Analysis

Max time kernel: 90s
Max time network: 84s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-06-2024 04:17

Static task: static1
Behavioral task: behavioral1
  Sample: 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe
  Resource: win7-20240611-en
General

Target: 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe
Size: 148KB
MD5: 10b145cfb95a3ba1a16460cbae99e607
SHA1: fe5bdb1ca76fb0a29b72a15856f356ddbe5fff9f
SHA256: 280b9d8bb4ec80336b10766fff7ab363fcde1524963910a45d95d8ec46183ede
SHA512: 12309ee46b8fc8877779da60d721cda25d7e8bafa80cccb5e9a8d489acaa60b407395ea7be84750997106ed8572859ccb632f529ec64ca8a266a3936a80d9f21
SSDEEP: 3072:ZwH1uIIPhvpE6cXjA8iVUAWGaqqqBSpXuWMfujoMITjWR:O/EFpkXsDePGaqqqBmMfujPB
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe

Executes dropped EXE (2 IoCs)
pid | Process
3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
2056 | fylshnjvyuuhuiky.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\win.ini | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3036 | 4812 | WerFault.exe | 82
4692 | 3688 | WerFault.exe | 89
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425537298" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F64EC298-3372-11EF-BCA5-66D3FDB32ECD} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Suspicious behavior: LoadsDriver (1 IoCs)
pid | Process
660 | Process not Found

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeSecurityPrivilege | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
Token: SeDebugPrivilege | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
Token: SeSecurityPrivilege | 2056 | fylshnjvyuuhuiky.exe
Token: SeLoadDriverPrivilege | 2056 | fylshnjvyuuhuiky.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1056 | IEXPLORE.EXE
1056 | IEXPLORE.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1056 | IEXPLORE.EXE
1056 | IEXPLORE.EXE
3528 | IEXPLORE.EXE
3528 | IEXPLORE.EXE
3528 | IEXPLORE.EXE
3528 | IEXPLORE.EXE
1056 | IEXPLORE.EXE
1056 | IEXPLORE.EXE
4016 | IEXPLORE.EXE
4016 | IEXPLORE.EXE
4016 | IEXPLORE.EXE
4016 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (40 IoCs)
description | pid | Process | procid_target
PID 1840 wrote to memory of 3860 | 1840 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe | 81
PID 1840 wrote to memory of 3860 | 1840 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe | 81
PID 1840 wrote to memory of 3860 | 1840 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe | 81
PID 3860 wrote to memory of 4812 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 82
PID 3860 wrote to memory of 4812 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 82
PID 3860 wrote to memory of 4812 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 82
PID 3860 wrote to memory of 4812 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 82
PID 3860 wrote to memory of 4812 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 82
PID 3860 wrote to memory of 4812 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 82
PID 3860 wrote to memory of 4812 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 82
PID 3860 wrote to memory of 4812 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 82
PID 3860 wrote to memory of 4812 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 82
PID 3860 wrote to memory of 2120 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 86
PID 3860 wrote to memory of 2120 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 86
PID 3860 wrote to memory of 2120 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 86
PID 2120 wrote to memory of 1056 | 2120 | iexplore.exe | 87
PID 2120 wrote to memory of 1056 | 2120 | iexplore.exe | 87
PID 1056 wrote to memory of 3528 | 1056 | IEXPLORE.EXE | 88
PID 1056 wrote to memory of 3528 | 1056 | IEXPLORE.EXE | 88
PID 1056 wrote to memory of 3528 | 1056 | IEXPLORE.EXE | 88
PID 3860 wrote to memory of 3688 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 89
PID 3860 wrote to memory of 3688 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 89
PID 3860 wrote to memory of 3688 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 89
PID 3860 wrote to memory of 3688 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 89
PID 3860 wrote to memory of 3688 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 89
PID 3860 wrote to memory of 3688 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 89
PID 3860 wrote to memory of 3688 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 89
PID 3860 wrote to memory of 3688 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 89
PID 3860 wrote to memory of 3688 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 89
PID 3860 wrote to memory of 2620 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 94
PID 3860 wrote to memory of 2620 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 94
PID 3860 wrote to memory of 2620 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 94
PID 2620 wrote to memory of 2368 | 2620 | iexplore.exe | 95
PID 2620 wrote to memory of 2368 | 2620 | iexplore.exe | 95
PID 1056 wrote to memory of 4016 | 1056 | IEXPLORE.EXE | 96
PID 1056 wrote to memory of 4016 | 1056 | IEXPLORE.EXE | 96
PID 1056 wrote to memory of 4016 | 1056 | IEXPLORE.EXE | 96
PID 3860 wrote to memory of 2056 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 99
PID 3860 wrote to memory of 2056 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 99
PID 3860 wrote to memory of 2056 | 3860 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 99
Processes

Process tree (indentation shows parent/child depth; each entry lists the image path, the command line as captured, the PID and the signatures triggered by that process):

C:\Users\Admin\AppData\Local\Temp\10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe"
  PID: 1840
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
    PID: 3860
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 4812

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 204
        PID: 3036
        - Program crash

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 2120
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        PID: 1056
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:17410 /prefetch:2
          PID: 3528
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:17416 /prefetch:2
          PID: 4016
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 3688

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 208
        PID: 4692
        - Program crash

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 2620
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        PID: 2368
        - Modifies Internet Explorer settings

    C:\Users\Admin\AppData\Local\Temp\fylshnjvyuuhuiky.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fylshnjvyuuhuiky.exe"
      PID: 2056
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4812 -ip 4812
  PID: 2136

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3688 -ip 3688
  PID: 3372
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 111KB
MD5: 10d2e087710c80d11a2e482cd3a13731
SHA1: 5623e43b4ac7c528449e67bc11cedabe369df54c
SHA256: 607b206b4baecc7a0be6c0518b8733fb5c4364b7098a262a03befbbfd0d30335
SHA512: 68b991baad83dc781e8a5ba69d0edfad7e90122618b5c1f178a01a0481a8f43e200cbd7f5702449ec758361ac8f1a1596e7400bd9561a86cbeff31a876a2f65a

Filesize: 380B
MD5: 7417ffe469b7a551aa54cbffec528ae7
SHA1: 08e1f77dcfcc625c6c70f0bd3029db5e2d10a21e
SHA256: dd8d44a7602480e0c59ee75c7eead5c109c2bd54818851953b5760218c3e4517
SHA512: 7efe91b96095d23128b3db4af6579ef82c91c41e2881cf3930b2f2bda32e61e9b47d46819806879f435731898a6884e00c6d58ad25f2da558e5f7f270006d8e4