Analysis
  max time kernel: 150s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12-06-2024 23:48

Static task: static1
Behavioral task: behavioral1
  Sample: a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe
  Resource: win7-20240508-en

General
  Target: a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe
  Size: 455KB
  MD5: a2ff9b452041a6ff6097db779da26d70
  SHA1: d9fb90605868c19cdc91c556fb9abfcd09fcdff5
  SHA256: c4d9db58c442972cbcb09632bd06b477c6a33f3827a00ac0ec2baeb6a0e6e9cc
  SHA512: 2c2012fb5821a26d3aa4f5bb645d087978b846ddecd87cc5c4ece039dbac011f44bcf263fbfc383f5546d906391c9c5d5af7e81d7aa92427832de107505c3867
  SSDEEP: 12288:bRVbfvJSlmOPufGjKH2KcDx/2aTxryFM0v+YXO:bfNonjKH2KcF/RM2
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
  Process: a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 4900 (installutil.exe) set thread context of PID 5084 (procid_target 87)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3200 schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4900 installutil.exe (2 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 5084 installutil.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 4900 installutil.exe
  Token: SeDebugPrivilege, PID 5084 installutil.exe
  Token: 33, PID 5084 installutil.exe
  Token: SeIncBasePriorityPrivilege, PID 5084 installutil.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 5084 installutil.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2216 (a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe) wrote to memory of PID 4900, procid_target 81 (3 events)
  PID 4900 (installutil.exe) wrote to memory of PID 3200, procid_target 85 (3 events)
  PID 4900 (installutil.exe) wrote to memory of PID 5084, procid_target 87 (8 events)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe"
  PID: 2216
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe"
    PID: 4900
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UwAqxT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDBE9.tmp"
      PID: 3200
      - Creates scheduled task(s)

    [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      PID: 5084
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

[depth 1] C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 2996
Network
MITRE ATT&CK Enterprise v15