810b9217e471be345a7f29c2ef531fab215b499a1a3901358163dc9ebb301c2b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 06:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe
Size

21KB
MD5

83657ab8e92c6af61bf0a8bac9e923c9
SHA1

54448b816360fcf03e99d2f16fbc84bf1158db15
SHA256

810b9217e471be345a7f29c2ef531fab215b499a1a3901358163dc9ebb301c2b
SHA512

111405764f688dfa9000857b7ac373cdd2343ae891aef3e4833d03544ea34e6d3573b02fc709399cad07f87d27f847dc4cc822e5281f68e07d9b0a3bf90f1e24
SSDEEP

384:rsOVL3GUoU+ssXbOnS5twtmWF0jvZSIhaQYIg:rDVyRssLtwCjRVaLH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3520	svost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svost.exe	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svost.exe	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
4948	taskkill.exe
4572	taskkill.exe
4844	taskkill.exe
628	taskkill.exe
2120	taskkill.exe
2216	taskkill.exe
4076	taskkill.exe
1132	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe
4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe
4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe
4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe
3520	svost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2996	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	83
PID 4668 wrote to memory of 2996	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	83
PID 4668 wrote to memory of 2996	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	83
PID 4668 wrote to memory of 4332	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	84
PID 4668 wrote to memory of 4332	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	84
PID 4668 wrote to memory of 4332	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	84
PID 4668 wrote to memory of 2368	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	85
PID 4668 wrote to memory of 2368	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	85
PID 4668 wrote to memory of 2368	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	85
PID 4668 wrote to memory of 1364	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	86
PID 4668 wrote to memory of 1364	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	86
PID 4668 wrote to memory of 1364	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	86
PID 3520 wrote to memory of 4132	3520	svost.exe	92
PID 3520 wrote to memory of 4132	3520	svost.exe	92
PID 3520 wrote to memory of 4132	3520	svost.exe	92
PID 3520 wrote to memory of 4240	3520	svost.exe	93
PID 3520 wrote to memory of 4240	3520	svost.exe	93
PID 3520 wrote to memory of 4240	3520	svost.exe	93
PID 3520 wrote to memory of 1680	3520	svost.exe	94
PID 3520 wrote to memory of 1680	3520	svost.exe	94
PID 3520 wrote to memory of 1680	3520	svost.exe	94
PID 3520 wrote to memory of 3508	3520	svost.exe	95
PID 3520 wrote to memory of 3508	3520	svost.exe	95
PID 3520 wrote to memory of 3508	3520	svost.exe	95
PID 4668 wrote to memory of 3632	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	96
PID 4668 wrote to memory of 3632	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	96
PID 4668 wrote to memory of 3632	4668	83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe	96
PID 2368 wrote to memory of 2216	2368	cmd.exe	102
PID 2368 wrote to memory of 2216	2368	cmd.exe	102
PID 2368 wrote to memory of 2216	2368	cmd.exe	102
PID 2996 wrote to memory of 4076	2996	cmd.exe	103
PID 2996 wrote to memory of 4076	2996	cmd.exe	103
PID 2996 wrote to memory of 4076	2996	cmd.exe	103
PID 1364 wrote to memory of 1132	1364	cmd.exe	104
PID 1364 wrote to memory of 1132	1364	cmd.exe	104
PID 1364 wrote to memory of 1132	1364	cmd.exe	104
PID 4332 wrote to memory of 4948	4332	cmd.exe	105
PID 4332 wrote to memory of 4948	4332	cmd.exe	105
PID 4332 wrote to memory of 4948	4332	cmd.exe	105
PID 1680 wrote to memory of 4572	1680	cmd.exe	106
PID 1680 wrote to memory of 4572	1680	cmd.exe	106
PID 1680 wrote to memory of 4572	1680	cmd.exe	106
PID 4240 wrote to memory of 4844	4240	cmd.exe	107
PID 4240 wrote to memory of 4844	4240	cmd.exe	107
PID 4240 wrote to memory of 4844	4240	cmd.exe	107
PID 3508 wrote to memory of 628	3508	cmd.exe	108
PID 3508 wrote to memory of 628	3508	cmd.exe	108
PID 3508 wrote to memory of 628	3508	cmd.exe	108
PID 4132 wrote to memory of 2120	4132	cmd.exe	109
PID 4132 wrote to memory of 2120	4132	cmd.exe	109
PID 4132 wrote to memory of 2120	4132	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\83657ab8e92c6af61bf0a8bac9e923c9_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\83657A~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632

C:\Windows\SysWOW64\svost.exe
C:\Windows\SysWOW64\svost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svost.exe

Filesize
21KB

MD5
83657ab8e92c6af61bf0a8bac9e923c9

SHA1
54448b816360fcf03e99d2f16fbc84bf1158db15

SHA256
810b9217e471be345a7f29c2ef531fab215b499a1a3901358163dc9ebb301c2b

SHA512
111405764f688dfa9000857b7ac373cdd2343ae891aef3e4833d03544ea34e6d3573b02fc709399cad07f87d27f847dc4cc822e5281f68e07d9b0a3bf90f1e24

Download Submit