Analysis
-
max time kernel
135s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-08-2024 16:38
Static task
static1
Behavioral task
behavioral1
Sample
9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe
-
Size
386KB
-
MD5
9f255a5fd8e9cbb1e8c2b1c88d436665
-
SHA1
b1583d74bd8eba91a43de585e4c13fa142441efc
-
SHA256
25a7825a3bb8e1777dcaec1627d0030492091f053d77d660aa026a7e80b0ce0f
-
SHA512
fa77764dcffabf9ebd295ddb741de5de8c1d899f20943579eff8c0aab8d3f204a5835e993271b847335ee6188db5bc6e3504c1e9b3b5f5f0c8d6c7aead25e27a
-
SSDEEP
6144:uptmZ62NlgsWxhFkZpXIGWvDwYNSZZa2TjaFJ7eIbH661cdfFI6u:StmLb2hFko5NS3LTk7pvchu
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation 9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 3016 explorer.exe -
Executes dropped EXE 1 IoCs
pid Process 3016 explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3632 9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe Token: SeDebugPrivilege 3016 explorer.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3632 wrote to memory of 3016 3632 9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe 84 PID 3632 wrote to memory of 3016 3632 9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe 84 PID 3016 wrote to memory of 2560 3016 explorer.exe 87 PID 3016 wrote to memory of 2560 3016 explorer.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9f255a5fd8e9cbb1e8c2b1c88d436665_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe3⤵PID:2560
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84B
MD53a0c056fba2bbf42f9666d4fc3c900b3
SHA1e56d46d5969470e54228bcc9a6eb4c562aeec6a0
SHA256360c40d068ab4cda089db1fce7f4225bb915810b21bb9bf9e51b1beb49edfda5
SHA5128da0bac2aaea0f1a6ac4aebe9c252de96289d3f063a649df2ee774cbaeb961fa4163f0992f26fb620a1758d6d4bd88da20c90ee261f004c71e4a3b8e45f3e689
-
Filesize
386KB
MD59f255a5fd8e9cbb1e8c2b1c88d436665
SHA1b1583d74bd8eba91a43de585e4c13fa142441efc
SHA25625a7825a3bb8e1777dcaec1627d0030492091f053d77d660aa026a7e80b0ce0f
SHA512fa77764dcffabf9ebd295ddb741de5de8c1d899f20943579eff8c0aab8d3f204a5835e993271b847335ee6188db5bc6e3504c1e9b3b5f5f0c8d6c7aead25e27a