Analysis
max time kernel: 142s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/09/2024, 03:46
Static task: static1
Behavioral task: behavioral1
Sample: d10092a7d35556340446032e6df214f4_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d10092a7d35556340446032e6df214f4_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: d10092a7d35556340446032e6df214f4_JaffaCakes118.exe
Size: 1.2MB
MD5: d10092a7d35556340446032e6df214f4
SHA1: f6ec8bb3ffa13577f0ed2c773d64072e3f714b26
SHA256: 2a0c3710c154dc26dc8fee216ea6c079420819de0fc90b08a3e5a9c8810d8a7f
SHA512: 212ed46bc9b7a56af1bb758fcc92423b74ea370f47e1dc5f2ecf37c8d6a5b97745bf8df0f331c06899d457014eac8ffcc2e14e1bcad859bbc45e744c1c0ab836
SSDEEP: 24576:0MMSw3gK+vH1+FtObBQULfKDPtY0fO6FcrAalx9IouY/pYK:lZ1KHFtOaGEm0muUx9Jz
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rundll.exe = "\"C:\\Users\\Admin\\AppData\\Local\\rundll.exe \"" | reg.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | d10092a7d35556340446032e6df214f4_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | setup.exe

Executes dropped EXE (2 IoCs)
pid | Process
4752 | setup.exe
2808 | rundll.exe

Loads dropped DLL (4 IoCs)
pid | Process
2808 | rundll.exe (4 entries)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d10092a7d35556340446032e6df214f4_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
3952 | reg.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | Process
4752 | setup.exe (22 entries)
2808 | rundll.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4752 | setup.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2808 | rundll.exe (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 228 wrote to memory of 4752 | 228 | d10092a7d35556340446032e6df214f4_JaffaCakes118.exe | 86 (3 entries)
PID 4752 wrote to memory of 2808 | 4752 | setup.exe | 87 (3 entries)
PID 4752 wrote to memory of 1676 | 4752 | setup.exe | 88 (3 entries)
PID 1676 wrote to memory of 5000 | 1676 | cmd.exe | 90 (3 entries)
PID 5000 wrote to memory of 3952 | 5000 | cmd.exe | 91 (3 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\d10092a7d35556340446032e6df214f4_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d10092a7d35556340446032e6df214f4_JaffaCakes118.exe"
    PID: 228
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\setup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        PID: 4752
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\rundll.exe
            Command line: "C:\Users\Admin\AppData\Local\rundll.exe"
            PID: 2808
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c syscheck.bat
            PID: 1676
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
                PID: 5000
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
                    PID: 3952
                    - Adds policy Run key to start application
                    - System Location Discovery: System Language Discovery
                    - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 823KB
MD5: eda62064589a56c4b4c6049e8df39fdc
SHA1: f5b408d2630acacbb3bd360d82f72a793a9d94ff
SHA256: 4cd4cc2e9701aedd9052472fffee6c8ad6f6b476b6eba010392dfc6ef10b434d
SHA512: 570d9ef5af0636eef789a21b743f72324e1b043a497053c1e26f3ac6d5746f16ba6603e6ffc4e15a272730c14004bedd6c062696ae5f0b71624db9191f7fd736

Filesize: 170B
MD5: d53c75977954601b591dba8be2f53cd1
SHA1: 5073b31394b4bb63af3d7ec0985d3a66d209abbe
SHA256: 789c15d1350284cf0270658c414fa4ed204473644675cb13f9e3981d89724090
SHA512: baa379fc240cc3e26155eaf71fa61fad78ba781f00615055e5227ccaf81bcde74723231d20b157ed2a78bf354b617da5d9d21a0badb11eb1bb3a87a86cf40ca9

Filesize: 285KB
MD5: fe2232f82e4beb5ae483da8e699e1a51
SHA1: ed2131d0f70e709f8791bfff64d2b8a4cb658ed5
SHA256: 0cb462094392aeb31dd7588d95de2577efd0987315be0ce84a531c26bee3b49e
SHA512: df9ab5afb94cff850dd5c4b4ba0cfcd77d4a5887ac85a60db223eba8c5d1d64467d77c6133b8e1f5ca795deae3623717ff4cc669919d9f96ef6df193187fcc0b

Filesize: 92KB
MD5: 8a5e40eb6518353e5758e5b237897c78
SHA1: dd452e565485f48c2131dadc40a32b0d3007cef6
SHA256: 5f8ba5c1522847452d92b507770bfb454548d8a02232040c6be4323792400d4f
SHA512: c941b82c3bd6be61506ac9215ab8e26983a8654444703b5a0236739a3b50a498ed0c65054b68481c026123d88b0f0e9e36f92b0f0028b4cc034345ec17f3b268

Filesize: 237KB
MD5: cb3630301ffbc6db112f2a29510c834b
SHA1: eb4b5df4e5192425113e40090c814f0852c7d4d5
SHA256: cfeb2809a65d1ffa3bf40fc4463fa8c6db12ee0ac1964e3bd6099a1e1b9e9bc9
SHA512: 1134856c2549f9f6acda19914cfdd404551cb5fa169a059134afacd2d374ef14753fb9ab29f262e39dbd5c50e4f5151b5aa86d2998777159009660c94f0646c6