Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 14:38

Static task: static1

Behavioral task: behavioral1
Sample: aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General

Target: aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
Size: 652KB
MD5: aee5704ab8e1ef4484caef048a2e286f
SHA1: e023f6678b315e5b48beeaa0f3239adc15aaf59f
SHA256: d07f8aa03c96baaacb17564a7bd9d8be6b7effb347a1a98e1ea201a528e4ff8f
SHA512: 184645be06e5945d09c1c0bb0756e4943757d44db203928e025c6f5147c516123d9fc2221f1cd53e684edf170a39f7c3bfc58ba20a7824a21a77d21d03be36ef
SSDEEP: 12288:2lAb5lthGT76dsIqVpYO+NyEcQQ+9OoZyXTGMFTBJPfiIR:2azrGT7muSiEc+9OoGG4pqI
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
  Process: aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  pid 1092  aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
  pid 4660  aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winstart = "\\defenderst\\winlogimde.exe"
  Process: aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winstart = "C:\\Users\\Admin\\AppData\\Roaming\\defenderst\\winlogimde.exe"
  Process: aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Suspicious use of SetThreadContext (2 IoCs)
  PID 1004 set thread context of 2012  pid 1004  aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe  procid_target 87
  PID 1092 set thread context of 4660  pid 1092  aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe  procid_target 97

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
  pid 1904  PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 4660  aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege            pid 1004  aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
  Token: SeDebugPrivilege            pid 2012  aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
  Token: SeDebugPrivilege            pid 1092  aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
  Token: SeDebugPrivilege            pid 4660  aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
  Token: 33                          pid 4660  aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
  Token: SeIncBasePriorityPrivilege  pid 4660  aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4660  aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, with the number of occurrences in parentheses)
  PID 1004 wrote to memory of 2012  pid 1004  aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe  procid_target 87  (8 entries)
  PID 2012 wrote to memory of 1092  pid 2012  aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe  procid_target 91  (3 entries)
  PID 2012 wrote to memory of 2304  pid 2012  aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe  procid_target 92  (3 entries)
  PID 2304 wrote to memory of 1904  pid 2304  cmd.exe  procid_target 94  (3 entries)
  PID 1092 wrote to memory of 4660  pid 1092  aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe  procid_target 97  (8 entries)
Processes

Process tree (indentation shows parent/child relationship):

C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe"
  PID: 1004
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe"
      PID: 2012
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe"
          PID: 1092
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe"
              PID: 4660
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe"
          PID: 2304
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\PING.EXE
              command line: ping 1.1.1.1 -n 1 -w 1000
              PID: 1904
              - Runs ping.exe

C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 2752
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe.log
  Filesize: 1KB
  MD5: ac2d896801634ffc30f4f3d578aabddd
  SHA1: 9725e8599855b423c8da0b26ad73f189bfad915e
  SHA256: 52b421597cdd56b743bcc4e8cbe7df9724014b2703532cb5c7c94e037da129dd
  SHA512: c5f60e9f7c1e6289234a8627f2037e87acf2260d340322451fc5b988c31832bf80e20da901cc2a9da6639206d9d003162a7901f96b816dc4125220873321ae42

C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
  Filesize: 652KB
  MD5: aee5704ab8e1ef4484caef048a2e286f
  SHA1: e023f6678b315e5b48beeaa0f3239adc15aaf59f
  SHA256: d07f8aa03c96baaacb17564a7bd9d8be6b7effb347a1a98e1ea201a528e4ff8f
  SHA512: 184645be06e5945d09c1c0bb0756e4943757d44db203928e025c6f5147c516123d9fc2221f1cd53e684edf170a39f7c3bfc58ba20a7824a21a77d21d03be36ef

(path not recorded in the report)
  Filesize: 56B
  MD5: c21ff3751aeec4506de0e2b2bec7cf66
  SHA1: f7ecfd2d361c287233d4480f4982d815cde28832
  SHA256: e7723b9bd121f5246641ae6736675c2f188e276c886e4cec6b405c92e10a5f36
  SHA512: 1615e7d1e0a965c9a988a064e56e848211592d5ba5eceed513f586f704b7909da4dc6cb54a045fb456983796060058af13cf2bf2b23ba6e04884a14cef877af6