Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 21:24
Behavioral task: behavioral1
- Sample: 17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe
- Size: 797KB
- MD5: 17952d6d362fb10f6feba49016730c98
- SHA1: 5b8389cde6345a369a25bd2ae92c54392048b1da
- SHA256: 838f0dfabc78e448aa17c69ad07715f89532ff8deb4081e4952179aafc4a44e2
- SHA512: caa9bbd20df19c6ce3663621a23ea68557ede61cf7249d60df626b699869ccd624534d6edbd73d46e3bbd7fac8460e6d66c052a5aa5e4fb1262cac38dbbb1be0
- SSDEEP: 12288:sFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0c/q:M3nbWmJVJFwSddIXvfhqbiaxvRFq
Malware Config
Signatures

- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes (pid, process):
    3884  attrib.exe
    3380  attrib.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe

- Memory regions matched by YARA rule (resource, yara_rule):
    behavioral2/memory/2084-0-0x0000000000400000-0x00000000004C9000-memory.dmp   upx
    behavioral2/memory/1668-9-0x0000000000400000-0x00000000004C9000-memory.dmp   upx
    behavioral2/memory/2084-10-0x0000000000400000-0x00000000004C9000-memory.dmp  upx

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 2084 set thread context of 1668  2084  17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe  iexplore.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    1668  iexplore.exe

- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (description, pid, process); the same 24 tokens are adjusted by each of the two processes:
    Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
    2084  17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe  (all 24 tokens above)
    1668  iexplore.exe  (all 24 tokens above)

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
    1668  iexplore.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description, pid, process, target process):
    PID 2084 wrote to memory of 2824  2084  17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe  cmd.exe     (3 times)
    PID 2084 wrote to memory of 1824  2084  17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe  cmd.exe     (3 times)
    PID 2084 wrote to memory of 1668  2084  17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe  iexplore.exe  (5 times)
    PID 2824 wrote to memory of 3884  2824  cmd.exe  attrib.exe  (3 times)
    PID 1824 wrote to memory of 3380  1824  cmd.exe  attrib.exe  (3 times)

- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes (pid, process):
    3380  attrib.exe
    3884  attrib.exe
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe"
  PID: 2084
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    PID: 2824
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 3884
      - Sets file to hidden
      - Views/modifies file attributes

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    PID: 1824
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 3380
      - Sets file to hidden
      - Views/modifies file attributes

  - [2] C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 1668
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 50B
  MD5: b774ae3fb1da087e1f83b4f7b2060e5a
  SHA1: 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
  SHA256: adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
  SHA512: f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701