Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2024, 19:20
Behavioral task: behavioral1
- Sample: 31a65114299c4405949acd4858778934_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 31a65114299c4405949acd4858778934_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 31a65114299c4405949acd4858778934_JaffaCakes118.exe
- Size: 81KB
- MD5: 31a65114299c4405949acd4858778934
- SHA1: 9f09f4d6e61bac7d547cda9cc1c66d88df0020d5
- SHA256: 05aaf2d4855f765e016ad7fb7d55531cc6f03a5b7b31553aa81d7cea6c4597cd
- SHA512: 430d87aa28263ca94c16aec2803f73691727bf4f8bfac6d95e3ef7342dd64b3201b94aef88fd666f4d4800078bce2be70b2da0ab3109014ec8d07463153f6142
- SSDEEP: 1536:jKDPPTHbuzvZPtXjVaAZbBh8WconV1NNwYGO7ZCuWJ1lOIhsOV8Q62/do:jqPPTHKzRlVaAZtcGV1NNweWJ17em8Qe
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation (process: 31a65114299c4405949acd4858778934_JaffaCakes118.exe)

Executes dropped EXE (1 IoC)
- PID 4328: g5vH2Hrr.exe

YARA rule matches (resource: rule)
- behavioral2/memory/4644-0-0x0000000000400000-0x0000000000423000-memory.dmp: upx
- behavioral2/memory/4644-1-0x0000000000400000-0x0000000000423000-memory.dmp: upx
- behavioral2/memory/4644-4-0x0000000000400000-0x0000000000423000-memory.dmp: upx
- behavioral2/files/0x00030000000229db-9.dat: upx
- behavioral2/memory/4328-14-0x0000000000400000-0x0000000000423000-memory.dmp: upx
- behavioral2/memory/4328-15-0x0000000000400000-0x0000000000423000-memory.dmp: upx

Drops file in System32 directory (3 IoCs)
- File created: C:\Windows\SysWOW64\g5vH2Hrr.exe (process: 31a65114299c4405949acd4858778934_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\g5vH2Hrr.exe (process: 31a65114299c4405949acd4858778934_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\g5vH2Hrr.exe (process: g5vH2Hrr.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeIncBasePriorityPrivilege, PID 4644, 31a65114299c4405949acd4858778934_JaffaCakes118.exe
- Token: SeIncBasePriorityPrivilege, PID 4328, g5vH2Hrr.exe

Suspicious use of WriteProcessMemory (9 IoCs)
(description, pid, process, procid_target)
- PID 4644 wrote to memory of 4328; 4644; 31a65114299c4405949acd4858778934_JaffaCakes118.exe; 85
- PID 4644 wrote to memory of 4328; 4644; 31a65114299c4405949acd4858778934_JaffaCakes118.exe; 85
- PID 4644 wrote to memory of 4328; 4644; 31a65114299c4405949acd4858778934_JaffaCakes118.exe; 85
- PID 4644 wrote to memory of 2736; 4644; 31a65114299c4405949acd4858778934_JaffaCakes118.exe; 86
- PID 4644 wrote to memory of 2736; 4644; 31a65114299c4405949acd4858778934_JaffaCakes118.exe; 86
- PID 4644 wrote to memory of 2736; 4644; 31a65114299c4405949acd4858778934_JaffaCakes118.exe; 86
- PID 4328 wrote to memory of 4836; 4328; g5vH2Hrr.exe; 87
- PID 4328 wrote to memory of 4836; 4328; g5vH2Hrr.exe; 87
- PID 4328 wrote to memory of 4836; 4328; g5vH2Hrr.exe; 87
Processes
C:\Users\Admin\AppData\Local\Temp\31a65114299c4405949acd4858778934_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31a65114299c4405949acd4858778934_JaffaCakes118.exe"
  PID: 4644
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\g5vH2Hrr.exe
    Command line: "C:\Windows\system32\g5vH2Hrr.exe"
    PID: 4328
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\g5vH2Hrr.exe > nul
      PID: 4836
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\31A651~1.EXE > nul
    PID: 2736
Network
MITRE ATT&CK Enterprise v15