Analysis
max time kernel: 141s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 08:05
Static task: static1
Behavioral task: behavioral1
  Sample: 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe
Size: 448KB
MD5: 114a2cbd4baa8f99839403dfdfa970a3
SHA1: cf12815ccd4d9bcfcd2e295e6f84bb97692b8a0a
SHA256: f92beb2a4d338f69c1d6e5248ba6384e7c1dfc31a7f5f485c1ef5d2a71538720
SHA512: 0bc01d6061b4aeb4631e08a21e101779f50c964d86aa469485e7f100d3efda906190a04cde99daac5c69b9a73ed399fac7a551ed21337e7575e19d623fa67839
SSDEEP: 12288:WyFthhLwcD96lU5JFDqYQ/IeTLHQBLfgmFg:Wy7hNwJlU3F9H
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (process: 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe)
- YARA rule match
  resource: behavioral2/files/0x0007000000023513-8.dat, yara_rule: vmprotect
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\JoachimPeiper.dat (process: 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe)
  File created: C:\Windows\rxing.bat (process: 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe)
  File created: C:\Windows\mssoft.bat (process: 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoCs)
  PID 2536, process: taskkill.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 2520, process: 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, PID 2536, process: taskkill.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 2636, process: iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2636 iexplore.exe; PID 2636 iexplore.exe; PID 1164 IEXPLORE.EXE; PID 1164 IEXPLORE.EXE; PID 1164 IEXPLORE.EXE; PID 1164 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2520 wrote to memory of 4604 | 2520 | 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe | 95
  PID 2520 wrote to memory of 4604 | 2520 | 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe | 95
  PID 2520 wrote to memory of 4604 | 2520 | 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe | 95
  PID 2224 wrote to memory of 1816 | 2224 | explorer.exe | 97
  PID 2224 wrote to memory of 1816 | 2224 | explorer.exe | 97
  PID 2520 wrote to memory of 2636 | 2520 | 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe | 103
  PID 2520 wrote to memory of 2636 | 2520 | 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe | 103
  PID 2520 wrote to memory of 668 | 2520 | 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe | 104
  PID 2520 wrote to memory of 668 | 2520 | 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe | 104
  PID 2520 wrote to memory of 668 | 2520 | 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe | 104
  PID 668 wrote to memory of 2536 | 668 | cmd.exe | 106
  PID 668 wrote to memory of 2536 | 668 | cmd.exe | 106
  PID 668 wrote to memory of 2536 | 668 | cmd.exe | 106
  PID 2636 wrote to memory of 1164 | 2636 | iexplore.exe | 107
  PID 2636 wrote to memory of 1164 | 2636 | iexplore.exe | 107
  PID 2636 wrote to memory of 1164 | 2636 | iexplore.exe | 107
Processes
PID 2520: C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID 4604: C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\System32\explorer.exe" C:\nod816.bat
  PID 2636: C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 1164: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  PID 668: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\mssoft.bat" "
    - Suspicious use of WriteProcessMemory
    PID 2536: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im qq.exe /t
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
PID 2316: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3644,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
PID 2224: C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  PID 1816: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\nod816.bat" "
Network
MITRE ATT&CK Enterprise v15
Downloads