Analysis
max time kernel: 47s
max time network: 56s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 00:06
Static task: static1
Behavioral task: behavioral1
  Sample: 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
Size: 310KB
MD5: 0b6d1a782246c0afb602c1a6548892ab
SHA1: 26a13cec3e01beefab1ac83e0fffbbfaccc60616
SHA256: 0d13b46286128dd6e2dd217bb33c1cc6e48b444d9501e0843443d151bc339c32
SHA512: ab9145e10232857577b279ed925034ba417df595267bf4d49a253e63d3f8df2dfdae3a899bc05d887d7c818bd7419d182576d676631d3ed5fba390a05ccfc814
SSDEEP: 6144:Vw8bgKZh/N1tysPVpfJxYWqMK2A9F3tGR7PapETwwUPd004ppQke:Vw80KZh/N1tygRxYIKP3tG7PHT2K0fv
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | cmd.exe

Executes dropped EXE (1 IoC)
pid | Process
2660 | vab0726ze.exe

Loads dropped DLL (2 IoCs)
pid | Process
2660 | vab0726ze.exe
2660 | vab0726ze.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BTStacAvs = "C:\\Users\\Admin\\BTStacAvs.exe" | vab0726ze.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HkAvgLrj = "C:\\Users\\Admin\\HkAvgLrj.exe" | vab0726ze.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BTStacFrr = "C:\\Users\\Admin\\BTStacFrr.exe" | vab0726ze.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BTStacPgn = "C:\\Users\\Admin\\BTStacPgn.exe" | vab0726ze.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsgrUpd = "C:\\Users\\Admin\\MsgrUpd.exe" | vab0726ze.exe

Document created with cracked Office version (1 IoC)
Office document contains Grizli777 string known to be caused by using a cracked version of the software.
resource | yara_rule
behavioral2/files/0x00070000000233bf-19.dat | grizli777_cracked_office

Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\WINDOWS\SysWOW64\config\__tmp_rar_sfx_access_check_240612593 | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
File created | C:\WINDOWS\SysWOW64\config\vab0726ze.exe | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
File created | C:\WINDOWS\SysWOW64\config\vab0726ze.pps | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
File created | C:\WINDOWS\SysWOW64\config\vazb0620px.bat | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
File opened for modification | C:\WINDOWS\SysWOW64\config\vazb0620px.bat | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
File created | C:\WINDOWS\SysWOW64\config\LdrAdc.dll | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
File opened for modification | C:\WINDOWS\SysWOW64\config\LdrAdc.dll | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
File opened for modification | C:\WINDOWS\SysWOW64\config\vab0726ze.exe | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
File opened for modification | C:\WINDOWS\SysWOW64\config\vab0726ze.pps | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | cmd.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
720 | POWERPNT.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
720 | POWERPNT.EXE
720 | POWERPNT.EXE

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 968 wrote to memory of 1436 | 968 | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | 81
PID 968 wrote to memory of 1436 | 968 | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | 81
PID 968 wrote to memory of 1436 | 968 | 0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe | 81
PID 1436 wrote to memory of 2660 | 1436 | cmd.exe | 83
PID 1436 wrote to memory of 2660 | 1436 | cmd.exe | 83
PID 1436 wrote to memory of 2660 | 1436 | cmd.exe | 83
PID 1436 wrote to memory of 720 | 1436 | cmd.exe | 84
PID 1436 wrote to memory of 720 | 1436 | cmd.exe | 84
PID 1436 wrote to memory of 720 | 1436 | cmd.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b6d1a782246c0afb602c1a6548892ab_JaffaCakes118.exe"
  PID: 968
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\config\vazb0620px.bat" "
    PID: 1436
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\config\vab0726ze.exe
      Command line: vab0726ze.exe
      PID: 2660
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application

    C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Windows\System32\config\vab0726ze.pps" /ou ""
      PID: 720
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 243B
MD5: c6a0739c021bb5858ec6c6de1bf4defc
SHA1: 4333ec7cdc0477bc6c0d4d70c6655d933eccec3f
SHA256: 9a03e38cd7c3930c4f0251e281310c359c0c328ef895c37d8ff935616f5ba94a
SHA512: 50c21fe8b8197ce38d3f429757153b3d260a8473640330ff7a7b938f9fd180b7c659a3d77af31a99138b258171f66bda8a6350dfc6983f29cb7e70e09105f2c1

Filesize: 88KB
MD5: c7cdd580237ffac1704ffc1c93a9a328
SHA1: a69ad77cf351be1cb53e6a3ca990a37b03297a1d
SHA256: d3e7ce933dc7ece16066033b740eb0ef7c9a0d45d496babd42e8b8b163f87bc4
SHA512: 4ee4ec1828ebf99134c6f4a539b9a448566a333c1ef8baf45095f43ba90551105e2fd0ebc529094034644816baf0c4892dddd634ca40397367d1bde64f2d0fc3

Filesize: 375KB
MD5: 249c96ac98d01d6d33fe63045c244a6d
SHA1: caf03883a3dd584116bf4b5797c6a96bbdb06587
SHA256: 5f0c62ab8647416443254a9f29dddbee33934a7082ef189d988ad78dcd1c3c68
SHA512: 212fb0f9294483c62a0334d1ce142f82629d2a3ed315fe6e31c913777b5f1a176ed93d3419a8446a7ffbd2b3198d222cdb0e98330274a05408c82a6db25eccbf

Filesize: 97KB
MD5: b8e80e2b539ff450e7f5ba4998bbcfa5
SHA1: ba42ff9c3353b0e84ca0dd2c5c34f6969712f358
SHA256: 526f8ac5139e0ce09a6b098944bb81c15fda3d816c134eabb02f92e3c9d318f0
SHA512: f0064716ee1fe78055d895323e71b6ed2bf3e94b177512340513ec003aefa6cb3ea4edec245f36eb575e2f6d8873671ea364b4454aad01a675ff8e1e4823f4c7