Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-08-2024 22:45
Static task: static1

Behavioral task: behavioral1
  Sample: 8207a2d48651c610671973987148916e_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 8207a2d48651c610671973987148916e_JaffaCakes118.exe
  Resource: win10v2004-20240730-en
General
Target: 8207a2d48651c610671973987148916e_JaffaCakes118.exe
Size: 101KB
MD5: 8207a2d48651c610671973987148916e
SHA1: da6f837204486a5ab7b57588b1fe5611d2945613
SHA256: c8958f37264cb76cdce7948dc673d7d8a677ce2d002bd023a30f6613fe53dfa9
SHA512: 18a88f604410af92d43e6175278c2eb4bd83d680e5aae5eaa2d4406e0dbd7266ccd89aa339120be411507b603b18d744b8d62b39adf1d29f794ce31522f551e3
SSDEEP: 1536:D1uM3g3u1CEVEdBQg311Fu0DAq/BfBNM1c5ALltMuJcG5kXOezNoRIQxwaheVPiK:xu73ujE3511sotrKLMuv2zyIMwmeVaK
Malware Config
Signatures
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\PCIDump.sys | DS_Server.exe
File opened for modification | C:\Windows\SysWOW64\drivers\PCIDump.sys | serverqb.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation | 8207a2d48651c610671973987148916e_JaffaCakes118.exe
Executes dropped EXE 3 IoCs
pid | Process
4928 | 130.exe
1100 | DS_Server.exe
4956 | serverqb.exe

resource | yara_rule
behavioral2/files/0x000a000000023488-5.dat | upx
behavioral2/memory/4928-12-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral2/files/0x00080000000234dd-17.dat | upx
behavioral2/memory/1100-24-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/1100-37-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/4928-39-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral2/memory/4928-40-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral2/memory/4928-41-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral2/memory/4928-45-0x0000000000400000-0x000000000048D000-memory.dmp | upx
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\serverqb.exe | DS_Server.exe
File opened for modification | C:\Windows\SysWOW64\serverqb.exe | DS_Server.exe
File created | C:\Windows\SysWOW64\serverqb.exe | serverqb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8207a2d48651c610671973987148916e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 130.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DS_Server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | serverqb.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4928 | 130.exe
4928 | 130.exe
4928 | 130.exe
4928 | 130.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1100 | DS_Server.exe
Token: SeIncBasePriorityPrivilege | 4956 | serverqb.exe
Token: 33 | 2544 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2544 | AUDIODG.EXE
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
4928 | 130.exe (64 identical entries)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
4928 | 130.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4928 | 130.exe
4928 | 130.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 676 wrote to memory of 4928 | 676 | 8207a2d48651c610671973987148916e_JaffaCakes118.exe | 85
PID 676 wrote to memory of 4928 | 676 | 8207a2d48651c610671973987148916e_JaffaCakes118.exe | 85
PID 676 wrote to memory of 4928 | 676 | 8207a2d48651c610671973987148916e_JaffaCakes118.exe | 85
PID 676 wrote to memory of 1100 | 676 | 8207a2d48651c610671973987148916e_JaffaCakes118.exe | 88
PID 676 wrote to memory of 1100 | 676 | 8207a2d48651c610671973987148916e_JaffaCakes118.exe | 88
PID 676 wrote to memory of 1100 | 676 | 8207a2d48651c610671973987148916e_JaffaCakes118.exe | 88
PID 1100 wrote to memory of 4956 | 1100 | DS_Server.exe | 89
PID 1100 wrote to memory of 4956 | 1100 | DS_Server.exe | 89
PID 1100 wrote to memory of 4956 | 1100 | DS_Server.exe | 89
PID 1100 wrote to memory of 2928 | 1100 | DS_Server.exe | 90
PID 1100 wrote to memory of 2928 | 1100 | DS_Server.exe | 90
PID 1100 wrote to memory of 2928 | 1100 | DS_Server.exe | 90
PID 4956 wrote to memory of 216 | 4956 | serverqb.exe | 91
PID 4956 wrote to memory of 216 | 4956 | serverqb.exe | 91
PID 4956 wrote to memory of 216 | 4956 | serverqb.exe | 91
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8207a2d48651c610671973987148916e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8207a2d48651c610671973987148916e_JaffaCakes118.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 676

    [2] C:\Users\Admin\AppData\Local\Temp\130.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\130.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        PID: 4928

    [2] C:\Users\Admin\AppData\Local\Temp\DS_Server.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DS_Server.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1100

        [3] C:\Windows\SysWOW64\serverqb.exe
            Command line: "C:\Windows\system32\serverqb.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 4956

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\serverqb.exe > nul
                - System Location Discovery: System Language Discovery
                PID: 216

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\DS_SER~1.EXE > nul
            - System Location Discovery: System Language Discovery
            PID: 2928

[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x484 0x2f4
    - Suspicious use of AdjustPrivilegeToken
    PID: 2544
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 78KB
MD5: af68307cfdfb77c33404118fbde36e37
SHA1: f7a9a3204286848ac06a4a40b75cefd747eebb82
SHA256: 6ebca32fb010d4d51de075bade679295ad39f29100a2c5bcd79cfdd09793a1a4
SHA512: 611df2e9b563a36d7d02544e9b71c5afbb81cb9b98714a77747467fde8a63feabaacbc308871fac1c5aa1fea871711cb5af33b5d7eabe92009896ce39dac0ddf

Filesize: 17KB
MD5: 2642506650ac5ada29e46e24e6bb3d2d
SHA1: d922ac0148a343ffe6d20910f3f049a97da13900
SHA256: 90677d892b05e80f6eddfc6cca1cae2b6a069c00008229942b0020e06b56df2f
SHA512: 7ce91d07a53e028acbcbe4259fde8c4958833a9ae5610eaca7c05c65253a5eb0a931a3e3352d966ba9a9bdc59f7f3566a6c992a4abd4a9b727f79261fb9a1a30

Filesize: 4KB
MD5: d058dd1757e857d2cf1afcadce95a521
SHA1: 3d5563ce8e7a11110d238b25711a176a63bfb703
SHA256: a0cd51ff93d087654b5ceccc279df8eb5e9783a530a3bca83a06c7f82025885d
SHA512: 748937d6ae01ddbe97470754b73563c04e492d7980a8e0bbb9ed7838e85c8cff912d087204325664c3051aeba15606d23b9b507b211a6369e7ecc7bda175da44