Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-07-2024 16:42
- Static task: static1
- Behavioral task: behavioral1 (Sample: 53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe; Resource: win7-20240704-en)
General
- Target: 53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
- Size: 340KB
- MD5: 53dd759d56240beba49d6318b4e53197
- SHA1: 25f4afea4e8babc6d7774fcf08b48f3917f05ae8
- SHA256: 7904257af820db24fcf0cba9fe6cd156eecd2a99c4b837f5807660d2c13b5fb0
- SHA512: 61c4e0b2348317efa48905e6918040775269022d052af5f805a45670710fa1259606011e08b434ffe4ebdea58dc95b6a053f2af9d0539f4e119cd5bbca5924d2
- SSDEEP: 6144:AyGXQhW1B4rVph3k4cSbgzs/rEpyrVRRelKHAK3g3UHYTvLRUQSOObAIAjgItE6a:PzGnvpDOB+jggTBtAyhKuD
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 10 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
Events (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: audiodgi.exe
Events (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (audiodgi.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe" (audiodgi.exe)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe, svchost.exe, audiodgi.exe
Events (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation (53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation (svchost.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation (audiodgi.exe)
Deletes itself (1 IoCs)
Processes: svchost.exe
Events (pid, process):
- 3640 svchost.exe
Executes dropped EXE (5 IoCs)
Processes: svchost.exe, svchost.exe, audiodgi.exe, wmpmetwk.exe, wmpmetwk.exe
Events (pid, process):
- 3640 svchost.exe
- 1116 svchost.exe
- 4600 audiodgi.exe
- 4592 wmpmetwk.exe
- 864 wmpmetwk.exe
YARA rule matches (resource, yara_rule):
- behavioral2/memory/1116-27-0x0000000000400000-0x0000000000471000-memory.dmp: upx
- behavioral2/memory/1116-28-0x0000000000400000-0x0000000000471000-memory.dmp: upx
- behavioral2/memory/1116-26-0x0000000000400000-0x0000000000471000-memory.dmp: upx
- behavioral2/memory/1116-23-0x0000000000400000-0x0000000000471000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: audiodgi.exe
Events (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe" (audiodgi.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes: svchost.exe, wmpmetwk.exe
Events (description, pid, process, target process):
- PID 3640 set thread context of 1116: 3640 svchost.exe -> svchost.exe
- PID 4592 set thread context of 864: 4592 wmpmetwk.exe -> wmpmetwk.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes: WerFault.exe
Events (pid, pid_target, process, target process):
- 5048, 864: WerFault.exe -> wmpmetwk.exe
Modifies registry key (1 TTPs, 4 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
Events (pid, process):
- 1004 reg.exe
- 544 reg.exe
- 2100 reg.exe
- 3108 reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: svchost.exe, audiodgi.exe, wmpmetwk.exe
Events (pid, process), 64 in total, cycling through the same three processes:
- 3640 svchost.exe (22 events)
- 4600 audiodgi.exe (21 events)
- 4592 wmpmetwk.exe (21 events)
Suspicious use of AdjustPrivilegeToken (39 IoCs)
Processes: 53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe, svchost.exe, svchost.exe, audiodgi.exe, wmpmetwk.exe
Events (token, pid, process):
- SeDebugPrivilege: 1556 53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
- SeDebugPrivilege: 3640 svchost.exe
- 1116 svchost.exe (35 tokens): 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- SeDebugPrivilege: 4600 audiodgi.exe
- SeDebugPrivilege: 4592 wmpmetwk.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: svchost.exe
Events (pid, process):
- 1116 svchost.exe (3 events)
Suspicious use of WriteProcessMemory (45 IoCs)
Processes: 53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe, svchost.exe, svchost.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, audiodgi.exe, wmpmetwk.exe
Events (pid wrote to memory of target pid; process -> target process; repeated writes counted):
- 1556 -> 3640: 53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe -> svchost.exe (3 writes)
- 3640 -> 1116: svchost.exe -> svchost.exe (8 writes)
- 1116 -> 1404: svchost.exe -> cmd.exe (3 writes)
- 1116 -> 5080: svchost.exe -> cmd.exe (3 writes)
- 1116 -> 3696: svchost.exe -> cmd.exe (3 writes)
- 1116 -> 1304: svchost.exe -> cmd.exe (3 writes)
- 1404 -> 2100: cmd.exe -> reg.exe (3 writes)
- 3696 -> 3108: cmd.exe -> reg.exe (3 writes)
- 1304 -> 544: cmd.exe -> reg.exe (3 writes)
- 5080 -> 1004: cmd.exe -> reg.exe (3 writes)
- 3640 -> 4600: svchost.exe -> audiodgi.exe (3 writes)
- 4600 -> 4592: audiodgi.exe -> wmpmetwk.exe (3 writes)
- 4592 -> 864: wmpmetwk.exe -> wmpmetwk.exe (4 writes)
Processes (process tree; the number is the depth in the tree, indentation follows it)

1. C:\Users\Admin\AppData\Local\Temp\53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\svchost.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
     - Checks computer location settings
     - Deletes itself
     - Executes dropped EXE
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\svchost.exe
       Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
       - Executes dropped EXE
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\reg.exe
           Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
           - Modifies firewall policy service
           - Modifies registry key

      4. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\reg.exe
           Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
           - Modifies firewall policy service
           - Modifies registry key

      4. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\reg.exe
           Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
           - Modifies firewall policy service
           - Modifies registry key

      4. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\reg.exe
           Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
           - Modifies firewall policy service
           - Modifies registry key

    3. C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
       - Adds policy Run key to start application
       - Checks computer location settings
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
           Command line: C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
           - Executes dropped EXE

          6. C:\Windows\SysWOW64\WerFault.exe
             Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 80
             - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 864 -ip 864
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Privilege Escalation
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  - Filesize: 87B
  - MD5: e9c70a8ab240fb4e8164d67c7c24be2f
  - SHA1: ca12502f573c41b3c5ae53cded52d3e2cf93733e
  - SHA256: a0fa0d7ec90c910403f23b411361e9966d1ef081ea65194d0a723d4308a1e570
  - SHA512: eae6ff76e057dbaeb60882131d2593fa34a28c3a1787f5a002e572ca8067efa706e2e735b8661e61f88b742a71d7f724c7736410297c2bb9b7ad50075f1f22dd
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  - Filesize: 7KB
  - MD5: 6d283be2823b28d65301591c318cb91d
  - SHA1: eab65bfa634225d303a96d67f61223011f0c88ed
  - SHA256: ed40f7d336c87960d7e9ef7b70532f1636b160e7b30685b366eb503d59dbef57
  - SHA512: 9eaa4369f653d98c04d3f192348be0dde5928cca693cf9c2bde190a0220c4b3c840126ac185a3a2a4b92cbaf74089c468919c861377deb34b842b5c233411abe
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  - Filesize: 340KB
  - MD5: 53dd759d56240beba49d6318b4e53197
  - SHA1: 25f4afea4e8babc6d7774fcf08b48f3917f05ae8
  - SHA256: 7904257af820db24fcf0cba9fe6cd156eecd2a99c4b837f5807660d2c13b5fb0
  - SHA512: 61c4e0b2348317efa48905e6918040775269022d052af5f805a45670710fa1259606011e08b434ffe4ebdea58dc95b6a053f2af9d0539f4e119cd5bbca5924d2

Memory dumps (resource, filesize):
- memory/1116-27-0x0000000000400000-0x0000000000471000-memory.dmp: 452KB
- memory/1116-28-0x0000000000400000-0x0000000000471000-memory.dmp: 452KB
- memory/1116-26-0x0000000000400000-0x0000000000471000-memory.dmp: 452KB
- memory/1116-23-0x0000000000400000-0x0000000000471000-memory.dmp: 452KB
- memory/1556-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp: 4KB
- memory/1556-18-0x0000000074DB0000-0x0000000075361000-memory.dmp: 5.7MB
- memory/1556-2-0x0000000074DB0000-0x0000000075361000-memory.dmp: 5.7MB
- memory/1556-1-0x0000000074DB0000-0x0000000075361000-memory.dmp: 5.7MB
- memory/3640-17-0x0000000074DB0000-0x0000000075361000-memory.dmp: 5.7MB
- memory/3640-21-0x0000000074DB0000-0x0000000075361000-memory.dmp: 5.7MB
- memory/3640-38-0x0000000074DB0000-0x0000000075361000-memory.dmp: 5.7MB