Analysis

max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-08-2024 23:55

Static task: static1
Behavioral task: behavioral1
Sample: 823d7fc992e2b4b2e44cb30cfcf2ad58_JaffaCakes118.exe
Resource: win7-20240704-en
General

Target: 823d7fc992e2b4b2e44cb30cfcf2ad58_JaffaCakes118.exe
Size: 723KB
MD5: 823d7fc992e2b4b2e44cb30cfcf2ad58
SHA1: eed36d85c374ceafc134a340f3f6dc2eafd35bef
SHA256: 52706732fd76e71e25523dc927d7cd97c98a1e594de484ad68df9d9aeac200bf
SHA512: 86fa7e82ac45d3d337b9c636750836c3bd696e8044bc4785ab32f2005d914b55839b1c2fc8ac9241f7fc2f7ccb603935e975e78224f341c27947b83e1cb0a4be
SSDEEP: 12288:qcLzzgBT4KT0gnbfmfBYoxy831CzKZZZPsrd+XTR+xsk:vz04I0gjmfBYJ831XVsel+xsk
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | audioadg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe" | audioadg.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | 823d7fc992e2b4b2e44cb30cfcf2ad58_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | explorer.exe

Deletes itself (1 IoCs)
  pid | Process
  2300 | explorer.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  2300 | explorer.exe
  2004 | explorer.exe
  3936 | audioadg.exe
  2592 | Wmiprwsd.exe
  4520 | Wmiprwsd.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe" | audioadg.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2300 set thread context of 2004 | 2300 | explorer.exe | 88
  PID 2592 set thread context of 4520 | 2592 | Wmiprwsd.exe | 93

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Wmiprwsd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 823d7fc992e2b4b2e44cb30cfcf2ad58_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | audioadg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Wmiprwsd.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 repeated entries from three processes:
  pid | Process
  2300 | explorer.exe
  3936 | audioadg.exe
  2592 | Wmiprwsd.exe

Suspicious use of AdjustPrivilegeToken (52 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3084 | 823d7fc992e2b4b2e44cb30cfcf2ad58_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2300 | explorer.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries) | 2004 | explorer.exe
  Token: SeDebugPrivilege | 3936 | audioadg.exe
  Token: SeDebugPrivilege | 2592 | Wmiprwsd.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries) | 4520 | Wmiprwsd.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2004 | explorer.exe

Suspicious use of WriteProcessMemory (37 IoCs)
  description | pid | Process | procid_target | repeats
  PID 3084 wrote to memory of 2300 | 3084 | 823d7fc992e2b4b2e44cb30cfcf2ad58_JaffaCakes118.exe | 87 | 3
  PID 2300 wrote to memory of 2004 | 2300 | explorer.exe | 88 | 14
  PID 2300 wrote to memory of 3936 | 2300 | explorer.exe | 90 | 3
  PID 3936 wrote to memory of 2592 | 3936 | audioadg.exe | 92 | 3
  PID 2592 wrote to memory of 4520 | 2592 | Wmiprwsd.exe | 93 | 14
Processes

C:\Users\Admin\AppData\Local\Temp\823d7fc992e2b4b2e44cb30cfcf2ad58_JaffaCakes118.exe (PID 3084)
  command line: "C:\Users\Admin\AppData\Local\Temp\823d7fc992e2b4b2e44cb30cfcf2ad58_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Documents\explorer.exe (PID 2300)
    command line: "C:\Users\Admin\Documents\explorer.exe"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Documents\explorer.exe (PID 2004)
      command line: C:\Users\Admin\Documents\explorer.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe (PID 3936)
      command line: "C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe"
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe (PID 2592)
        command line: C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe (PID 4520)
          command line: C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 86B
  MD5: 95cd4a484ea54e7de409e8a834ae9462
  SHA1: e2a76bdf9ae2c9dd3d35efc91972420964608e15
  SHA256: a23f9c82854a7b7201baad22ed5b5d93f27d7af58422b809cbbb715fcd362802
  SHA512: c1c277a8a6c8a0789e88c4251ef4aabdbca8ca84726cb49f783f37144b2a97cbc847d38da348d1036aa993268b91f21a7bc70cd5266b32aea845500792f081da

- Filesize: 8KB
  MD5: 6ac73d462625d27d9f0f599ca1190dea
  SHA1: 746cbcaf898421e361baa72ac5400d6e5d6ef732
  SHA256: fa35e4d655c8d1eefd9d4bacab0f6d932bd061e23c49503af747161248307f0c
  SHA512: 5789644e331955e2363fd45e45a49bb4266b01ab772d503a8324e4d126ddb2e244297462030a4c63c0088551ef6cac94fa460e4f7ce9f844757afdca4a5d4601

- Filesize: 723KB (hashes identical to the submitted sample)
  MD5: 823d7fc992e2b4b2e44cb30cfcf2ad58
  SHA1: eed36d85c374ceafc134a340f3f6dc2eafd35bef
  SHA256: 52706732fd76e71e25523dc927d7cd97c98a1e594de484ad68df9d9aeac200bf
  SHA512: 86fa7e82ac45d3d337b9c636750836c3bd696e8044bc4785ab32f2005d914b55839b1c2fc8ac9241f7fc2f7ccb603935e975e78224f341c27947b83e1cb0a4be