Analysis
max time kernel: 150s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 06:10
Static task: static1
Behavioral task: behavioral1
  Sample: 14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2 (the run whose signatures and process tree are reported below)
  Sample: 14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
Size: 341KB
MD5: 14f204348c8a1092929f8de9140a61fc
SHA1: 2dd400491f442384bad0a653d16a32b4890bfc88
SHA256: 44c4b503e0e057900c9480c6db018d3a4fd36a963bc573ed9cdeffe8d9254d70
SHA512: 49e9769fe5ab587baa8c5ba9c71712fb86b324fd1676057ac87e8009ae9728e672de8c92cd10dd190b39b5de353cfe1186c460ff572f4b53ffa21df1ac44f9fa
SSDEEP: 6144:hFtTlXtdNCMHjDIlqePRJSnteu0tGPJd4Q1FDea7ID5HCFJOZ/FrOFg:BxX7NCAjjePRkouFP8gpfJOZ9a
Malware Config

Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. The Geo\Nation value under HKCU\Control Panel\International holds the numeric GeoID of the user's configured location; because it lives in the user hive, the value reflects whatever the user (or the sandbox image) has set, not the machine's actual network location.
Processes:
  14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe (PID 3672): key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
  lssam.exe (PID 2420): key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (2 IoCs)
Processes:
  PID 2420  lssam.exe
  PID 4376  spolsv.exe
YARA rule match: upx (8 IoCs)
The upx rule matched the region 0x00400000-0x004C7000 in memory dumps of the two AppLaunch.exe hosts (PID 3572 and PID 4248), consistent with a UPX-packed payload having been written into them rather than with AppLaunch.exe's own image.
Processes:
  behavioral2/memory/3572-7-0x0000000000400000-0x00000000004C7000-memory.dmp   upx
  behavioral2/memory/3572-8-0x0000000000400000-0x00000000004C7000-memory.dmp   upx
  behavioral2/memory/3572-9-0x0000000000400000-0x00000000004C7000-memory.dmp   upx
  behavioral2/memory/3572-11-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral2/memory/3572-10-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral2/memory/4248-31-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral2/memory/4248-33-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral2/memory/4248-32-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  lssam.exe (PID 2420): set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lssam.exe"
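The Run value above has three properties worth scoring on their own: the image sits in a user-writable Temp directory, the value name uses ® symbols to look like an OS component, and that brand-like name points outside Windows or Program Files. The following is an added example, not code from the sandbox or from the sample, showing how a triage script could rank autorun values on those three heuristics. The value list is constructed (the first entry is this report's IoC, the other two are benign controls), and the heuristic tables and the reporting threshold are assumptions to be tuned per environment.

```python
"""Score Run-key autostart values the way the 'Adds Run key' IoC above would be
triaged.  Added example, not code from the sandbox or the sample.  RUN_VALUES is
constructed: entry one is this report's IoC, the other two are benign controls.
The heuristic tables and threshold are assumptions."""
import unicodedata
from dataclasses import dataclass, field

# Constructed input: (registry key, value name, value data)
RUN_VALUES = [
    (r"\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000"
     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Microsoft® Windows® Operating System",
     r"C:\Users\Admin\AppData\Local\Temp\System\lssam.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Heuristic tables (assumptions; extend for your environment)
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")
TRUSTED_ROOTS = (r"c:\windows", r"%windir%", r"%systemroot%", r"c:\program files", r"%programfiles%")
BRAND_WORDS = ("microsoft", "windows", "system", "security", "update")


def image_path(command: str) -> str:
    """Return the executable path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def ascii_fold(text: str) -> str:
    """Lower-case and drop non-ASCII so 'Microsoft®' compares as 'microsoft'."""
    return "".join(c for c in unicodedata.normalize("NFKD", text) if c.isascii()).lower()


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def assess(key: str, name: str, data: str) -> Finding:
    """Apply the three heuristics to one Run value."""
    f = Finding(key, name, image_path(data))
    p = f.path.lower()
    if any(marker in p for marker in USER_WRITABLE):
        f.reasons.append("image is in a user-writable directory")
    if any(not c.isascii() for c in name):
        f.reasons.append("value name contains non-ASCII characters (brand symbols)")
    if any(w in ascii_fold(name) for w in BRAND_WORDS) and not p.startswith(TRUSTED_ROOTS):
        f.reasons.append("value name imitates an OS component but image is outside Windows/Program Files")
    return f


def triage(values) -> list:
    """Assess every value, highest score first."""
    return sorted((assess(*v) for v in values), key=lambda f: f.score, reverse=True)


def suspicious(values, threshold: int = 2) -> list:
    """Findings that reach the (assumed) reporting threshold."""
    return [f for f in triage(values) if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(RUN_VALUES):
        print(f"[{f.score}] {f.name!r} -> {f.path}")
        for r in f.reasons:
            print(f"      {r}")
```

On a live host the same functions can be fed from the HKCU and HKLM Run keys; the report's value scores 3 of 3 while both controls score 0.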
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  PID 3672 (14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe) set thread context of PID 3572 (AppLaunch.exe)
  PID 3572 (AppLaunch.exe) set thread context of PID 2640 (iexplore.exe)
  PID 4376 (spolsv.exe) set thread context of PID 4248 (AppLaunch.exe)
  PID 4248 (AppLaunch.exe) set thread context of PID 3704 (iexplore.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (the 64 entries repeat these three PIDs):
  PID 3672  14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
  PID 2420  lssam.exe
  PID 4376  spolsv.exe
Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes:
  PID 3672 (14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe): SeDebugPrivilege
  PID 2420 (lssam.exe): SeDebugPrivilege
  PID 4376 (spolsv.exe): SeDebugPrivilege
  PID 3572 (AppLaunch.exe) and PID 4248 (AppLaunch.exe), identical sets of 24 each: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus privileges 33, 34, 35 and 36 (reported by LUID only)
The two AppLaunch.exe hosts enable the whole privilege set their token holds in one pass, the pattern of a blanket enable-everything loop rather than a single targeted request.
Suspicious use of WriteProcessMemory (32 IoCs)
Processes (source -> target, number of writes):
  PID 3672 (14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe) -> PID 3572 (AppLaunch.exe): 8
  PID 3572 (AppLaunch.exe) -> PID 2640 (iexplore.exe): 5
  PID 3672 (14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe) -> PID 2420 (lssam.exe): 3
  PID 2420 (lssam.exe) -> PID 4376 (spolsv.exe): 3
  PID 4376 (spolsv.exe) -> PID 4248 (AppLaunch.exe): 8
  PID 4248 (AppLaunch.exe) -> PID 3704 (iexplore.exe): 5
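Read together, the SetThreadContext and WriteProcessMemory signatures describe two parallel process-hollowing chains: the parent starts a child, writes into it, then resets the child's thread context, and the child (AppLaunch.exe) repeats the same against iexplore.exe. The following is an added example, not code from the sandbox or the sample, that reconstructs those chains from event records; the process table and event list are constructed from the PIDs and counts listed in this report, and the event schema itself is an assumption. A parent that only writes into its child (3672 -> 2420, 2420 -> 4376 here) is what process creation itself looks like and is deliberately not flagged.

```python
"""Reconstruct the injection chain behind the SetThreadContext and
WriteProcessMemory signatures above.  Added example, not code from the sandbox
or the sample.  PROCESSES and EVENTS are constructed from the PIDs and counts in
this report; the event schema is an assumption."""
from collections import defaultdict

SAMPLE = "14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe"

# Constructed from the report's process tree: pid -> (image name, parent pid)
PROCESSES = {
    3672: (SAMPLE, None),
    3572: ("AppLaunch.exe", 3672),
    2640: ("iexplore.exe", 3572),
    2420: ("lssam.exe", 3672),
    4376: ("spolsv.exe", 2420),
    4248: ("AppLaunch.exe", 4376),
    3704: ("iexplore.exe", 4248),
}

# Constructed from the signature IoCs: (api, source pid, target pid, count)
EVENTS = [
    ("WriteProcessMemory", 3672, 3572, 8), ("SetThreadContext", 3672, 3572, 1),
    ("WriteProcessMemory", 3572, 2640, 5), ("SetThreadContext", 3572, 2640, 1),
    ("WriteProcessMemory", 3672, 2420, 3),
    ("WriteProcessMemory", 2420, 4376, 3),
    ("WriteProcessMemory", 4376, 4248, 8), ("SetThreadContext", 4376, 4248, 1),
    ("WriteProcessMemory", 4248, 3704, 5), ("SetThreadContext", 4248, 3704, 1),
]

HOLLOW_SIGNATURE = {"WriteProcessMemory", "SetThreadContext"}


def hollowing_edges(processes, events):
    """(parent, child) pairs where the parent both wrote into its own child and
    replaced the child's thread context: the process-hollowing pattern.  A parent
    that only writes (3672 -> 2420 here) is what CreateProcess itself does and is
    not flagged; a context change on a non-child is injection of another kind."""
    apis = defaultdict(set)
    for api, src, dst, _count in events:
        apis[(src, dst)].add(api)
    edges = []
    for (src, dst), seen in apis.items():
        _name, parent = processes.get(dst, ("?", None))
        if parent == src and HOLLOW_SIGNATURE <= seen:
            edges.append((src, dst))
    return sorted(edges)


def hollowing_chains(processes, events):
    """Follow hollowing edges from each root down to the last hollowed host."""
    edges = hollowing_edges(processes, events)
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if not children.get(pid):
            chains.append(path)
        for nxt in children.get(pid, []):
            walk(nxt, path)

    for root in sorted({src for src, _ in edges} - targets):
        walk(root, [])
    return chains


def describe(processes, chain):
    """Render a chain as 'image (pid) -> image (pid) -> ...'."""
    return " -> ".join(f"{processes[p][0]} ({p})" for p in chain)


if __name__ == "__main__":
    for chain in hollowing_chains(PROCESSES, EVENTS):
        print("hollowing chain:", describe(PROCESSES, chain))
```

Run against this report's data it yields two chains, sample -> AppLaunch.exe -> iexplore.exe and spolsv.exe -> AppLaunch.exe -> iexplore.exe, which is why both AppLaunch.exe instances carry the upx memory matches and the same enable-all privilege set.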
Processes
Each entry gives the image path, the command line as recorded, the PID and nesting depth, and the signatures the process triggered. Both AppLaunch.exe (the .NET Framework 2.0 application launcher) and iexplore.exe are started with no arguments, matching their role as injection hosts in the SetThreadContext and WriteProcessMemory signatures.

C:\Users\Admin\AppData\Local\Temp\14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe  (PID 3672, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe  (PID 3572, depth 2)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (no arguments)
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 2640, depth 3)
          command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (no arguments)
    C:\Users\Admin\AppData\Local\Temp\System\lssam.exe  (PID 2420, depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\System\lssam.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe  (PID 4376, depth 3)
          command line: "C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe  (PID 4248, depth 4)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (no arguments)
              - Suspicious use of SetThreadContext
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 3704, depth 5)
                  command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (no arguments)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2080, depth 1; a top-level process, not a child of the sample)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:8
Downloads
1. Filesize: 25KB
   MD5: b347591498c2c74cc3c23597cb1f34cc
   SHA1: 27054194904202938e3e7cdb10cf2c291767fdef
   SHA256: 24ada6c187f2c3188bd3e437443822f4f87fd997d9cc8d6d4abf38ba28e8528b
   SHA512: e365f543b667ccc9b0fe5d3e5827e4df0f0f5a72676f3e7fc498ebe2f84d67d14db54d6742fdabe9c08004c6dce76d7befeac6b3f39ba1163663ae870ea973b6
2. Filesize: 341KB (the submitted sample itself; hashes match the General section)
   MD5: 14f204348c8a1092929f8de9140a61fc
   SHA1: 2dd400491f442384bad0a653d16a32b4890bfc88
   SHA256: 44c4b503e0e057900c9480c6db018d3a4fd36a963bc573ed9cdeffe8d9254d70
   SHA512: 49e9769fe5ab587baa8c5ba9c71712fb86b324fd1676057ac87e8009ae9728e672de8c92cd10dd190b39b5de353cfe1186c460ff572f4b53ffa21df1ac44f9fa