Analysis
max time kernel: 149s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 14:23
Static task: static1
Behavioral task: behavioral1
  Sample: 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Size: 685KB
MD5: 06ca6d90c80d76ef20aab6bc99167779
SHA1: a55aa39be0ade1b0d8fd3f9954e7cb5ef7545cf0
SHA256: 5f6dfef989b9ac4da5ccb5fcb8bc07ee3d6b86188e6d20d5d349d42191e15ab0
SHA512: 00b6d256687ca02ef0d97317cd3f4712c87a9e777ffcaea9d06ece629513988dbed7a6a69d0500885300790a5824abe3e80c9f858a4b2271810fd1cfe79e2051
SSDEEP: 12288:qW5n9Ol1DiaEtPBw4UsKK7A+y5gmyF2xP2W21WYdpPz8ZtZVyLmg/TsNQ1oP:qonU+ax4e2myF2x+W21rdpP4ZtZELT8f
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | Process
2652 | SVCHOST.EXE
2856 | Pinnacle.exe
resource | yara_rule
behavioral2/files/0x0007000000023406-41.dat | upx
behavioral2/memory/2856-50-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
behavioral2/memory/2856-56-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
behavioral2/memory/2856-69-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "c:\\windows\\SVCHOST.EXE" | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2856-56-0x0000000000400000-0x00000000004A4000-memory.dmp | autoit_exe
behavioral2/memory/2856-69-0x0000000000400000-0x00000000004A4000-memory.dmp | autoit_exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | \??\c:\windows\SVCHOST.EXE | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
File created | \??\c:\windows\Pinnacle.exe | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
File opened for modification | \??\c:\windows\svchost.inf | SVCHOST.EXE
File created | \??\c:\windows\svchost.inf | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2856 | Pinnacle.exe
2652 | SVCHOST.EXE
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
2856 | Pinnacle.exe (this same pid/process pair is listed 64 times)
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
2856 | Pinnacle.exe (this same pid/process pair is listed 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2652 | SVCHOST.EXE
2652 | SVCHOST.EXE
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1112 wrote to memory of 2652 | 1112 | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | 82
PID 1112 wrote to memory of 2652 | 1112 | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | 82
PID 1112 wrote to memory of 2652 | 1112 | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | 82
PID 1112 wrote to memory of 2856 | 1112 | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | 83
PID 1112 wrote to memory of 2856 | 1112 | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | 83
PID 1112 wrote to memory of 2856 | 1112 | 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | 83
Processes
C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe" (PID 1112)
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\windows\SVCHOST.EXE "C:\windows\SVCHOST.EXE" (PID 2652, child of PID 1112)
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
  C:\windows\Pinnacle.exe "C:\windows\Pinnacle.exe" (PID 2856, child of PID 1112)
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads