Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 06:28

Static task: static1
Behavioral task: behavioral1
  Sample: a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe
Size: 531KB
MD5: a433e7322813adce718a67829a6ccfb8
SHA1: 0ca10ca7af1780983cc7146008093e5e0fb7f74e
SHA256: 44210da3f454a4a2e11d6e384aa0d7588288d05f2ddbfe1bce4861a2ecffdc4d
SHA512: 4f48458c1ed5483c628b471d7c6e81b0cf738660543e09589f3e1f35bb1b8d8a51c36610a2ce86da92cdf7acd8efbedd388f3d7598568240e88d512d54e3e7e7
SSDEEP: 12288:aNXU42a5EIoiY8AuqdOeASJdxuz/w2tJeZw6q7+6a6:QTYuk0SJdew2Xcwgs
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation  (process: a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe)
Executes dropped EXE (2 IoCs)
  PID 2032  a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
  PID 4384  a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fintessa = "C:\\Users\\Admin\\AppData\\Roaming\\Fitneesa\\version.exe"  (process: a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fintessa = "\\Fitneesa\\version.exe"  (process: a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe)
Suspicious use of SetThreadContext (2 IoCs)
  PID 3740 set thread context of 5028  (process: a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe, procid_target: 87)
  PID 2032 set thread context of 4384  (process: a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe, procid_target: 98)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
  PID 1564  PING.EXE
Suspicious behavior: EnumeratesProcesses (48 IoCs)
  PID 5028  a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe  (25 occurrences)
  PID 4384  a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe  (23 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4384  a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege            PID 3740  a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe
  Token: SeDebugPrivilege            PID 5028  a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe
  Token: SeDebugPrivilege            PID 2032  a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
  Token: SeDebugPrivilege            PID 4384  a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
  Token: 33                          PID 4384  a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
  Token: SeIncBasePriorityPrivilege  PID 4384  a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4384  a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
Suspicious use of WriteProcessMemory (25 IoCs)
  PID 3740 wrote to memory of 5028  (process: a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe, procid_target: 87, 8 occurrences)
  PID 5028 wrote to memory of 2032  (process: a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe, procid_target: 89, 3 occurrences)
  PID 5028 wrote to memory of 4724  (process: a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe, procid_target: 90, 3 occurrences)
  PID 4724 wrote to memory of 1564  (process: cmd.exe, procid_target: 92, 3 occurrences)
  PID 2032 wrote to memory of 4384  (process: a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe, procid_target: 98, 8 occurrences)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3740

  Depth 2: C:\Users\Admin\AppData\Local\Temp\a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 5028

    Depth 3: C:\Users\Admin\AppData\Local\Temp\a433e7322813adce718a67829a6ccfb8_jaffacakes118\a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a433e7322813adce718a67829a6ccfb8_jaffacakes118\a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2032

      Depth 4: C:\Users\Admin\AppData\Local\Temp\a433e7322813adce718a67829a6ccfb8_jaffacakes118\a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\a433e7322813adce718a67829a6ccfb8_jaffacakes118\a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 4384

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4724

      Depth 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 1000
        - Runs ping.exe
        PID: 1564

Depth 1: C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 920
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a433e7322813adce718a67829a6ccfb8_JaffaCakes118.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\Users\Admin\AppData\Local\Temp\a433e7322813adce718a67829a6ccfb8_jaffacakes118\a433e7322813adce718a67829a6ccfb8_jaffacakes118.exe
  Filesize: 531KB
  MD5: a433e7322813adce718a67829a6ccfb8
  SHA1: 0ca10ca7af1780983cc7146008093e5e0fb7f74e
  SHA256: 44210da3f454a4a2e11d6e384aa0d7588288d05f2ddbfe1bce4861a2ecffdc4d
  SHA512: 4f48458c1ed5483c628b471d7c6e81b0cf738660543e09589f3e1f35bb1b8d8a51c36610a2ce86da92cdf7acd8efbedd388f3d7598568240e88d512d54e3e7e7

-
  Filesize: 51B
  MD5: 7b4b167732f601b74017d848c034befe
  SHA1: 831bb99c19f01b9ebef5ff260732f768249c2222
  SHA256: 81b97e422192b7576bbebd081843c930da26763acedae2d730d99ae3488cdf8f
  SHA512: 1e193021adc7a72798196f092096797343492e2409c79ad7dcbf7ea9b06f774959c16f23e9974c779ebe13dec11443ad63d788a63996c42f44fbdde0383588ce