Analysis
max time kernel: 144s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-08-2024 07:24

Static task: static1
Behavioral task: behavioral1
  Sample: cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
  Resource: win7-20240729-en
General
Target: cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
Size: 900KB
MD5: cc6962b007a8512fd286d0d50489e3f0
SHA1: 326665ca3524b4b1afbf2ecb5c3096ff19e7de55
SHA256: deba095b9ba5ffd6ea866849da264d0197efbaf12acd27b900213354d0fa18ff
SHA512: 4173a8311a6feeac481ecc8551252122f0fd04e1a9a7fb549d735078e5bf84a6e8e311f905c0e30f3eaef1eaf1bbd50eb05de3b623922f0a9859c9b99be1fa4d
SSDEEP: 24576:ZotQUwXBNssktnYM441giJ22zPubfCMqtPQgqevcZGq2bl:OtQUgQPuOJtTtvcZVwl
Malware Config
Signatures

Expiro payload (36 IoCs)
YARA rule family_expiro1 matched 36 memory dumps taken during behavioral2, all of the mapped image region 0x0000000000400000-0x00000000006A3000 (dump files behavioral2/memory/<pid>-<n>-0x0000000000400000-0x00000000006A3000-memory.dmp):
  PID 2864 (cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe): dumps 2, 5 through 27, 54, 55 (26 dumps)
  PID 3676 (xoarc.exe): dumps 34, 35, 36, 38, 39, 40, 42, 43, 44, 52 (10 dumps)

Executes dropped EXE (1 IoC)
  xoarc.exe, PID 3676

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Opened by: cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe, xoarc.exe, explorer.exe, cmd.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  xoarc.exe, PID 3676 (4 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeSecurityPrivilege, PID 2864 cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Source PID and image -> target PID and image (number of calls):
  2864 cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe -> 3676 xoarc.exe (3)
  3676 xoarc.exe -> 2740 explorer.exe (8)
  3676 xoarc.exe -> 2516 sihost.exe (5)
  3676 xoarc.exe -> 2600 svchost.exe (5)
  3676 xoarc.exe -> 2904 taskhostw.exe (5)
  3676 xoarc.exe -> 3420 Explorer.EXE (5)
  3676 xoarc.exe -> 3576 svchost.exe (5)
  3676 xoarc.exe -> 3752 DllHost.exe (5)
  3676 xoarc.exe -> 3844 StartMenuExperienceHost.exe (5)
  3676 xoarc.exe -> 3904 RuntimeBroker.exe (5)
  3676 xoarc.exe -> 3996 SearchApp.exe (5)
  3676 xoarc.exe -> 2820 RuntimeBroker.exe (5)
  3676 xoarc.exe -> 2128 RuntimeBroker.exe (3)
Processes
Indentation shows the parent/child relationship reported by the sandbox; each entry gives the image path, the command line, the PID and the signatures that matched on that process.

C:\Windows\system32\sihost.exe
  cmdline: sihost.exe | PID 2516
C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2600
C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2904
C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE | PID 3420
    C:\Users\Admin\AppData\Local\Temp\cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe" | PID 2864
      signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Vuocig\xoarc.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\Vuocig\xoarc.exe" | PID 3676
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\explorer.exe
              cmdline: "C:\Windows\SysWOW64\explorer.exe" | PID 2740
              signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd948ccaa.bat" | PID 3328
          signatures: System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3576
C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3752
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3844
C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3904
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3996
C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2820
C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2128
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2084
C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 712
C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 4732
C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 220
C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1252
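The process tree and the WriteProcessMemory signature above carry two of the facts a detection engineer would key on: a binary dropped under AppData\Roaming and launched by a parent running from the Temp directory, and one process writing into a dozen processes it did not start. The Python below is an added example written for this page, not code from the sandbox vendor or from the report. It rebuilds the parent/child tree from the report's depth markers, parses "wrote to memory of" lines in the report's own format, and separates writes into a process's own child (the SysWOW64 explorer.exe that xoarc.exe spawned) from writes into processes that were already running. The sample rows are transcribed from the report with repeated lines collapsed and only part of the tree included; the threshold of three foreign targets is an arbitrary choice for the example, not a published rule.

```python
"""Added example: rebuild a sandbox process tree from depth markers and score
process-injection fan-out from 'wrote to memory of' IoC lines.

The sample data below is transcribed from the report above (a subset of the
tree, with repeated WriteProcessMemory lines collapsed). It is constructed for
this example and is not machine output of the sandbox."""
import re
from collections import defaultdict

# (depth, image path, pid): depth 1 is a root as the sandbox displays it, and a
# row at depth d is a child of the most recent row at depth d-1.
PROCESS_TREE = [
    (1, r"C:\Windows\system32\sihost.exe", 2516),
    (1, r"C:\Windows\Explorer.EXE", 3420),
    (2, r"C:\Users\Admin\AppData\Local\Temp\cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe", 2864),
    (3, r"C:\Users\Admin\AppData\Roaming\Vuocig\xoarc.exe", 3676),
    (4, r"C:\Windows\SysWOW64\explorer.exe", 2740),
    (3, r"C:\Windows\SysWOW64\cmd.exe", 3328),
    (1, r"C:\Windows\system32\svchost.exe", 3576),
]

# IoC lines in the report's own format:
# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_LINES = """
PID 2864 wrote to memory of 3676 2864 cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe xoarc.exe
PID 2864 wrote to memory of 3676 2864 cc6962b007a8512fd286d0d50489e3f0_JaffaCakes118.exe xoarc.exe
PID 3676 wrote to memory of 2740 3676 xoarc.exe explorer.exe
PID 3676 wrote to memory of 2516 3676 xoarc.exe sihost.exe
PID 3676 wrote to memory of 2600 3676 xoarc.exe svchost.exe
PID 3676 wrote to memory of 2904 3676 xoarc.exe taskhostw.exe
PID 3676 wrote to memory of 3420 3676 xoarc.exe Explorer.EXE
PID 3676 wrote to memory of 3576 3676 xoarc.exe svchost.exe
PID 3676 wrote to memory of 3752 3676 xoarc.exe DllHost.exe
PID 3676 wrote to memory of 3844 3676 xoarc.exe StartMenuExperienceHost.exe
PID 3676 wrote to memory of 3904 3676 xoarc.exe RuntimeBroker.exe
PID 3676 wrote to memory of 3996 3676 xoarc.exe SearchApp.exe
PID 3676 wrote to memory of 2820 3676 xoarc.exe RuntimeBroker.exe
PID 3676 wrote to memory of 2128 3676 xoarc.exe RuntimeBroker.exe
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def build_tree(rows):
    """Return {pid: (image, parent_pid)}; parent_pid is None for a root."""
    tree = {}
    chain = []  # pids of the current ancestor chain; chain[d-1] is the node at depth d
    for depth, image, pid in rows:
        del chain[depth - 1:]  # drop everything at this depth or deeper
        tree[pid] = (image, chain[-1] if chain else None)
        chain.append(pid)
    return tree


def injection_fanout(text):
    """Return {source_pid: {target_pid, ...}} from WriteProcessMemory IoC lines."""
    fanout = defaultdict(set)
    for src, dst, _src_image, _dst_image in WPM_RE.findall(text):
        fanout[int(src)].add(int(dst))
    return dict(fanout)


def split_targets(tree, fanout, pid):
    """Split a source's targets into its own children (a process it spawned and
    then filled with code) and foreign processes it found already running."""
    targets = fanout.get(pid, set())
    children = {t for t in targets if tree.get(t, (None, None))[1] == pid}
    return children, targets - children


def flag_injectors(tree, fanout, min_foreign=3):
    """Sources writing into at least min_foreign processes they did not spawn.
    The threshold is an assumption made for this example."""
    return sorted(pid for pid in fanout
                  if len(split_targets(tree, fanout, pid)[1]) >= min_foreign)


def flag_appdata_drops(tree):
    """(pid, parent_pid) for binaries running from AppData\\Roaming whose parent
    ran from AppData\\Local\\Temp: the drop-and-execute shape in the tree above."""
    hits = []
    for pid, (image, parent) in tree.items():
        if parent is None:
            continue
        parent_image = tree[parent][0].lower()
        if "\\appdata\\roaming\\" in image.lower() and "\\appdata\\local\\temp\\" in parent_image:
            hits.append((pid, parent))
    return sorted(hits)


if __name__ == "__main__":
    tree = build_tree(PROCESS_TREE)
    fanout = injection_fanout(WPM_LINES)
    for pid in flag_injectors(tree, fanout):
        own, foreign = split_targets(tree, fanout, pid)
        image = tree.get(pid, ("<not in tree>",))[0]
        print(f"PID {pid} {image}: wrote into {len(own)} own child, {len(foreign)} foreign processes")
    for pid, parent in flag_appdata_drops(tree):
        print(f"PID {pid} {tree[pid][0]} was dropped and run by PID {parent} {tree[parent][0]}")
```

Run as a script it prints the flagged PIDs. On this report's data xoarc.exe (PID 3676) spawned and wrote into only one child, the SysWOW64 explorer.exe (PID 2740); the other eleven targets, including its own ancestor Explorer.EXE (PID 3420), were shell and service processes already running, so a rule that fires only on writes into self-spawned processes (classic hollowing) would miss this sample while a fan-out count catches it.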
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 271B
MD5: 9a001679c86fef555b96bae5aebef034
SHA1: 845a341dc644736b3eb82844e8366f4d9cf73eaa
SHA256: f5916cf16de4f08067573ca5299c4e64c106bef81fd4cddb380705e1616884d1
SHA512: 9195c4112921efe681ae95bb02ff5611d23d47ac3145c55e8bc80861963f3a7d33e5bc9a40e7b1a7a68ca591c509cd15e0c1cc2b5db8668756c26c944b49ce00

Filesize: 900KB
MD5: e3dd74f06cf288452a1f0abbb59c344f
SHA1: 08caf81691909c9cfce1cd92b99b70d5d3e48883
SHA256: 9f8743ad4df63d5be9a23c328edf1bb8e4ded1da16d0eec413fe94e7d5448ad3
SHA512: 09fa6d62ad52d777f16e0bb3e0faebce1b935543f43702a49b96b3b94dd3b8d152a349b9c0dbf9661ebcf4ee0262a9b3235114910a07f961fa49590de328a6d1