Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
30-07-2024 13:02
Behavioral task
behavioral1
Sample
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe
-
Size
4.8MB
-
MD5
6ff1ca648505fe8bea6b4a26616b9722
-
SHA1
7020b4d9e700b697d507a61bffea12c9475a23d2
-
SHA256
7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365
-
SHA512
e65d67e22807e1a539997bd763fc6063226fce207c57b3b0316ef7640471f460016fa5f58feb006ff96dd7a2cf5bcff7c17f0af763e8518431fe13ce6d8c9db2
-
SSDEEP
98304:zDAjjvoF+Cp+/bbbbp7FO1gTL9M5gmoZHOoOVsHalI:zuvAObbbbp78+VwzV0alI
Malware Config
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 6 IoCs
Processes:
resource yara_rule behavioral2/memory/2928-0-0x0000000000420000-0x00000000008F7000-memory.dmp family_avaddon behavioral2/memory/2928-2-0x0000000000420000-0x00000000008F7000-memory.dmp family_avaddon behavioral2/memory/2928-3-0x0000000000420000-0x00000000008F7000-memory.dmp family_avaddon behavioral2/memory/2928-1-0x0000000000420000-0x00000000008F7000-memory.dmp family_avaddon behavioral2/memory/2928-296-0x0000000000420000-0x00000000008F7000-memory.dmp family_avaddon behavioral2/memory/2928-387-0x0000000000420000-0x00000000008F7000-memory.dmp family_avaddon -
Processes:
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe -
Renames multiple (179) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe -
Processes:
resource yara_rule behavioral2/memory/2928-0-0x0000000000420000-0x00000000008F7000-memory.dmp themida behavioral2/memory/2928-2-0x0000000000420000-0x00000000008F7000-memory.dmp themida behavioral2/memory/2928-3-0x0000000000420000-0x00000000008F7000-memory.dmp themida behavioral2/memory/2928-1-0x0000000000420000-0x00000000008F7000-memory.dmp themida behavioral2/memory/2928-296-0x0000000000420000-0x00000000008F7000-memory.dmp themida behavioral2/memory/2928-387-0x0000000000420000-0x00000000008F7000-memory.dmp themida -
Processes:
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exedescription ioc process File opened (read-only) \??\A: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\P: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\T: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\V: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\Z: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\W: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\X: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\F: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\B: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\E: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\G: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\M: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\O: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\U: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\J: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\L: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\Q: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\R: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\S: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\H: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\I: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\K: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\N: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe File opened (read-only) \??\Y: 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 26 api.myip.com 27 api.myip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exewmic.exewmic.exewmic.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exepid process 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
wmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 4552 wmic.exe Token: SeSecurityPrivilege 4552 wmic.exe Token: SeTakeOwnershipPrivilege 4552 wmic.exe Token: SeLoadDriverPrivilege 4552 wmic.exe Token: SeSystemProfilePrivilege 4552 wmic.exe Token: SeSystemtimePrivilege 4552 wmic.exe Token: SeProfSingleProcessPrivilege 4552 wmic.exe Token: SeIncBasePriorityPrivilege 4552 wmic.exe Token: SeCreatePagefilePrivilege 4552 wmic.exe Token: SeBackupPrivilege 4552 wmic.exe Token: SeRestorePrivilege 4552 wmic.exe Token: SeShutdownPrivilege 4552 wmic.exe Token: SeDebugPrivilege 4552 wmic.exe Token: SeSystemEnvironmentPrivilege 4552 wmic.exe Token: SeRemoteShutdownPrivilege 4552 wmic.exe Token: SeUndockPrivilege 4552 wmic.exe Token: SeManageVolumePrivilege 4552 wmic.exe Token: 33 4552 wmic.exe Token: 34 4552 wmic.exe Token: 35 4552 wmic.exe Token: 36 4552 wmic.exe Token: SeIncreaseQuotaPrivilege 3792 wmic.exe Token: SeSecurityPrivilege 3792 wmic.exe Token: SeTakeOwnershipPrivilege 3792 wmic.exe Token: SeLoadDriverPrivilege 3792 wmic.exe Token: SeSystemProfilePrivilege 3792 wmic.exe Token: SeSystemtimePrivilege 3792 wmic.exe Token: SeProfSingleProcessPrivilege 3792 wmic.exe Token: SeIncBasePriorityPrivilege 3792 wmic.exe Token: SeCreatePagefilePrivilege 3792 wmic.exe Token: SeBackupPrivilege 3792 wmic.exe Token: SeRestorePrivilege 3792 wmic.exe Token: SeShutdownPrivilege 3792 wmic.exe Token: SeDebugPrivilege 3792 wmic.exe Token: SeSystemEnvironmentPrivilege 3792 wmic.exe Token: SeRemoteShutdownPrivilege 3792 wmic.exe Token: SeUndockPrivilege 3792 wmic.exe Token: SeManageVolumePrivilege 3792 wmic.exe Token: 33 3792 wmic.exe Token: 34 3792 wmic.exe Token: 35 3792 wmic.exe Token: 36 3792 wmic.exe Token: SeIncreaseQuotaPrivilege 1484 wmic.exe Token: SeSecurityPrivilege 1484 wmic.exe Token: SeTakeOwnershipPrivilege 1484 wmic.exe Token: SeLoadDriverPrivilege 1484 wmic.exe Token: SeSystemProfilePrivilege 1484 wmic.exe Token: SeSystemtimePrivilege 1484 wmic.exe Token: SeProfSingleProcessPrivilege 1484 wmic.exe Token: SeIncBasePriorityPrivilege 1484 wmic.exe Token: SeCreatePagefilePrivilege 1484 wmic.exe Token: SeBackupPrivilege 1484 wmic.exe Token: SeRestorePrivilege 1484 wmic.exe Token: SeShutdownPrivilege 1484 wmic.exe Token: SeDebugPrivilege 1484 wmic.exe Token: SeSystemEnvironmentPrivilege 1484 wmic.exe Token: SeRemoteShutdownPrivilege 1484 wmic.exe Token: SeUndockPrivilege 1484 wmic.exe Token: SeManageVolumePrivilege 1484 wmic.exe Token: 33 1484 wmic.exe Token: 34 1484 wmic.exe Token: 35 1484 wmic.exe Token: 36 1484 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exedescription pid process target process PID 2928 wrote to memory of 4552 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe wmic.exe PID 2928 wrote to memory of 4552 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe wmic.exe PID 2928 wrote to memory of 4552 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe wmic.exe PID 2928 wrote to memory of 3792 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe wmic.exe PID 2928 wrote to memory of 3792 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe wmic.exe PID 2928 wrote to memory of 3792 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe wmic.exe PID 2928 wrote to memory of 1484 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe wmic.exe PID 2928 wrote to memory of 1484 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe wmic.exe PID 2928 wrote to memory of 1484 2928 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe wmic.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe"1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2928-0-0x0000000000420000-0x00000000008F7000-memory.dmpFilesize
4.8MB
-
memory/2928-2-0x0000000000420000-0x00000000008F7000-memory.dmpFilesize
4.8MB
-
memory/2928-3-0x0000000000420000-0x00000000008F7000-memory.dmpFilesize
4.8MB
-
memory/2928-1-0x0000000000420000-0x00000000008F7000-memory.dmpFilesize
4.8MB
-
memory/2928-296-0x0000000000420000-0x00000000008F7000-memory.dmpFilesize
4.8MB
-
memory/2928-387-0x0000000000420000-0x00000000008F7000-memory.dmpFilesize
4.8MB