Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-07-2024 00:01
Static task: static1
Behavioral task: behavioral1
Sample: 555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe
Size: 168KB
MD5: 555d3202e43afce04239e9c03eef07c9
SHA1: 36934ac3982e7ff1d42fdf3287892af12cf58304
SHA256: b4936100106c42df1c621d5316cb93151c873dd6930c1552d1ed884b7dc45fdb
SHA512: 5bf89fd827c330d2b52cee071afa97652837a06cf27feab4a7e66619d5fd32bcc20d3e6354c6aec8c882b01f4c401ce81c55be2d95626a366aa82865cb58390d
SSDEEP: 3072:DpcJKeEeYE/NaX3K+QT5S+SEyt0jdJkwCJC2XZZ+38zw0x:SJVEe3DnT5lTygkwCJCqZZ+YwC
Malware Config
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- 555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation
- explorer.exe: Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation
- adiadg.exe: Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation

Deletes itself (1 IoC)
Processes:
- explorer.exe (PID 2564)

Executes dropped EXE (3 IoCs)
Processes:
- explorer.exe (PID 2564)
- adiadg.exe (PID 3528)
- wmiapsvrd.exe (PID 4520)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- adiadg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\adiadg.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (the same three entries recur throughout the 64 IoCs):
- explorer.exe (PID 2564)
- adiadg.exe (PID 3528)
- wmiapsvrd.exe (PID 4520)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- 555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe (PID 5096): Token: SeDebugPrivilege
- explorer.exe (PID 2564): Token: SeDebugPrivilege
- adiadg.exe (PID 3528): Token: SeDebugPrivilege
- wmiapsvrd.exe (PID 4520): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (each entry is recorded three times in the report):
- PID 5096 (555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe) wrote to memory of PID 2564 (explorer.exe)
- PID 2564 (explorer.exe) wrote to memory of PID 3528 (adiadg.exe)
- PID 3528 (adiadg.exe) wrote to memory of PID 4520 (wmiapsvrd.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe (PID 5096)
   Command line: "C:\Users\Admin\AppData\Local\Temp\555d3202e43afce04239e9c03eef07c9_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (PID 2564)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\System\adiadg.exe (PID 3528)
         Command line: "C:\Users\Admin\AppData\Local\Temp\System\adiadg.exe"
         - Checks computer location settings
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe (PID 4520)
            Command line: "C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads