Analysis
-
max time kernel
148s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
22-06-2024 21:51
Static task
static1
Behavioral task
behavioral1
Sample
03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe
-
Size
427KB
-
MD5
03fd88d8f05195bc19df0535edfef93d
-
SHA1
e5ec45312f8845bc07d5cb6c7ded13a790ea0ca9
-
SHA256
e755de6be09f7b991a263275d3afe6c6211ffc0c246670e71f03813165a42f4e
-
SHA512
92569e7aae2304fcfab30427bb5636ef7eb01d5fc76834116e507633949d9dc59b33910e17fd5199124522d7eb74505db4411d64f0b70b8ee298945f6312157f
-
SSDEEP
3072:yHIVFBdEn/l+HL+pZFHoFN6WtljaJuloHs+L:pVB2+HL+pZFHoFN6WtljaJul+p
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 4240 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation 03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
Processes:
[Mr.Abu Hani].exepid process 100 [Mr.Abu Hani].exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes:
dw20.exe[Mr.Abu Hani].exedescription pid process Token: SeRestorePrivilege 1548 dw20.exe Token: SeBackupPrivilege 1548 dw20.exe Token: SeBackupPrivilege 1548 dw20.exe Token: SeBackupPrivilege 1548 dw20.exe Token: SeDebugPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe Token: 33 100 [Mr.Abu Hani].exe Token: SeIncBasePriorityPrivilege 100 [Mr.Abu Hani].exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe[Mr.Abu Hani].exedescription pid process target process PID 3492 wrote to memory of 100 3492 03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe [Mr.Abu Hani].exe PID 3492 wrote to memory of 100 3492 03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe [Mr.Abu Hani].exe PID 3492 wrote to memory of 100 3492 03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe [Mr.Abu Hani].exe PID 3492 wrote to memory of 1548 3492 03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe dw20.exe PID 3492 wrote to memory of 1548 3492 03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe dw20.exe PID 3492 wrote to memory of 1548 3492 03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe dw20.exe PID 100 wrote to memory of 4240 100 [Mr.Abu Hani].exe netsh.exe PID 100 wrote to memory of 4240 100 [Mr.Abu Hani].exe netsh.exe PID 100 wrote to memory of 4240 100 [Mr.Abu Hani].exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\03fd88d8f05195bc19df0535edfef93d_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe"C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe" "[Mr.Abu Hani].exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4240 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 11282⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1548
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD522198418d1cf6454b4ff71f6416e190f
SHA1dc4a2db5e45b41af9b3243088bc931e628693a1c
SHA256a17fd37a3ad304069ec67e614adc27fb49fba50158b1c3cff24614642d6f6926
SHA5120bbfc4bbd1d88b17b2045e41a4afbeb09541375d238bd283d2b071881c382e2c8fcc3de219fbff77374e714bd98280628d5360dbc904c8fbd613d2d3cab74cf3