Analysis
- max time kernel: 133s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-08-2024 04:32
Behavioral tasks
- behavioral1: sample b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe, resource win7-20240704-en
- behavioral2: sample b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe, resource win10v2004-20240802-en
General
- Target: b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe
- Size: 22KB
- MD5: b65a76fd42efc7f36732615706b3b4f8
- SHA1: e09918f51e18329003a99f158daeae42d37a40d7
- SHA256: c6c491d1e94107c1019008e9862ed1f5d860488dd3b217938383cfe27c66104c
- SHA512: 7b74be37b4529ec2646217205402ccd11c459e4ae5e4707d527e96a2a8a6876b004100a5415c6c053059630e8f60ff4251b41020aa0a56930fba620850a9e844
- SSDEEP: 384:9YktYUvegZT1FurcYmkSQRbGyHYF5pJJ0llqy4txdGdeUXqOkiz:qktYkDZTq4oSQRbGgYLpfSq3kAZZu
Malware Config
(no configuration extracted in this report)
Signatures
(the IoCs below are from behavioral2, the win10v2004-20240802-en run, as the behavioral2/ resource paths show)

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource: behavioral2/files/0x0007000000023481-5.dat  yara_rule: acprotect
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation  process: b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe
Loads dropped DLL (1 IoC)
PID 4976  b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe

UPX-packed (yara rule: upx, 5 IoCs)
resource / yara_rule:
- behavioral2/memory/4976-0-0x0000000000400000-0x0000000000409000-memory.dmp  upx
- behavioral2/memory/4976-8-0x0000000010000000-0x0000000010010000-memory.dmp  upx
- behavioral2/files/0x0007000000023481-5.dat  upx
- behavioral2/memory/4976-12-0x0000000010000000-0x0000000010010000-memory.dmp  upx
- behavioral2/memory/4976-11-0x0000000000400000-0x0000000000409000-memory.dmp  upx
The dropped file 0x0007000000023481-5.dat matches both the acprotect rule above and the upx rule. The 0x00400000 region is the sample's own image in PID 4976; 0x10000000 is the default image base a 32-bit DLL gets when it is not rebased, which is consistent with the dropped DLL being mapped into the same process.
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity. Here the sample spawns cmd.exe to delete its own executable by its 8.3 short name (see the process tree below).
Drops file in System32 directory (1 IoC)
File opened for modification: C:\Windows\SysWOW64\A1A6BC2E.dll  process: b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe
Drops file in Windows directory (1 IoC)
File opened for modification: C:\Windows\fOnts\JNwybEjgUVaxBU5d.Ttf  process: b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe (path casing as recorded by the sandbox)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: cmd.exe
Modifies registry class (7 IoCs)
All seven entries are written by b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe and together register a 32-bit in-process COM server (HKLM\SOFTWARE\Classes\WOW6432Node, so the writer is a WOW64 process) under CLSID {A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}, whose InprocServer32 default value points at the DLL dropped above. Note that the DLL name A1A6BC2E is the first DWORD of the CLSID. Key-name casing (CLsID) is reproduced as recorded.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32\ThreadingModel = "Apartment"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32\ = "C:\\Windows\\SysWow64\\A1A6BC2E.dll"
Suspicious behavior: EnumeratesProcesses (6 IoCs)
PID 4976  b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe (recorded 6 times)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege  PID 4976  b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe (the same entry recorded 64 times)
SeDebugPrivilege is enabled repeatedly alongside the process enumeration above; the only WriteProcessMemory target recorded in this report is the cmd.exe child it spawned (PID 440), and no writes to unrelated processes appear.
Suspicious use of SetWindowsHookEx (1 IoC)
PID 4976  b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description / pid / process / procid_target:
- PID 4976 wrote to memory of 440  4976  b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe  90
- PID 4976 wrote to memory of 440  4976  b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe  90
- PID 4976 wrote to memory of 440  4976  b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe  90
Processes
C:\Users\Admin\AppData\Local\Temp\b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe (PID 4976)
  command line: "C:\Users\Admin\AppData\Local\Temp\b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe (PID 440, child of 4976)
      command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B65A76~1.EXE >> NUL
      - System Location Discovery: System Language Discovery
Notes on the tree: B65A76~1.EXE is the 8.3 short name of the sample, so the child cmd.exe deletes the sample's own executable after it has dropped its payload (the File Deletion TTP above). The command line asks for C:\Windows\system32\cmd.exe but the image that actually runs is C:\Windows\SysWOW64\cmd.exe; that is WOW64 file-system redirection for a 32-bit parent, and the same redirection puts the CLSID registration under WOW6432Node.
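The two behaviours worth turning into detection logic on this report are the COM registration that points InprocServer32 at a freshly dropped DLL, and the cmd.exe child that deletes its parent by 8.3 short name. The script below is an added example, not part of the sandbox report or its vendor's tooling: it parses the report's flattened "description / ioc / Process" rows and the process tree (both reconstructed here as constructed records copied from the lines above) and correlates them. The tuple layout, the function names, and the simplified 8.3 alias rule are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed from the IoC lines of this report, not a live capture. The
# (description, ioc) tuples mirror the flattened "description / ioc / Process"
# rows; that layout and every function name here are assumptions.
_BASE = r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node'
_CLSID = r'\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}'
REGISTRY_IOCS = [
    ('Set value (str)', _BASE + r'\CLSID' + _CLSID + r'\InprocServer32\ThreadingModel = "Apartment"'),
    ('Key created', _BASE + r'\CLsID' + _CLSID + r'\InprocServer32'),
    ('Key created', _BASE),
    ('Key created', _BASE + r'\CLsID'),
    ('Key created', _BASE + r'\CLSID' + _CLSID),
    ('Key created', _BASE + r'\CLSID' + _CLSID + r'\InprocServer32'),
    ('Set value (str)', _BASE + r'\CLSID' + _CLSID + r'\InprocServer32\ = "C:\\Windows\\SysWow64\\A1A6BC2E.dll"'),
]
DROPPED_FILES = [r'C:\Windows\SysWOW64\A1A6BC2E.dll', r'C:\Windows\fOnts\JNwybEjgUVaxBU5d.Ttf']
PROCESSES = [  # pid, parent pid, image, command line, as in the process tree above
    {'pid': 4976, 'parent': None,
     'image': r'C:\Users\Admin\AppData\Local\Temp\b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe',
     'cmdline': r'"C:\Users\Admin\AppData\Local\Temp\b65a76fd42efc7f36732615706b3b4f8_JaffaCakes118.exe"'},
    {'pid': 440, 'parent': 4976, 'image': r'C:\Windows\SysWOW64\cmd.exe',
     'cmdline': r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B65A76~1.EXE >> NUL'},
]

INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32\\ = "(.*)"$', re.IGNORECASE)
DEL_RE = re.compile(r'/c\s+del\s+(?:/\w\s+)*"?([^"\s]+)"?', re.IGNORECASE)


def norm(path):
    """Case-insensitive, separator-normalised form for comparing Windows paths."""
    return str(PureWindowsPath(path)).lower()


def inproc_servers(registry_iocs):
    """CLSID -> DLL path, from 'Set value' rows that write the default
    InprocServer32 value. The report escapes backslashes inside values."""
    out = {}
    for desc, ioc in registry_iocs:
        m = INPROC_RE.search(ioc) if desc.startswith('Set value') else None
        if m:
            out[m.group(1).upper()] = m.group(2).replace('\\\\', '\\')
    return out


def com_servers_in_dropped_files(registry_iocs, dropped_files):
    """A newly registered in-process COM server whose DLL is one of the files
    the sample dropped. Also records whether the DLL name is the first DWORD
    of the CLSID, a naming habit that makes a cheap hunt rule."""
    dropped = {norm(p): p for p in dropped_files}
    findings = []
    for clsid, dll in inproc_servers(registry_iocs).items():
        if norm(dll) in dropped:
            findings.append({'clsid': clsid, 'dll': dll, 'dropped_as': dropped[norm(dll)],
                             'name_from_clsid': clsid.strip('{}').split('-')[0] == PureWindowsPath(dll).stem.upper()})
    return findings


def short_name_8_3(filename):
    """Approximate the 8.3 alias Windows generates for a long name: first six
    stem characters + '~1' + three-character extension, upper-cased. Real
    aliases differ on collisions (~2, ~3, ...) and on names with spaces or
    non-ASCII characters; this simplification is an assumption."""
    p = PureWindowsPath(filename)
    stem, ext = p.stem, p.suffix.lstrip('.')
    if len(stem) <= 8 and len(ext) <= 3 and '.' not in stem:
        return p.name.upper()
    alias = stem.replace(' ', '').replace('.', '')[:6].upper() + '~1'
    return f'{alias}.{ext[:3].upper()}' if ext else alias


def self_deletion(processes):
    """Child cmd.exe whose 'del' target is its parent's own image, matched by
    long name or by the 8.3 alias, as in the tree above (B65A76~1.EXE)."""
    by_pid = {p['pid']: p for p in processes}
    hits = []
    for proc in processes:
        parent = by_pid.get(proc['parent'])
        if parent is None or PureWindowsPath(proc['image']).name.lower() != 'cmd.exe':
            continue
        m = DEL_RE.search(proc['cmdline'])
        if not m:
            continue
        target, parent_img = PureWindowsPath(m.group(1)), PureWindowsPath(parent['image'])
        same_dir = norm(str(target.parent)) == norm(str(parent_img.parent))
        name_hit = target.name.upper() in (parent_img.name.upper(), short_name_8_3(parent_img.name))
        if same_dir and name_hit:
            hits.append({'parent_pid': parent['pid'], 'child_pid': proc['pid'], 'deleted': str(target)})
    return hits


if __name__ == '__main__':
    for f in com_servers_in_dropped_files(REGISTRY_IOCS, DROPPED_FILES):
        print('COM InprocServer32 points at a dropped DLL:', f)
    for h in self_deletion(PROCESSES):
        print('self-deletion through cmd.exe:', h)
```

Run as-is it reports the single COM registration (CLSID {A1A6BC2E-...} → C:\Windows\SysWow64\A1A6BC2E.dll, name derived from the CLSID) and the single self-deletion (PID 4976 → PID 440). To apply it to another report, replace the constructed records with that report's "Modifies registry class", dropped-file and process-tree rows; the 8.3 matcher will miss aliases other than ~1, so treat a miss there as "unknown", not "clean".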
Network
(no network indicators listed in this report)
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 215KB
- MD5: 2263fb4e09c06ddf4af1f2e6e6eea6ae
- SHA1: 3074a2bfcca0a5dcf51c50521e7ed532ac8bb107
- SHA256: 3001d283c905dd498f58f7a74a11cc4fc0331fb4de1e9fb0e6e80328abce43e4
- SHA512: 7218a02a0644f4aa673692c6f00cc066f199a375c1908cb159280f2350bc039b78eecf32b36f63627bd026e361f43b6f26ad7cd46886e698ddd63c540bc174c1