Analysis
max time kernel: 157s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/06/2024, 01:21
Static task: static1
Behavioral task: behavioral1
  Sample: 103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe
Size: 706KB
MD5: 103c2fe0fd8d81d0179e9831f5091bce
SHA1: c85bf81b22f92002da99ea45513ee4f48a765324
SHA256: a748dfd149c8e1f9d390b2c4a9f2646d97da3bebc25940a2fa08335221c2a898
SHA512: fa7a2d3eef2072d20719df535672c2b417f3759faceabdaabc9d4b6708722e90c8941e7296990f9a58d2d14367f3d13af68f0e20bdd47b801ab03a2633c49561
SSDEEP: 12288:CdrAofT5h6l0Lbl8gWsur96h73dvfDqF3Z4mxxsT2A6NgHP9o/l3h6iW:CiO5saLx7ur9ENXWQmXsT25GleTFW
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: 3.exe)
Executes dropped EXE (2 IoCs)
  pid 4240: 3.exe
  pid 4188: RunMgr.EXE
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe)
Drops file in Windows directory (1 IoC)
  File created: C:\Windows\RunMgr.EXE (process: 3.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege (pid 4240, process: 3.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2916 wrote to memory of 4240 (pid 2916, 103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe, procid_target 92)
  PID 2916 wrote to memory of 4240 (pid 2916, 103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe, procid_target 92)
  PID 2916 wrote to memory of 4240 (pid 2916, 103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe, procid_target 92)
  PID 4240 wrote to memory of 4188 (pid 4240, 3.exe, procid_target 94)
  PID 4240 wrote to memory of 4188 (pid 4240, 3.exe, procid_target 94)
  PID 4240 wrote to memory of 4188 (pid 4240, 3.exe, procid_target 94)
  PID 4240 wrote to memory of 1904 (pid 4240, 3.exe, procid_target 95)
  PID 4240 wrote to memory of 1904 (pid 4240, 3.exe, procid_target 95)
  PID 4240 wrote to memory of 1904 (pid 4240, 3.exe, procid_target 95)
  PID 4240 wrote to memory of 4164 (pid 4240, 3.exe, procid_target 96)
  PID 4240 wrote to memory of 4164 (pid 4240, 3.exe, procid_target 96)
  PID 4240 wrote to memory of 4164 (pid 4240, 3.exe, procid_target 96)
Processes
C:\Users\Admin\AppData\Local\Temp\103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe"
  PID: 2916
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
    PID: 4240
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\RunMgr.EXE
      Command line: "C:\Windows\RunMgr.EXE"
      PID: 4188
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c del %SystemRoot%\Debug.exe
      PID: 1904
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe > nul
      PID: 4164
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  PID: 2056
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340KB
  MD5: e860f2c1c383b29df93336cef2e7a661
  SHA1: 22d83ee05689d50cd69713fa8f3abd0dc34f41bc
  SHA256: 0dd5d75041c4475490f6f4c6dc8cb5d04f1e22842460937ca3efa8e6ec863e88
  SHA512: e22bd759ef1a1a33b274d395998c4a5615103623574c43a01b731246b553577d699a7ea44db8dcd961956a26535f7077202ed76b67692a47bd6141cbdf45292b
- Filesize: 290KB
  MD5: 02182f44ae69e7e780515c29ebe0923d
  SHA1: b2ffbef6781db5dd6786937d9c3f9c701d4b5949
  SHA256: d8dc80b1c28afa0c11fca2f4ef5b49351ea0c7e8dd14e8940d5be25cad6e84b0
  SHA512: 3e0fac29e7270c51db0d8614f6c39236c5bb3ccd2a6b80de33022ce41c16849337b9e48382fa9ad3626c34896f007e55ea143e2a18767f0fc6c0bfa93cac780d