Analysis
-
max time kernel
143s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/08/2024, 04:19
Static task
static1
Behavioral task
behavioral1
Sample
a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
a98e607e0fa5292beacdd048e437118a
-
SHA1
5da4f586b4209ab5f7d886d523c038bcd40ce3a2
-
SHA256
45367afad1ea1661bf615a790cd3938bc3650aba6bde77768829d178c01e0c62
-
SHA512
e4b49fe8b171f2f184c61fcb1e49f2625adc8656d63d80b29c5e3bedba996788ae5ef0d016f5c12764e528e73e94c8a75ee945798ff5626ba2d7963f7f9c6a1b
-
SSDEEP
24576:rQmXoVTzqRHZLPSCAogOvEGr8XSWvZqhVbvL1PQ6NMCDXsspHEhXU:Mm40tcI8hvZubvLBQ6NMCzpHME
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\Beep.sys a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe File created C:\Windows\SysWOW64\drivers\Beep.sys a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 848 Server.exe 2196 Hacker.com.cn.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE Hacker.com.cn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies Hacker.com.cn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 Hacker.com.cn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 Hacker.com.cn.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Hacker.com.cn.exe Server.exe File opened for modification C:\Windows\Hacker.com.cn.exe Server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hacker.com.cn.exe -
Modifies data under HKEY_USERS 8 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Hacker.com.cn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" Hacker.com.cn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" Hacker.com.cn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" Hacker.com.cn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" Hacker.com.cn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix Hacker.com.cn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" Hacker.com.cn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" Hacker.com.cn.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 656 Process not Found 656 Process not Found -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe Token: SeDebugPrivilege 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe Token: SeDebugPrivilege 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe Token: SeDebugPrivilege 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe Token: SeDebugPrivilege 848 Server.exe Token: SeDebugPrivilege 2196 Hacker.com.cn.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2196 Hacker.com.cn.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2856 wrote to memory of 848 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe 87 PID 2856 wrote to memory of 848 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe 87 PID 2856 wrote to memory of 848 2856 a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe 87 PID 2196 wrote to memory of 800 2196 Hacker.com.cn.exe 90 PID 2196 wrote to memory of 800 2196 Hacker.com.cn.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a98e607e0fa5292beacdd048e437118a_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\Hacker.com.cn.exeC:\Windows\Hacker.com.cn.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"2⤵PID:800
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
744KB
MD517e1f9b9b27972ebe09a44bf9a80e85b
SHA1cff72b7841f4d6ebaeaac2918720b81c9fd7e5ca
SHA256367ae74095e983b96d83b9e09298ade5ad6780f5634c161fff61d95bf4bbbc52
SHA51258c1e510f9e11ad1ce0fa39c2f18017d5dac38b9350d76e91c37f5ff84675797b4d85b1136a87320cebb87943f83b2d85129ba88d278ebe37de6fac435411e1a