Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 06:07
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe
  - Resource: win7-20240221-en
General
- Target: b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe
- Size: 719KB
- MD5: b20de7039fc71d94e134125c77cd005f
- SHA1: ef222f1e7e31db8ba0abf10ecf20279529dbf2d3
- SHA256: 2ffdff45aa288f6e09815e6072a24920ef00761c92680a8acb0e43d88fb39354
- SHA512: 5ee300f3a47dafb661e7819944557f10831c917e4e28d08dbbb940d48034a501cbe0e5bd6321bd90fb286351d767ad718c87058ba3d3cecb389592d01a7569f0
- SSDEEP: 12288:QaNuyLoOZWoOMOheqAfUVkkPQUQQq1AkEV6omI8Q:7OXlJeqAfUVD4UHqF
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe: key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    installutil.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe"
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 4180 installutil.exe set thread context of PID 1456 installutil.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    installutil.exe: file created C:\Program Files (x86)\DHCP Service\dhcpsv.exe
    installutil.exe: file opened for modification C:\Program Files (x86)\DHCP Service\dhcpsv.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    PID 2408 schtasks.exe
    PID 2008 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    PID 4180 installutil.exe
    PID 4180 installutil.exe
    PID 1456 installutil.exe
    PID 1456 installutil.exe
    PID 1456 installutil.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 1456 installutil.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 4180 installutil.exe
    Token: SeDebugPrivilege, PID 1456 installutil.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    PID 4328 b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe wrote to memory of PID 4180 installutil.exe
    PID 4328 b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe wrote to memory of PID 4180 installutil.exe
    PID 4328 b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe wrote to memory of PID 4180 installutil.exe
    PID 4180 installutil.exe wrote to memory of PID 1456 installutil.exe
    PID 4180 installutil.exe wrote to memory of PID 1456 installutil.exe
    PID 4180 installutil.exe wrote to memory of PID 1456 installutil.exe
    PID 4180 installutil.exe wrote to memory of PID 1456 installutil.exe
    PID 4180 installutil.exe wrote to memory of PID 1456 installutil.exe
    PID 4180 installutil.exe wrote to memory of PID 1456 installutil.exe
    PID 4180 installutil.exe wrote to memory of PID 1456 installutil.exe
    PID 4180 installutil.exe wrote to memory of PID 1456 installutil.exe
    PID 1456 installutil.exe wrote to memory of PID 2008 schtasks.exe
    PID 1456 installutil.exe wrote to memory of PID 2008 schtasks.exe
    PID 1456 installutil.exe wrote to memory of PID 2008 schtasks.exe
    PID 1456 installutil.exe wrote to memory of PID 2408 schtasks.exe
    PID 1456 installutil.exe wrote to memory of PID 2408 schtasks.exe
    PID 1456 installutil.exe wrote to memory of PID 2408 schtasks.exe
Processes
- Level 1, PID 4328: C:\Users\Admin\AppData\Local\Temp\b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Level 2, PID 4180: C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3, PID 1456: C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Level 4, PID 2008: C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC1C9.tmp"
        - Creates scheduled task(s)
      - Level 4, PID 2408: C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC238.tmp"
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\installutil.exe.log
  Filesize: 810B
  MD5: 7a4a84f4d2df1fe011638038702dad89
  SHA1: 64e9856d95b2064ff51e1c77819c818e6e5b3291
  SHA256: cfd5734d90e6889355768ae5a723076000d88af2e5b6b435d55fa5bfa3e29590
  SHA512: cbe9f7724806d161e70a161525c89199e10e6f38ad425533defaa1e02a12bf2cf28cba6788ed68e446cbd4286541e341b55c40133c134f9fcf94cae79b34092d
- C:\Users\Admin\AppData\Local\Temp\tmpC1C9.tmp
  Filesize: 1KB
  MD5: 776580d2028b74ed89bb21146482bdff
  SHA1: d1a45290dedde63d8539a2fc8af866b430238bc7
  SHA256: fbad359469fc6aefb5695d01974f4edf50528f51f80d57b9eb0d8f2f81033cc0
  SHA512: de084f473db26ce159b639b02e7ffa263ae5b6c4c1da9f6932676dae4a6c65f082b1bcac673c45c2e2b84caa06d1860ea6f0545b81fd7b3e4f8fe5e802a160d3
- C:\Users\Admin\AppData\Local\Temp\tmpC238.tmp
  Filesize: 1KB
  MD5: a77c223a0fc492dccd6fb9975f7a8766
  SHA1: 5e813636ae9b8138d78919348a5da3a6e8bd74b5
  SHA256: 589df7325d42409c50827600fedb240171ee4bdab85916474a37800c2382829e
  SHA512: 315cea8fde3c594404f5d3c96c710af1214cff6d08ccdb40634a739e108ff810e02624735a2b8c3e3720157b4a55327f317c3c23c3a681b46b9ab0f19060f7c0
- memory/1456-21-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)
- memory/1456-13-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)
- memory/4180-7-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)
- memory/4180-8-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)
- memory/4180-9-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)
- memory/4180-6-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)
- memory/4180-12-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)
- memory/4180-5-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)
- memory/4328-0-0x0000000075412000-0x0000000075413000-memory.dmp (Filesize: 4KB)
- memory/4328-4-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)
- memory/4328-2-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)
- memory/4328-1-0x0000000075410000-0x00000000759C1000-memory.dmp (Filesize: 5.7MB)