Analysis
- Max time kernel: 150s
- Max time network: 153s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240508-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 16-06-2024 10:38
Static task: static1
Behavioral task: behavioral1
- Sample: b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe
- Resource: win7-20240508-en
Note: the signature and memory results on this page are labelled behavioral2 and match the Windows 10 platform fields above; the behavioral1 (win7-20240508-en) task listed here appears to be a separate run whose results are not reproduced on this page.
General
- Target: b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe
- Size: 257KB
- MD5: b313bbe17bd5ee9c00acff3bfccdb48a
- SHA1: 2efd3fc16f44525e4a1bb5f7c2e01e2a87b2cf04
- SHA256: 71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338
- SHA512: 2244a9b0a24d763c6bfff4c38957ba9d9bbeca43c7659f7e3589c9f11080fe0905883a77fe666892813167251e94ee2604b77c6cc48632f71ed4a9eb45094e10
- SSDEEP: 6144:yz+92mhAMJ/cPl3iej1LV3j+uHe9PoV9o2xjKHUkcVW:yK2mhAMJ/cPlfTX+Ao8/kco
Malware Config
Signatures
-
Detects PlugX payload 20 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/4756-20-0x0000000002190000-0x00000000021C9000-memory.dmp family_plugx
- behavioral2/memory/396-39-0x00000000006D0000-0x0000000000709000-memory.dmp family_plugx
- behavioral2/memory/4156-43-0x0000000000E30000-0x0000000000E69000-memory.dmp family_plugx
- behavioral2/memory/2372-46-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
- behavioral2/memory/4156-47-0x0000000000E30000-0x0000000000E69000-memory.dmp family_plugx
- behavioral2/memory/2372-48-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
- behavioral2/memory/4756-61-0x0000000002190000-0x00000000021C9000-memory.dmp family_plugx
- behavioral2/memory/2372-64-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
- behavioral2/memory/2372-65-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
- behavioral2/memory/2372-63-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
- behavioral2/memory/2372-62-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
- behavioral2/memory/2372-60-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
- behavioral2/memory/2372-59-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
- behavioral2/memory/396-68-0x00000000006D0000-0x0000000000709000-memory.dmp family_plugx
- behavioral2/memory/1352-69-0x0000000002540000-0x0000000002579000-memory.dmp family_plugx
- behavioral2/memory/1352-72-0x0000000002540000-0x0000000002579000-memory.dmp family_plugx
- behavioral2/memory/1352-71-0x0000000002540000-0x0000000002579000-memory.dmp family_plugx
- behavioral2/memory/2372-73-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
- behavioral2/memory/2372-74-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
- behavioral2/memory/2372-75-0x0000000001190000-0x00000000011C9000-memory.dmp family_plugx
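As an added example (not part of the sandbox report), the script below parses the 20 dump identifiers listed above, groups them by PID and checks that every hit covers a region of the same size. The identifier layout `<task>/memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp` is read off the entries themselves; the input list is copied from this signature and nothing beyond those identifiers is assumed.

```python
import re
from collections import defaultdict

# The 20 memory-dump identifiers the report's family_plugx rule matched,
# copied from the "Detects PlugX payload" signature (constructed input for
# this example; nothing beyond the report's own identifiers is assumed).
PLUGX_HITS = """
behavioral2/memory/4756-20-0x0000000002190000-0x00000000021C9000-memory.dmp
behavioral2/memory/396-39-0x00000000006D0000-0x0000000000709000-memory.dmp
behavioral2/memory/4156-43-0x0000000000E30000-0x0000000000E69000-memory.dmp
behavioral2/memory/2372-46-0x0000000001190000-0x00000000011C9000-memory.dmp
behavioral2/memory/4156-47-0x0000000000E30000-0x0000000000E69000-memory.dmp
behavioral2/memory/2372-48-0x0000000001190000-0x00000000011C9000-memory.dmp
behavioral2/memory/4756-61-0x0000000002190000-0x00000000021C9000-memory.dmp
behavioral2/memory/2372-64-0x0000000001190000-0x00000000011C9000-memory.dmp
behavioral2/memory/2372-65-0x0000000001190000-0x00000000011C9000-memory.dmp
behavioral2/memory/2372-63-0x0000000001190000-0x00000000011C9000-memory.dmp
behavioral2/memory/2372-62-0x0000000001190000-0x00000000011C9000-memory.dmp
behavioral2/memory/2372-60-0x0000000001190000-0x00000000011C9000-memory.dmp
behavioral2/memory/2372-59-0x0000000001190000-0x00000000011C9000-memory.dmp
behavioral2/memory/396-68-0x00000000006D0000-0x0000000000709000-memory.dmp
behavioral2/memory/1352-69-0x0000000002540000-0x0000000002579000-memory.dmp
behavioral2/memory/1352-72-0x0000000002540000-0x0000000002579000-memory.dmp
behavioral2/memory/1352-71-0x0000000002540000-0x0000000002579000-memory.dmp
behavioral2/memory/2372-73-0x0000000001190000-0x00000000011C9000-memory.dmp
behavioral2/memory/2372-74-0x0000000001190000-0x00000000011C9000-memory.dmp
behavioral2/memory/2372-75-0x0000000001190000-0x00000000011C9000-memory.dmp
""".split()

# <task>/memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?:(?P<task>\w+)/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name: str) -> dict:
    """Split one dump identifier into pid, snapshot sequence and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory-dump identifier: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names) -> dict:
    """Map pid -> set of distinct (start, size) regions that matched the rule."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        out[d["pid"]].add((d["start"], d["size"]))
    return dict(out)


def common_region_size(names):
    """Return the single region size shared by every hit, or None if they differ."""
    sizes = {parse_dump(n)["size"] for n in names}
    return sizes.pop() if len(sizes) == 1 else None


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(PLUGX_HITS).items()):
        for start, size in sorted(regions):
            print(f"pid {pid:>5}: 0x{start:08X} +0x{size:X} ({size // 1024} KB)")
    print("common payload size:", hex(common_region_size(PLUGX_HITS) or 0))
```

Every hit is a 0x39000-byte (228 KB) region and each process has exactly one: the three Nv.exe instances, the injected svchost.exe and the injected msiexec.exe all hold the same unpacked PlugX module, carried from process to process. Running the same parser over the memory list under Downloads also isolates the 52 KB regions at 0x400000 in the three Nv.exe PIDs, which is the size and default 32-bit image base one would expect for the 46 KB Nv.exe on disk (an inference from the figures, not something the report states).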
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
Deletes itself 1 IoCs
Processes:
- PID 4756 Nv.exe
Executes dropped EXE 3 IoCs
Processes:
- PID 4756 Nv.exe
- PID 396 Nv.exe
- PID 4156 Nv.exe
Loads dropped DLL 3 IoCs
Processes:
- PID 4756 Nv.exe
- PID 396 Nv.exe
- PID 4156 Nv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 17 IoCs
Processes (all by svchost.exe, PID 2372):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft
These are the ZoneMap and User Agent keys that WinINet creates the first time a process uses it; their appearance under the injected svchost.exe shows the injected code initialising WinINet (consistent with HTTP-based C2) rather than a deliberate configuration change, so they are weak indicators on their own.
Modifies registry class 2 IoCs
Processes (svchost.exe, PID 2372):
- Key created \REGISTRY\MACHINE\Software\CLASSES\FAST
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 41004500410044004300450038003300360046004200330042003000410046000000
The data is a NUL-terminated UTF-16LE string, "AEADCE836FB3B0AF": a 16-character hex identifier stored under a key with no legitimate owner, which makes HKLM\SOFTWARE\Classes\FAST\CLSID a precise host-based indicator to hunt for on other machines.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (event counts):
- PID 4756 Nv.exe: 2
- PID 2372 svchost.exe: 12
- PID 1352 msiexec.exe: 50
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
- PID 2372 svchost.exe
- PID 1352 msiexec.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes (token privileges enabled):
- PID 4756 Nv.exe: SeDebugPrivilege, SeTcbPrivilege
- PID 396 Nv.exe: SeDebugPrivilege, SeTcbPrivilege
- PID 4156 Nv.exe: SeDebugPrivilege, SeTcbPrivilege
- PID 2372 svchost.exe: SeDebugPrivilege, SeTcbPrivilege
- PID 1352 msiexec.exe: SeDebugPrivilege, SeTcbPrivilege
Suspicious use of WriteProcessMemory 19 IoCs
Processes (source -> target, event counts):
- PID 4888 b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe wrote to memory of PID 4756 Nv.exe: 3
- PID 4156 Nv.exe wrote to memory of PID 2372 svchost.exe: 8
- PID 2372 svchost.exe wrote to memory of PID 1352 msiexec.exe: 8
Processes
PIDs are taken from the signature tables above: 4888 wrote into 4756 (the RarSFX0 copy of Nv.exe, which is also the one that deletes itself), 4156 wrote into 2372 (svchost.exe) and 2372 wrote into 1352 (msiexec.exe), which leaves 396 as the "100 4756" instance. The two C:\ProgramData\SxS\Nv.exe copies are shown at top level because the report records no parent for them. svchost.exe and msiexec.exe are the SysWOW64 copies even though the command lines name system32: a 32-bit parent's CreateProcess on a system32 path is redirected by WoW64, so both hosts are 32-bit processes.
-
C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe (PID 4888, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe (PID 4756, depth 2, child of 4888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\SxS\Nv.exe (PID 396, depth 1, no parent recorded)
Command line: "C:\ProgramData\SxS\Nv.exe" 100 4756
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\SxS\Nv.exe (PID 4156, depth 1, no parent recorded)
Command line: "C:\ProgramData\SxS\Nv.exe" 200 0
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\svchost.exe (PID 2372, depth 2, child of 4156)
  Command line: C:\Windows\system32\svchost.exe 201 0
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\msiexec.exe (PID 1352, depth 3, child of 2372)
    Command line: C:\Windows\system32\msiexec.exe 209 2372
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
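The process tree above and the FAST\CLSID write under "Modifies registry class" together give the host-side pattern an analyst would hunt for. The Python below is an added example, not part of the report or of any detection product: it replays the tree as a handful of constructed process and registry events and evaluates four checks over them (an executable in C:\ProgramData launched with integer-only arguments, svchost.exe or msiexec.exe with an unexpected parent, the same hosts carrying integer-only arguments, and the FAST\CLSID value decoded from its UTF-16LE hex). The event layout, the `parent` field and the expected-parent baseline are assumptions; PIDs, paths, command lines and the registry data come from the report.

```python
import re

# Constructed sample events modelled on this report's process tree and its
# "Modifies registry class" signature. PIDs, image paths, command lines and
# the registry data are copied from the report; the flat dict layout, the
# "parent" image field and parent=None for the two top-level Nv.exe
# instances (the report records no parent for them) are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe"
EVENTS = [
    {"kind": "process", "pid": 4888, "parent": None, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"kind": "process", "pid": 4756, "parent": SAMPLE,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"'},
    {"kind": "process", "pid": 396, "parent": None,
     "image": r"C:\ProgramData\SxS\Nv.exe",
     "cmdline": r'"C:\ProgramData\SxS\Nv.exe" 100 4756'},
    {"kind": "process", "pid": 4156, "parent": None,
     "image": r"C:\ProgramData\SxS\Nv.exe",
     "cmdline": r'"C:\ProgramData\SxS\Nv.exe" 200 0'},
    {"kind": "process", "pid": 2372, "parent": r"C:\ProgramData\SxS\Nv.exe",
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe 201 0"},
    {"kind": "process", "pid": 1352, "parent": r"C:\Windows\SysWOW64\svchost.exe",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe 209 2372"},
    {"kind": "registry", "pid": 2372,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID",
     "data": "41004500410044004300450038003300360046004200330042003000410046000000"},
]

# System binaries this report shows being used as injection hosts, with the
# parent each would normally have. The baseline is an assumption an analyst
# tunes per environment; the report does not state it.
HOSTED_EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "msiexec.exe": {"msiexec.exe", "services.exe"},
}

# First token is the image (quoted or bare); the remainder must be integers
# only, the "<mode> <pid>" argument convention visible in the report.
NUMERIC_TAIL_RE = re.compile(r'^(?:"[^"]*"|\S+)\s+(\d+(?:\s+\d+)*)\s*$')


def basename(path):
    return path.rsplit("\\", 1)[-1].lower() if path else None


def numeric_args(cmdline):
    """Return the integer arguments if the command line is '<image> N [N ...]', else None."""
    m = NUMERIC_TAIL_RE.match(cmdline)
    return [int(tok) for tok in m.group(1).split()] if m else None


def decode_utf16le_hex(data_hex):
    """Decode a REG_BINARY hex dump that actually holds a NUL-terminated UTF-16LE string."""
    raw = bytes.fromhex(data_hex)
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16LE")
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def findings(events):
    """Evaluate the four checks over the events; returns (pid, rule) pairs."""
    out = []
    for ev in events:
        if ev["kind"] == "process":
            img = basename(ev["image"])
            args = numeric_args(ev["cmdline"])
            # 1. Executable launched from C:\ProgramData with integer-only args.
            if ev["image"].lower().startswith("c:\\programdata\\") and args is not None:
                out.append((ev["pid"], "programdata-exe-numeric-args"))
            if img in HOSTED_EXPECTED_PARENT:
                # 2. svchost/msiexec whose parent is not the expected one.
                if basename(ev["parent"]) not in HOSTED_EXPECTED_PARENT[img]:
                    out.append((ev["pid"], "hosted-process-unexpected-parent"))
                # 3. svchost/msiexec carrying only integer arguments.
                if args is not None:
                    out.append((ev["pid"], "hosted-process-numeric-args"))
        elif ev["kind"] == "registry":
            # 4. The FAST\CLSID value: decode the UTF-16LE hex identifier.
            if ev["key"].lower().endswith("\\classes\\fast\\clsid"):
                out.append((ev["pid"], "fast-clsid:" + decode_utf16le_hex(ev["data"])))
    return out


if __name__ == "__main__":
    for pid, rule in findings(EVENTS):
        print(pid, rule)
```

The two Temp-stage processes (4888 and 4756) match none of the checks, which is the point to note when tuning: the RarSFX extraction and the first Nv.exe run look like any self-extracting archive, and it is the ProgramData copy, the numeric argument convention and the system hosts with the wrong parent that separate this chain from benign activity. On a real host the same checks would read Sysmon event ID 1 (Image, ParentImage, CommandLine) and event ID 13 (registry value set) instead of the constructed list.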
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
- Filesize: 46KB
- MD5: 09b8b54f78a10c435cd319070aa13c28
- SHA1: 6474d0369f97e72e01e4971128d1062f5c2b3656
- SHA256: 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
- SHA512: c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
- Filesize: 7KB
- MD5: 0aa39c6eafc45d18d4a15f1ed6dff6a8
- SHA1: daa921673a22a6b3c03e311e51d7e74ac1710fc2
- SHA256: 5e2ca5276edc4f5df39b40733acfd1298192432a66fa477ac32056a473a4636a
- SHA512: 0c107b57fd7678c169f62a085a90f5ad6eed56b431c5a67fd2c195b1960a2a38f19e9d1e2bff8b3a0cc39c7ae32608459b82f91e99a6852d059ad6567c22ec6e
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL
- Filesize: 131KB
- MD5: bbb5f685f91b0d0d8e272d1c23911e19
- SHA1: aa2154c4549e37397588f3a38b1d0f906bc87e9a
- SHA256: 29641dccedf3a220524ce2fff5d1fa48576aa92de9dfc4ec3da39ca5bf5d8bdd
- SHA512: 86f8dd3b9a904ae5a687be5370ced5bcb677608747c4f5576435a3d421a9e49d3101056bf09fb76711800cc6f1f0dbe78da7cdcb0c0329b7866c432a2317d69c
The three files are the usual PlugX side-loading set: the "Loads dropped DLL" signature shows each Nv.exe instance loading the only dropped DLL, NvSmartMax.dll, and the 131KB .URL file is the right size to be the encrypted payload that the 7KB loader DLL unpacks into the 228KB in-memory module seen above (the role of the .URL file is the standard PlugX layout and is not something this report verifies on its own).
Memory dumps (grouped by PID, then snapshot sequence):
-
PID 396 (Nv.exe)
- memory/396-39-0x00000000006D0000-0x0000000000709000-memory.dmp: 228KB
- memory/396-40-0x0000000000400000-0x000000000040D000-memory.dmp: 52KB
- memory/396-68-0x00000000006D0000-0x0000000000709000-memory.dmp: 228KB
-
PID 1352 (msiexec.exe)
- memory/1352-69-0x0000000002540000-0x0000000002579000-memory.dmp: 228KB
- memory/1352-70-0x0000000000B90000-0x0000000000B91000-memory.dmp: 4KB
- memory/1352-71-0x0000000002540000-0x0000000002579000-memory.dmp: 228KB
- memory/1352-72-0x0000000002540000-0x0000000002579000-memory.dmp: 228KB
-
PID 2372 (svchost.exe)
- memory/2372-45-0x0000000000970000-0x0000000000971000-memory.dmp: 4KB
- memory/2372-46-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
- memory/2372-48-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
- memory/2372-58-0x0000000000970000-0x0000000000971000-memory.dmp: 4KB
- memory/2372-59-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
- memory/2372-60-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
- memory/2372-62-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
- memory/2372-63-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
- memory/2372-64-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
- memory/2372-65-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
- memory/2372-73-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
- memory/2372-74-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
- memory/2372-75-0x0000000001190000-0x00000000011C9000-memory.dmp: 228KB
-
PID 4156 (Nv.exe)
- memory/4156-43-0x0000000000E30000-0x0000000000E69000-memory.dmp: 228KB
- memory/4156-44-0x0000000000400000-0x000000000040D000-memory.dmp: 52KB
- memory/4156-47-0x0000000000E30000-0x0000000000E69000-memory.dmp: 228KB
-
PID 4756 (Nv.exe)
- memory/4756-19-0x0000000000401000-0x0000000000402000-memory.dmp: 4KB
- memory/4756-20-0x0000000002190000-0x00000000021C9000-memory.dmp: 228KB
- memory/4756-21-0x0000000000400000-0x000000000040D000-memory.dmp: 52KB
- memory/4756-61-0x0000000002190000-0x00000000021C9000-memory.dmp: 228KB