Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 10:19
Behavioral task: behavioral1
Sample: a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe
Size: 234KB
MD5: a929acb4997a9366c61cb3edcc0b2498
SHA1: 77bb8b60b1341f2c0d021b4baefb7e7f6694ccca
SHA256: 20751156d821460ab4c7db367bf964831c51daac7bf4a4eecfa4c0cf23816490
SHA512: 55e5ea17d289bfae1fbedbc7f5dba812c01f4802442a502c72af28dd5ebed9c7e5d2f2565e19f3e20159aa5a3a566e06ceba746e53d1192ccb0eaf1480e5f231
SSDEEP: 6144:CLV6Bta6dtJmakIM5SP2ZCt/YSyHLDe1YO9o+l:CLV6BtpmkvkfvMo
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation
  process: a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid: 2836
  process: Tempexplorer.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Manager = "C:\\Program Files (x86)\\SAAS Manager\\saasmgr.exe"
  process: Tempexplorer.exe
Checks whether UAC is enabled (1 IoCs)
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Tempexplorer.exe
Drops file in Program Files directory (2 IoCs)
Processes:
  description: File opened for modification
  ioc: C:\Program Files (x86)\SAAS Manager\saasmgr.exe
  process: Tempexplorer.exe

  description: File created
  ioc: C:\Program Files (x86)\SAAS Manager\saasmgr.exe
  process: Tempexplorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid: 3732  process: schtasks.exe
  pid: 2172  process: schtasks.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid: 2836  process: Tempexplorer.exe
  pid: 2836  process: Tempexplorer.exe
  pid: 2836  process: Tempexplorer.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid: 2836  process: Tempexplorer.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege  pid: 2836  process: Tempexplorer.exe
  description: Token: SeDebugPrivilege  pid: 2836  process: Tempexplorer.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description: PID 2848 wrote to memory of 2836  pid: 2848  process: a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe  target process: Tempexplorer.exe
  description: PID 2848 wrote to memory of 2836  pid: 2848  process: a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe  target process: Tempexplorer.exe
  description: PID 2848 wrote to memory of 2836  pid: 2848  process: a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe  target process: Tempexplorer.exe
  description: PID 2836 wrote to memory of 3732  pid: 2836  process: Tempexplorer.exe  target process: schtasks.exe
  description: PID 2836 wrote to memory of 3732  pid: 2836  process: Tempexplorer.exe  target process: schtasks.exe
  description: PID 2836 wrote to memory of 3732  pid: 2836  process: Tempexplorer.exe  target process: schtasks.exe
  description: PID 2836 wrote to memory of 2172  pid: 2836  process: Tempexplorer.exe  target process: schtasks.exe
  description: PID 2836 wrote to memory of 2172  pid: 2836  process: Tempexplorer.exe  target process: schtasks.exe
  description: PID 2836 wrote to memory of 2172  pid: 2836  process: Tempexplorer.exe  target process: schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe"
  PID: 2848
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Tempexplorer.exe
    Command line: "C:\Users\Admin\AppData\Local\Tempexplorer.exe"
    PID: 2836
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SAAS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp686E.tmp"
      PID: 3732
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SAAS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp68EC.tmp"
      PID: 2172
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp686E.tmp
  Filesize: 1KB
  MD5: c32c74e937be74259424933c09985921
  SHA1: b0a7f3b2609bd66e695181e492a904c994c40553
  SHA256: 1ae1a9bb3477f5dcb9c0be4a919e54eca05647e254725af8e9a552628b255cef
  SHA512: 96e17111f01c88c2b8edaa2ec08b4cd5dd40f4e0b78dcf316d7c3ca3b69267fd63a4f91ddf01baa50ddcee7b4fa393d91e4ba80087010caf7accf47dac29889e

C:\Users\Admin\AppData\Local\Temp\tmp68EC.tmp
  Filesize: 1KB
  MD5: b5ee6d4d0a6aab49e12d44d82afc5157
  SHA1: 9fbe67452ca81b59802441955020086c3d163b2c
  SHA256: f769b73883f96cefd35c438e8bdbe12c10a87ce11e09e4084474a85f6e4f8a10
  SHA512: c4071b68c40aedd04b48bcbf4c4256e8b746474c6d4cfe680a4c0bcd61c9c4daa45d5d1e2fc8df655feba77de485258d06a81ac1a9144ed37ab9c80fbce09754

C:\Users\Admin\AppData\Local\Tempexplorer.exe
  Filesize: 203KB
  MD5: 2a10ebef275e2d24c8f3e3d8dd01e929
  SHA1: 5d82da79265984af7399c6d19766b9d3afb4fe59
  SHA256: 226de25b7d0372d2f18c5f080d58a2766b50b70bb2f4f4505071acd45407abaa
  SHA512: 06fe337e2444b15a3ac0a16645a9b114033f4c6ebc0465c660a739615a7d1e134dfebfc630565a8d5df11aa3e7d38a186a1a36e7746322492f7f65031ae2b32c
Memory dumps
memory/2836-19-0x0000000070470000-0x0000000070A21000-memory.dmp  Filesize: 5.7MB
memory/2836-31-0x0000000070470000-0x0000000070A21000-memory.dmp  Filesize: 5.7MB
memory/2836-30-0x0000000070470000-0x0000000070A21000-memory.dmp  Filesize: 5.7MB
memory/2836-29-0x0000000070472000-0x0000000070473000-memory.dmp  Filesize: 4KB
memory/2836-28-0x0000000070470000-0x0000000070A21000-memory.dmp  Filesize: 5.7MB
memory/2836-27-0x0000000070470000-0x0000000070A21000-memory.dmp  Filesize: 5.7MB
memory/2836-17-0x0000000070472000-0x0000000070473000-memory.dmp  Filesize: 4KB
memory/2836-18-0x0000000070470000-0x0000000070A21000-memory.dmp  Filesize: 5.7MB
memory/2848-4-0x00000000054B0000-0x000000000554C000-memory.dmp  Filesize: 624KB
memory/2848-16-0x00000000751E0000-0x0000000075990000-memory.dmp  Filesize: 7.7MB
memory/2848-6-0x00000000751E0000-0x0000000075990000-memory.dmp  Filesize: 7.7MB
memory/2848-5-0x00000000053A0000-0x00000000053AA000-memory.dmp  Filesize: 40KB
memory/2848-0-0x00000000751EE000-0x00000000751EF000-memory.dmp  Filesize: 4KB
memory/2848-3-0x0000000005410000-0x00000000054A2000-memory.dmp  Filesize: 584KB
memory/2848-2-0x00000000059C0000-0x0000000005F64000-memory.dmp  Filesize: 5.6MB
memory/2848-1-0x0000000000AF0000-0x0000000000B32000-memory.dmp  Filesize: 264KB