Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
08-07-2024 20:47
Static task
static1
Behavioral task
behavioral1
Sample
2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe
Resource
win7-20240705-en
General
-
Target
2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe
-
Size
4.2MB
-
MD5
2dbe8acd23d12f9f1fbeeaeead8c667a
-
SHA1
8f0fce3f465aa5e3699599cbfb3ff94f49ce181e
-
SHA256
7277f1d3ddf844d18b2b0f95b620c8617736ad6703234fee2cb46299590180fe
-
SHA512
07f92bea16c99eaf1887856a679f8f3b6a3d8aab081532396d89c51023513418f4d102959b0ff6676cbbb11ec4819315092c36d06f3939df34c1fae44bc0802d
-
SSDEEP
98304:XcrwuJxGYegQbB5DAowDOA3wRbVZ3oG3zmQH0QRK5fl0Ax:jAEYiyvwRbVSGDmESdb
Malware Config
Extracted
bitrat
1.34
79.134.225.74:1973
-
communication_password
f49a6667c09a9e329afb64bc0a18a188
-
tor_process
tor
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 3980 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 3980 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 3980 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 3980 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 820 set thread context of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2116 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 3980 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3980 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 3980 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 820 wrote to memory of 2116 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 88 PID 820 wrote to memory of 2116 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 88 PID 820 wrote to memory of 2116 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 88 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90 PID 820 wrote to memory of 3980 820 2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrOBwFtgJDP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF95F.tmp"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2116
-
-
C:\Users\Admin\AppData\Local\Temp\2dbe8acd23d12f9f1fbeeaeead8c667a_JaffaCakes118.exe"{path}"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3980
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD565a473699ffab5bc4a300c43249e0527
SHA17bbbe5776d680269888c16f79a24de7202ee2d6c
SHA256e1ee8038d6429da7e9a6866689c994b5be0ad4ece653fb3a04b5e5bd74c4ddd8
SHA51286a826bfbcacd4c62278c0434457c90018e3b10bcbcdbc55828e832dab8125d11375369701b7642ea1960576c6a17eef828f2415b9a58a9fe2a2705155e20193