory.dmp (Filesize: 584KB)
- memory/332-6-0x0000000007FF0000-0x0000000008028000-memory.dmp (Filesize: 224KB)
- memory/332-7-0x00000000057C0000-0x00000000057C6000-memory.dmp (Filesize: 24KB)
- memory/332-8-0x00000000081A0000-0x00000000081AA000-memory.dmp (Filesize: 40KB)
- memory/332-9-0x0000000074F0E000-0x0000000074F0F000-memory.dmp (Filesize: 4KB)
- memory/332-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp (Filesize: 4KB)
- memory/332-3-0x0000000008400000-0x00000000089A4000-memory.dmp (Filesize: 5.6MB)
- memory/332-1-0x0000000000CE0000-0x0000000000D90000-memory.dmp (Filesize: 704KB)
- memory/3944-46-0x0000000006DB0000-0x0000000006DC8000-memory.dmp (Filesize: 96KB)
- memory/4404-18-0x0000000006760000-0x00000000067FC000-memory.dmp (Filesize: 624KB)
- memory/4404-16-0x00000000073F0000-0x0000000007428000-memory.dmp (Filesize: 224KB)
- memory/4576-23-0x0000000000600000-0x0000000000656000-memory.dmp (Filesize: 344KB)
- memory/4576-24-0x0000000000870000-0x0000000000880000-memory.dmp (Filesize: 64KB)
- memory/4576-25-0x0000000004C80000-0x0000000004D2E000-memory.dmp (Filesize: 696KB)
- memory/4576-26-0x0000000000B00000-0x0000000000B28000-memory.dmp (Filesize: 160KB)
- memory/4576-27-0x00000000066D0000-0x0000000006736000-memory.dmp (Filesize: 408KB)
- memory/4576-28-0x0000000006E40000-0x0000000006E58000-memory.dmp (Filesize: 96KB)