Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 16:28

Static task: static1
Behavioral task: behavioral1
Sample: 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
Size: 435KB
MD5: 9ece6610ad20b25f1c5a5999955cb6bb
SHA1: 26e72d838429bf53cb2a243b530cbbdb9be8daeb
SHA256: 7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8
SHA512: c9428e7aba4c410b4068729b4a08bdb5462fbf465acab9a28abf5fbe0b8020a727a4d63646c060ee435270c42545166e1f443bcfb05339b619f2f99165572c52
SSDEEP: 12288:84aHAKjIQU74u7mpZIVA8FOsFbPP/czodI75Dj:wctbmnUFO2bPP/E4
Malware Config
Signatures
-
Checks computer location settings  2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  (9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe)

Drops startup file  1 IoCs
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SvchostReader.rbvqrmug.lnk  (9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe)

Executes dropped EXE  2 IoCs
  PID 1288  SvchostReader.exe
  PID 4276  SvchostReader.exe

Adds Run key to start application  2 TTPs 1 IoCs
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"  (SvchostReader.exe)

Checks whether UAC is enabled  1 IoCs
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (SvchostReader.exe)

Suspicious use of SetThreadContext  1 IoCs
  PID 1288 (SvchostReader.exe) set thread context of PID 4276 (SvchostReader.exe)

Drops file in Program Files directory  2 IoCs
  File created: C:\Program Files (x86)\SMTP Subsystem\smtpss.exe  (SvchostReader.exe)
  File opened for modification: C:\Program Files (x86)\SMTP Subsystem\smtpss.exe  (SvchostReader.exe)

Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses  7 IoCs
  PID 1288  SvchostReader.exe  (4 events)
  PID 4276  SvchostReader.exe  (3 events)

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
  PID 4276  SvchostReader.exe

Suspicious use of AdjustPrivilegeToken  3 IoCs
  Token: SeDebugPrivilege  PID 1800  9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 1288  SvchostReader.exe
  Token: SeDebugPrivilege  PID 4276  SvchostReader.exe

Suspicious use of FindShellTrayWindow  1 IoCs
  PID 1800  9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

Suspicious use of SendNotifyMessage  1 IoCs
  PID 1800  9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory  11 IoCs
  PID 1800 (9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe) wrote to memory of PID 1288 (SvchostReader.exe)  (3 events)
  PID 1288 (SvchostReader.exe) wrote to memory of PID 4276 (SvchostReader.exe)  (8 events)
Processes
Level 1  PID 1800
  C:\Users\Admin\AppData\Local\Temp\9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2  PID 1288  (child of PID 1800)
    C:\Users\Admin\AppData\Local\SvchostReader.exe
    Command line: "C:\Users\Admin\AppData\Local\SvchostReader.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3  PID 4276  (child of PID 1288)
      C:\Users\Admin\AppData\Local\SvchostReader.exe
      Command line: "C:\Users\Admin\AppData\Local\SvchostReader.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

Level 1  (separate process tree, no signatures)
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
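The signatures and the process tree above describe one chain: the sample copies itself to AppData\Local, drops a Startup .lnk, spawns the copy, and the copy spawns itself again, writes into that child and resets its thread context before the child sets a Run key and drops smtpss.exe under Program Files. The following is an added example of how an analyst could encode those observations as triage rules; it is not part of this report and not tria.ge code. EVENTS is a constructed transcription of the report's IoC lines into flat records, and the field names ("op", "pid", "target", ...) and the rules themselves are assumptions of this example, not the sandbox's export format.

```python
"""Rule-based triage of the behavioural events in this report.

Added example, not part of the sandbox report and not tria.ge's own code.
EVENTS is a constructed transcription of the report's IoC lines into flat
records; the field names ("op", "pid", "target", ...) and the rule logic
are assumptions of this example, not the sandbox's export format.
"""
from collections import defaultdict

SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe"
SAMPLE_SHA256 = "7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8"
DROPPED_IMAGE = r"C:\Users\Admin\AppData\Local\SvchostReader.exe"
RUN_TARGET = r"C:\Program Files (x86)\SMTP Subsystem\smtpss.exe"

# Constructed from the report: PID 1800 is the sample, 1288 and 4276 are the
# dropped SvchostReader.exe (level 2 and level 3 of the process tree).
EVENTS = [
    {"op": "reg_query", "pid": 1800,
     "key": r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation"},
    {"op": "file_create", "pid": 1800, "path": DROPPED_IMAGE, "sha256": SAMPLE_SHA256},
    {"op": "file_create", "pid": 1800,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SvchostReader.rbvqrmug.lnk"},
    {"op": "proc_create", "pid": 1800, "child": 1288, "image": DROPPED_IMAGE},
    {"op": "write_memory", "pid": 1800, "target": 1288},
    {"op": "proc_create", "pid": 1288, "child": 4276, "image": DROPPED_IMAGE},
    {"op": "write_memory", "pid": 1288, "target": 4276},
    {"op": "set_thread_context", "pid": 1288, "target": 4276},
    {"op": "reg_query", "pid": 4276,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"op": "file_create", "pid": 4276, "path": RUN_TARGET},
    {"op": "reg_set", "pid": 4276,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem",
     "value": RUN_TARGET},
]


def triage(events, root_pid, root_image=SAMPLE_IMAGE, sample_sha256=SAMPLE_SHA256):
    """Return a list of (rule, detail) findings for a flat list of event records."""
    images = {root_pid: root_image}   # pid -> image path of every process in the tree
    writes = defaultdict(set)         # writer pid -> pids it wrote into
    contexts = defaultdict(set)       # caller pid -> pids whose thread context it set
    created = set()                   # lower-cased paths created anywhere in the tree

    # First pass: build the relationships the per-event rules need.
    for e in events:
        if e["op"] == "proc_create":
            images[e["child"]] = e["image"]
        elif e["op"] == "write_memory":
            writes[e["pid"]].add(e["target"])
        elif e["op"] == "set_thread_context":
            contexts[e["pid"]].add(e["target"])
        elif e["op"] == "file_create":
            created.add(e["path"].lower())

    findings = []
    for e in events:
        op = e["op"]
        path = e.get("path", "").lower()
        key = e.get("key", "").lower()
        if op == "file_create" and e.get("sha256") == sample_sha256:
            findings.append(("self_copy", e["path"]))            # dropped file == sample
        elif op == "file_create" and "\\start menu\\programs\\startup\\" in path:
            findings.append(("persistence_startup_folder", e["path"]))
        elif op == "file_create" and path.startswith("c:\\program files"):
            findings.append(("drop_program_files", e["path"]))
        elif op == "reg_set" and "\\currentversion\\run\\" in key:
            detail = f'{e["key"]} = {e["value"]}'
            if e["value"].lower() in created:                     # Run key -> dropped file
                detail += "  [points at a file this tree dropped]"
            findings.append(("persistence_run_key", detail))
        elif op == "reg_query" and key.endswith("\\geo\\nation"):
            findings.append(("geofence_check", f'PID {e["pid"]}'))
        elif op == "reg_query" and key.endswith("\\enablelua"):
            findings.append(("uac_check", f'PID {e["pid"]}'))
        elif op == "proc_create":
            # Hollowing pattern: a parent spawns its own image, writes into the
            # child and then resets a thread context in it (PID 1288 -> 4276 here).
            parent_image = images.get(e["pid"], "").lower()
            child = e["child"]
            if (parent_image == e["image"].lower()
                    and child in writes[e["pid"]] and child in contexts[e["pid"]]):
                findings.append(("process_hollowing", f'PID {e["pid"]} -> PID {child}'))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS, root_pid=1800):
        print(f"{rule:28} {detail}")
```

The hollowing rule deliberately needs all three facts (same image, a memory write and a SetThreadContext into the child): the sample's own WriteProcessMemory into PID 1288 has no matching SetThreadContext and is therefore not flagged, which mirrors where the report places that signature.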
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\SvchostReader.exe
  Filesize: 435KB
  MD5: 9ece6610ad20b25f1c5a5999955cb6bb
  SHA1: 26e72d838429bf53cb2a243b530cbbdb9be8daeb
  SHA256: 7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8
  SHA512: c9428e7aba4c410b4068729b4a08bdb5462fbf465acab9a28abf5fbe0b8020a727a4d63646c060ee435270c42545166e1f443bcfb05339b619f2f99165572c52
  Size and all four hashes match the submitted sample (see General): the dropped SvchostReader.exe is a byte-identical copy of 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe.

Memory dumps
  memory/1800-0-0x0000000075122000-0x0000000075123000-memory.dmp   4KB
  memory/1800-1-0x0000000075120000-0x00000000756D1000-memory.dmp   5.7MB
  memory/1800-2-0x0000000075120000-0x00000000756D1000-memory.dmp   5.7MB
  memory/1800-3-0x0000000075120000-0x00000000756D1000-memory.dmp   5.7MB
  memory/1800-4-0x0000000075122000-0x0000000075123000-memory.dmp   4KB
  memory/1800-5-0x0000000075120000-0x00000000756D1000-memory.dmp   5.7MB
  memory/1800-22-0x0000000075120000-0x00000000756D1000-memory.dmp  5.7MB
  memory/1288-17-0x0000000075120000-0x00000000756D1000-memory.dmp  5.7MB
  memory/1288-18-0x0000000075120000-0x00000000756D1000-memory.dmp  5.7MB
  memory/1288-19-0x0000000075120000-0x00000000756D1000-memory.dmp  5.7MB
  memory/1288-23-0x0000000075120000-0x00000000756D1000-memory.dmp  5.7MB
  memory/1288-24-0x0000000075120000-0x00000000756D1000-memory.dmp  5.7MB
  memory/1288-29-0x0000000075120000-0x00000000756D1000-memory.dmp  5.7MB
  memory/4276-26-0x0000000075120000-0x00000000756D1000-memory.dmp  5.7MB
  memory/4276-27-0x0000000075120000-0x00000000756D1000-memory.dmp  5.7MB
  memory/4276-32-0x0000000075120000-0x00000000756D1000-memory.dmp  5.7MB
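The sixteen dump names above encode the PID, a sequence number and the dumped address range. The following added example (not part of this report, not tria.ge code) parses those names and groups them by region, which shows that they cover only two distinct ranges and that the 0x75120000-0x756D1000 range was dumped from all three PIDs. DUMPS is copied from the list above; the name layout "memory/<pid>-<index>-<start>-<end>-memory.dmp" is read off those names and is an assumption of this example.

```python
"""Group this report's memory dumps by PID and address range.

Added example, not tria.ge code.  DUMPS is the list of dump names from the
Downloads section above; the "memory/<pid>-<index>-<start>-<end>-memory.dmp"
layout is inferred from those names and is an assumption of this example.
"""
import re
from collections import defaultdict

DUMPS = [
    "memory/1800-0-0x0000000075122000-0x0000000075123000-memory.dmp",
    "memory/1800-1-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/1800-2-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/1800-3-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/1800-4-0x0000000075122000-0x0000000075123000-memory.dmp",
    "memory/1800-5-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/1800-22-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/1288-17-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/1288-18-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/1288-19-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/1288-23-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/1288-24-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/1288-29-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/4276-26-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/4276-27-0x0000000075120000-0x00000000756D1000-memory.dmp",
    "memory/4276-32-0x0000000075120000-0x00000000756D1000-memory.dmp",
]

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split one dump name into pid, sequence index and integer start/end addresses."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, index, start, end = m.groups()
    return {"pid": int(pid), "index": int(index), "start": int(start, 16), "end": int(end, 16)}


def region_size(region):
    """Byte length of a (start, end) region; end is exclusive."""
    start, end = region
    return end - start


def human(nbytes):
    """Format a byte count the way the report does (4KB, 5.7MB)."""
    if nbytes >= 1024 * 1024:
        return f"{nbytes / (1024 * 1024):.1f}MB"
    return f"{nbytes // 1024}KB"


def group_regions(names):
    """Map each distinct (start, end) region to the sorted PIDs it was dumped from."""
    regions = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        regions[(d["start"], d["end"])].add(d["pid"])
    return {region: sorted(pids) for region, pids in regions.items()}


def summarize(names):
    """One line per distinct region: range, size and the PIDs that share it."""
    lines = []
    for (start, end), pids in sorted(group_regions(names).items()):
        lines.append(f"0x{start:016X}-0x{end:016X}  {human(end - start):>6}  PIDs {pids}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(DUMPS)))
```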