Analysis

max time kernel: 101s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 22:31

Behavioral task: behavioral1
Sample: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Resource: win7-20240508-en
General

Target: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Size: 389KB
MD5: 13b5fbb2847f2f50d7b7427f9c1d892b
SHA1: ade31cdbbf6ab44e1333fe4b26e3c20345c0e723
SHA256: 353a89691d9d7e9ac7dd5b723da84e4e84abb2a6a9988b5688b7b320ed61de5e
SHA512: e32816a467d8639a1fad36171d5d49c176d21e15f574512e494f1d1ffcfbd4b963f2e07e4abc8c15f6137751270d48aeb8c44725bdc77eeac2baaa53105dc75e
SSDEEP: 12288:c0Siiu2cOMayaZerXXmhFXtVwrypCQTubDf:K3gV6eihQOXTID
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid: 1784 | process: SERVXD.EXE
  pid: 2808 | process: SERVXD.EXE
Processes:
  resource: behavioral2/memory/3292-0-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-1-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-2-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-4-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-6-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-22-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-28-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-29-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-30-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-39-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-56-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-57-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-58-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/3292-62-0x0000000000400000-0x00000000004EA000-memory.dmp | yara_rule: upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (26 IoCs)
Processes:
  Token: SeIncreaseQuotaPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeSecurityPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeTakeOwnershipPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeLoadDriverPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeSystemProfilePrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeSystemtimePrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeProfSingleProcessPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeCreatePagefilePrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeBackupPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeRestorePrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeShutdownPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeDebugPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeSystemEnvironmentPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeChangeNotifyPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeRemoteShutdownPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeUndockPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeManageVolumePrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeImpersonatePrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeCreateGlobalPrivilege | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: 33 | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: 34 | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: 35 | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: 36 | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Token: SeDebugPrivilege | pid: 2808 | process: SERVXD.EXE
  Token: SeDebugPrivilege | pid: 1784 | process: SERVXD.EXE
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description: PID 3292 wrote to memory of 1784 | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe | target process: SERVXD.EXE
  description: PID 3292 wrote to memory of 1784 | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe | target process: SERVXD.EXE
  description: PID 3292 wrote to memory of 1784 | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe | target process: SERVXD.EXE
  description: PID 3292 wrote to memory of 2808 | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe | target process: SERVXD.EXE
  description: PID 3292 wrote to memory of 2808 | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe | target process: SERVXD.EXE
  description: PID 3292 wrote to memory of 2808 | pid: 3292 | process: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe | target process: SERVXD.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe"
    PID: 3292
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE"
        PID: 1784
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
            Command line: C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
            PID: 4220

            [4] C:\Users\Admin\AppData\Roaming\iexplorer.exe
                Command line: "C:\Users\Admin\AppData\Roaming\iexplorer.exe"
                PID: 2588

                [5] C:\Users\Admin\AppData\Roaming\iexplorer.exe
                    Command line: C:\Users\Admin\AppData\Roaming\iexplorer.exe
                    PID: 2540

        [3] C:\Users\Admin\AppData\Local\Temp\PerfWatsonPackage.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\PerfWatsonPackage.exe"
            PID: 1852

            [4] C:\Users\Admin\AppData\Local\Temp\msvbprj.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\msvbprj.exe"
                PID: 1620

                [5] C:\Users\Admin\AppData\Local\Temp\msvbprj.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\msvbprj.exe
                    PID: 3216

                    [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                        Command line: dw20.exe -x -s 1248
                        PID: 4912

    [2] C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE"
        PID: 2808
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
            Command line: C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
            PID: 4388

            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                Command line: dw20.exe -x -s 1648
                PID: 1900

        [3] C:\Users\Admin\AppData\Local\Temp\PerfWatsonPackage.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\PerfWatsonPackage.exe"
            PID: 3032

            [4] C:\Users\Admin\AppData\Local\Temp\msvbprj.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\msvbprj.exe"
                PID: 3644

                [5] C:\Users\Admin\AppData\Local\Temp\msvbprj.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\msvbprj.exe
                    PID: 3460

                    [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                        Command line: dw20.exe -x -s 1276
                        PID: 3656

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    PID: 5096
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: 90973b481f87e48d8a202ce7275c37de
SHA1: c8c6d63228513faed508f0804b4801c1dadeeef4
SHA256: c66c9444596a5c759dbd83aadb245506c06b1eafc40a944d362479699a99ceb1
SHA512: 64a0a799263312c8223e13f5091a0a4abbfe0300887d810fcbc10038a06142e49589cfc0d39585763fb8c232ae1ed59ec50ca3c3afaa8d277d0ae9fc847b80af

Filesize: 35KB
MD5: 5de5595461e7d2128487452a00021d0b
SHA1: 475ac303168d7165ba5d51df5b46e5e6169d03fc
SHA256: 2cf9865737b18d9bde9e44c59a039655dca28706f55097a149361e6b6bf54259
SHA512: 799ed7527dedce3e602751032b68d21f619daa45c39d608f07973e9ce316dde947ed716c7f119989f2d7d793a6b14ae05b4f103d49d2b80fe8acd67faac509ca

Filesize: 132KB
MD5: bfcda558599642269b2856d4d80b58ee
SHA1: 09c0831620131bcaca74307730cc43c67522b2ba
SHA256: 6e72cf5e30718749d6e926742bd6b9b5466194b0a7e9cbea0b38d76c41394329
SHA512: cabc48867a54a432c9236c0d9fe4e1e019ec185d48a3bfe83548f14eb7e619ae23342917540fb3e28a584a44188a1ed81bd5214d5949e59d554eb5ff468893b2