Analysis
- max time kernel: 137s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2024 23:04
Static task: static1
Behavioral task: behavioral1
- Sample: 719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
The signatures, process tree and dropped files on this page are from the win10v2004-20240709-en run (behavioral2, matching the platform above); results of the win7-20240708-en run are not shown here.
General
- Target: 719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe
- Size: 1.4MB
- MD5: 719d9a015f8958725db107d6f2d39e08
- SHA1: 17f1006dea5792bbcf53469319ddb310db7c901c
- SHA256: 97bfac611364f2053d75f131c489f57505972cf975162506b6988212700c656c
- SHA512: 6599c63cb9318b07cf51322281e3a05e26444565c2d69af13b5381aa0e3593d94d2249b2e91976c40b9f11b55a3eccb2e156f5e06565bb899d22d5658ec0611f
- SSDEEP: 24576:KZT1KgQju7Y7omjLwJ+l4vG1mmejfDk52XjT:WKiCLwJ+l4vG1mmejfg52XjT
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation
  process: 719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe
-
Executes dropped EXE (2 IoCs)
Processes:
  pid 884  drvhosty3.exe
  pid 952  syshost.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Driver Component = "\"C:\\Windows\\system32\\drvhosty3.exe\""
  process: 719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe
-
Drops file in System32 directory (2 IoCs)
Processes:
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\drvhosty3.exe
  process: 719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe
  description: File created
  ioc: C:\Windows\SysWOW64\drvhosty3.exe
  process: 719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe
Note the path mismatch between the two signatures: the Run value names C:\Windows\system32\drvhosty3.exe, but the file is created under C:\Windows\SysWOW64\. The sample is a 32-bit image (its Run key went into the WOW6432Node view and the dropped copy executes from SysWOW64), so WOW64 file-system redirection maps its writes to System32 onto SysWOW64. The file exists only under SysWOW64; a 64-bit process resolving the Run value's System32 path would not find it. When hunting for this persistence, check both directories and both registry views.
-
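The two signatures above only line up once WOW64 redirection is taken into account. The following is an added example, not part of the sandbox report or its tooling: it takes event rows constructed from the report's Run-key and file-create IoCs (field names are ours), normalises the persisted image path through the System32 to SysWOW64 redirection when the Run key was written into the WOW6432Node view, and links the persistence entry to the file drop that backs it.

```python
r"""Added example (not part of the sandbox report): correlate a Run-key
persistence entry with the file drop that backs it, resolving WOW64 redirection.

A 32-bit process on x64 Windows that writes HKLM\Software\...\Run lands in the
WOW6432Node view, and its file writes to %windir%\System32 are redirected to
%windir%\SysWOW64. The event rows below are constructed from the report's
"Adds Run key" and "Drops file in System32 directory" IoCs; field names are ours.
"""
import re

SAMPLE = "719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe"

# Constructed from the report; the sandbox's own event schema is not used here.
EVENTS = [
    {"op": "reg_set", "process": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "System Driver Component",
     "data": r'"C:\Windows\system32\drvhosty3.exe"'},
    {"op": "file_create", "process": SAMPLE,
     "path": r"C:\Windows\SysWOW64\drvhosty3.exe"},
]

RUN_KEY_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\runonce")


def extract_image(cmdline):
    """Executable path from a Run value: the quoted string, else the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def wow64_views(path):
    """Lower-cased set of on-disk paths a 32-bit writer may have produced for `path`.
    Only the System32 -> SysWOW64 file-system redirection is modelled; the native
    path is kept as a candidate so 64-bit writers match as well."""
    redirected = re.sub(r"(?i)^(.*\\windows)\\system32\\", r"\1\\SysWOW64\\", path)
    return {path.lower(), redirected.lower()}


def is_wow64_key(key):
    """True if the registry path sits in the 32-bit (WOW6432Node) view."""
    return "\\wow6432node\\" in key.lower()


def find_persistence(events):
    """One finding per Run/RunOnce value, linked to the file_create event that
    produced the image it points at (after WOW64 normalisation)."""
    drops = {e["path"].lower(): e for e in events if e["op"] == "file_create"}
    findings = []
    for e in events:
        if e["op"] != "reg_set" or not e["key"].lower().endswith(RUN_KEY_SUFFIXES):
            continue
        image = extract_image(e["data"])
        candidates = wow64_views(image) if is_wow64_key(e["key"]) else {image.lower()}
        backing = next((drops[c] for c in candidates if c in drops), None)
        findings.append({
            "value": e["value"],
            "image": image,
            "wow64_view": is_wow64_key(e["key"]),
            "backing_file": backing["path"] if backing else None,
            "dropped_by_same_process": bool(backing) and backing["process"] == e["process"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_persistence(EVENTS):
        print(finding)
```

Run against the constructed events, the single finding links the "System Driver Component" value to C:\Windows\SysWOW64\drvhosty3.exe and marks it as dropped by the same process that wrote the key. A Run value whose image cannot be matched to any drop in either view is worth a look too: it may point at a file that was written under a different name or by a different process.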
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: set thread context
  pid 884 (drvhosty3.exe) -> target pid 952 (syshost.exe)
Taken together with the ten WriteProcessMemory calls from 884 into 952 listed below, and with syshost.exe being a 6KB executable dropped to C:\ProgramData, this is consistent with process hollowing: a small host process is started, its memory is overwritten from the parent, and a thread context is reset with SetThreadContext so execution resumes in the written-in code.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (1 IoC)
Processes:
  pid 3632 WerFault.exe -> target pid 952 syshost.exe
The crashing process is the syshost.exe that drvhosty3.exe wrote into and re-contexted, so whatever was injected into it faulted in this run; any behaviour it would have shown afterwards is not captured on this page.
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: drvhosty3.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 3448  719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 884   drvhosty3.exe
-
Suspicious use of WriteProcessMemory (13 IoCs)
Processes (pid -> target pid, process -> target process, count of writes):
  3448 -> 884   719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe -> drvhosty3.exe   3 writes
  884 -> 952    drvhosty3.exe -> syshost.exe                                        10 writes
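The SetThreadContext, Program crash and WriteProcessMemory signatures describe one sequence seen from three angles. The following is an added example, not part of the sandbox report or its tooling: it rebuilds that sequence from cross-process events constructed from the report's rows (PIDs and image names are the report's; the event ordering and field names are ours) and flags a parent/child pair only when create, memory writes and SetThreadContext occur in that order, then records whether the child was later handed to WerFault.

```python
"""Added example (not part of the sandbox report): reconstruct the injection
chain from cross-process events. A parent that starts a child, writes into its
memory and then calls SetThreadContext on it is the process-hollowing sequence;
a WerFault launched against that child afterwards means the injected image
faulted. PIDs and names come from the report; the event list, its ordering and
the field names are constructed here.
"""
from collections import defaultdict

PROCS = {
    3448: "719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe",
    884: "drvhosty3.exe",
    952: "syshost.exe",
    3632: "WerFault.exe",
}

# (op, source pid, target pid); counts mirror the report's 3 + 10 WriteProcessMemory rows.
EVENTS = (
    [("create", 3448, 884)]
    + [("write", 3448, 884)] * 3
    + [("create", 884, 952)]
    + [("write", 884, 952)] * 10
    + [("set_thread_context", 884, 952)]
    + [("crash", 3632, 952)]
)


def hollowing_chains(events, procs, min_writes=1):
    """Return one record per (parent, child) pair that shows create -> write(s) ->
    SetThreadContext in that order. A create followed only by writes (the
    3448 -> 884 pair in the report) is not enough and is not reported."""
    def fresh():
        return {"created": False, "writes": 0, "ctx_after_write": False, "crashed": False}

    state = defaultdict(fresh)
    for op, src, dst in events:
        if op == "crash":
            # WerFault's own pid is irrelevant; attribute the crash to every
            # pair whose child is the crashing process.
            for (_, child), s in state.items():
                if child == dst:
                    s["crashed"] = True
            continue
        s = state[(src, dst)]
        if op == "create":
            s["created"] = True
        elif op == "write":
            s["writes"] += 1
        elif op == "set_thread_context" and s["writes"] >= min_writes:
            # only count a context reset that follows writes into the target
            s["ctx_after_write"] = True

    chains = []
    for (parent, child), s in state.items():
        if s["created"] and s["ctx_after_write"]:
            chains.append({
                "parent": procs.get(parent, str(parent)), "parent_pid": parent,
                "child": procs.get(child, str(child)), "child_pid": child,
                "writes": s["writes"], "child_crashed": s["crashed"],
            })
    return chains


if __name__ == "__main__":
    for chain in hollowing_chains(EVENTS, PROCS):
        print(chain)
```

On the constructed events this yields a single chain, drvhosty3.exe (884) into syshost.exe (952) with ten writes and child_crashed set, which is exactly the story the three signatures tell separately. The ordering requirement matters: a debugger or a legitimate injector that sets a thread context without first writing into the target would not be flagged, and a parent that only writes into a child it just created (as the sample does to drvhosty3.exe) is left alone.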
Processes
-
C:\Users\Admin\AppData\Local\Temp\719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe (pid 3448)
  command line: "C:\Users\Admin\AppData\Local\Temp\719d9a015f8958725db107d6f2d39e08_JaffaCakes118.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\drvhosty3.exe (pid 884)
    command line: "C:\Windows\system32\drvhosty3.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\syshost.exe (pid 952)
      command line: C:\ProgramData\syshost.exe
      - Executes dropped EXE
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 12
        - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 952
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\syshost.exe
  Filesize: 6KB
  MD5: 36c689700adbb227867e409938607270
  SHA1: 6123e236f73faa37600a60107a5b167980b83a61
  SHA256: a2158014ecd471868954d0e97397f9df43e310c48d56fa0b5a6ef908dc654adf
  SHA512: c75728ed30135032a6755e33b9034b98c871554c33a4b8ba1586e0b3282dbc65e3b61571d407365b24289dae2de56b514ef0db744f85e6648dc6432a33b85fef
-
C:\Windows\SysWOW64\drvhosty3.exe
  Filesize: 1.4MB
  MD5: 719d9a015f8958725db107d6f2d39e08
  SHA1: 17f1006dea5792bbcf53469319ddb310db7c901c
  SHA256: 97bfac611364f2053d75f131c489f57505972cf975162506b6988212700c656c
  SHA512: 6599c63cb9318b07cf51322281e3a05e26444565c2d69af13b5381aa0e3593d94d2249b2e91976c40b9f11b55a3eccb2e156f5e06565bb899d22d5658ec0611f
  These hashes are identical to the submitted sample's: the persisted drvhosty3.exe is a byte-for-byte self-copy, so the sample's own hashes also identify the persistence artifact on disk.
-
Memory dumps:
  memory/884-23-0x0000000075550000-0x0000000075B01000-memory.dmp   Filesize: 5.7MB
  memory/884-24-0x0000000075550000-0x0000000075B01000-memory.dmp   Filesize: 5.7MB
  memory/3448-0-0x0000000075552000-0x0000000075553000-memory.dmp   Filesize: 4KB
  memory/3448-1-0x0000000075550000-0x0000000075B01000-memory.dmp   Filesize: 5.7MB
  memory/3448-2-0x0000000075550000-0x0000000075B01000-memory.dmp   Filesize: 5.7MB
  memory/3448-17-0x0000000075550000-0x0000000075B01000-memory.dmp  Filesize: 5.7MB