Analysis
- max time kernel: 150s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-07-2024 14:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
- Size: 92KB
- MD5: 39701f5c18d18cd690f7ded4f1ea958e
- SHA1: 982abd7a3c93c48536917a958fc97252f5e225e1
- SHA256: afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c
- SHA512: cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff
- SSDEEP: 1536:sEUQjlDAMOcnNFCEcK3gGrvOAoY7ld0ckN3wTr3iAkHyy+dOrrrrrr:sVulMMlXE+g41jkNyTr
Malware Config
Signatures
UAC bypass
Processes:
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
EnableLUA = 0 disables UAC and ConsentPromptBehaviorAdmin = 0 elevates administrators without a consent prompt, so a write to either value under Policies\System is a high-confidence alerting point.
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation
- explorer.exe: Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation
- mvscavAP.exe: Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation
Deletes itself 1 IoCs
Processes:
- 760 explorer.exe
Executes dropped EXE 3 IoCs
Processes:
- 760 explorer.exe
- 3520 mvscavAP.exe
- 664 SiaPort.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
- reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe"
- reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe"
- mvscavAP.exe: Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"
The "wins" value lands under WOW6432Node because the 32-bit reg.exe from SysWOW64 was used and HKLM\SOFTWARE is redirected for 32-bit processes on 64-bit Windows; persistence checks should cover both the native and the WOW6432Node Run keys.
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 760 explorer.exe set thread context of 4464 AppLaunch.exe
- PID 664 SiaPort.exe set thread context of 2436 AppLaunch.exe
Drops file in Windows directory 3 IoCs
Processes:
- AppLaunch.exe: File created C:\WINDOWS\ctfmon.exe
- AppLaunch.exe: File opened for modification C:\WINDOWS\ctfmon.exe
- AppLaunch.exe: File opened for modification C:\WINDOWS\ctfmon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry key 1 TTPs 2 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (the 64 hits are repeats of the same three processes; hit counts in parentheses):
- 760 explorer.exe (22)
- 3520 mvscavAP.exe (21)
- 664 SiaPort.exe (21)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- Token: SeDebugPrivilege, PID 116 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
- Token: SeDebugPrivilege, PID 760 explorer.exe
- Token: SeDebugPrivilege, PID 3520 mvscavAP.exe
- Token: SeDebugPrivilege, PID 664 SiaPort.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- 4464 AppLaunch.exe
- 2436 AppLaunch.exe
Suspicious use of WriteProcessMemory 31 IoCs
Processes (the 31 hits collapsed to distinct source/target pairs; hit counts in parentheses):
- PID 116 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe wrote to memory of 760 explorer.exe (3)
- PID 760 explorer.exe wrote to memory of 4464 AppLaunch.exe (8)
- PID 760 explorer.exe wrote to memory of 3520 mvscavAP.exe (3)
- PID 3520 mvscavAP.exe wrote to memory of 664 SiaPort.exe (3)
- PID 664 SiaPort.exe wrote to memory of 2436 AppLaunch.exe (8)
- PID 4464 AppLaunch.exe wrote to memory of 1232 reg.exe (3)
- PID 2436 AppLaunch.exe wrote to memory of 2700 reg.exe (3)
Processes
- C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - UAC bypass
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
        - Adds Run key to start application
        - Modifies registry key
    - C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (level 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          - UAC bypass
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe (level 6)
            Command line: reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
            - Adds Run key to start application
            - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation:
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 84B
  MD5: f12133d461ae93607418ef1c0d1ff5eb
  SHA1: ff555c4a7875ac2375a5ed2fa8b29982b1b2dc61
  SHA256: ed2685597be7038bd55083c086f9da96b9aec167241405baad6929474a1de5d1
  SHA512: 498f51923dddfe79c96e2b0fbdd8f6deafa47a4f169d669952a22634c4693e6e760ca5beb234a25c870948f9a5de3b60bb13f79f40715ddf971ad5ac26021fcb
- C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
  Filesize: 7KB
  MD5: 1e065c8186d7d23b9fad718e030ad963
  SHA1: ed1f41e4d34ed3321eb9dfbc6ac82b322de0c904
  SHA256: 45c1f790d9b856ccc02aa6be9f1102734fd9df534f6cea3b905de0698caedfdb
  SHA512: feef86acf449371102d4bf7a3b6aa50ebafff01d4f23c9bf24f69e35faf92956f205d8c8ea082d615e62b680ed1038dfda6e4e099707be45c2b7bdf32bffbc23
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  Filesize: 92KB
  MD5: 39701f5c18d18cd690f7ded4f1ea958e
  SHA1: 982abd7a3c93c48536917a958fc97252f5e225e1
  SHA256: afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c
  SHA512: cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff
  (Identical size and digests to the submitted sample: this "explorer.exe" is a self-copy of the sample placed in the Templates folder, not the Windows shell.)
- C:\WINDOWS\ctfmon.exe
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (These are the digests of zero-byte input, so the file was empty when the sandbox captured it, even though the "wins" Run key already points at it.)
- memory/116-1-0x00000000747E0000-0x0000000074D91000-memory.dmp: 5.7MB
- memory/116-2-0x00000000747E0000-0x0000000074D91000-memory.dmp: 5.7MB
- memory/116-13-0x00000000747E0000-0x0000000074D91000-memory.dmp: 5.7MB
- memory/116-0-0x00000000747E2000-0x00000000747E3000-memory.dmp: 4KB
- memory/760-15-0x00000000747E0000-0x0000000074D91000-memory.dmp: 5.7MB
- memory/760-14-0x00000000747E0000-0x0000000074D91000-memory.dmp: 5.7MB
- memory/760-48-0x00000000747E0000-0x0000000074D91000-memory.dmp: 5.7MB
- memory/3520-36-0x00000000747E0000-0x0000000074D91000-memory.dmp: 5.7MB
- memory/3520-49-0x00000000747E0000-0x0000000074D91000-memory.dmp: 5.7MB
- memory/4464-23-0x0000000000400000-0x000000000040C000-memory.dmp: 48KB
- memory/4464-21-0x0000000000400000-0x000000000040C000-memory.dmp: 48KB