Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2024 05:45
Static task: static1

Behavioral task: behavioral1
  Sample: d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
Size: 252KB
MD5: d3ae29e3719d5fd68d31bf3c4d9eac30
SHA1: 8739e0f1800b0a89c48e400bd36a705c39bf1c4d
SHA256: bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2
SHA512: db2cb32a5dd1fbb061e1755a48b1b9b1c35ba01a2405e5f26f5afb4f0ead8ccee3f001e6d8178e134ac65eb7b5b2eed064c978ef0fd72188805eefa8245130bf
SSDEEP: 6144:Qkp72oN2xBsSc6HHLHEKrNhKb1prrTYJR/zMCZf:QkX+sgHLEKphKb1pnYb
Malware Config
Signatures
Detects PlugX payload (18 IoCs)

resource                                                                    yara_rule
behavioral2/memory/1820-3-0x0000000003780000-0x00000000037AE000-memory.dmp  family_plugx
behavioral2/memory/1820-2-0x0000000003780000-0x00000000037AE000-memory.dmp  family_plugx
behavioral2/memory/452-5-0x0000000001490000-0x00000000014BE000-memory.dmp   family_plugx
behavioral2/memory/452-8-0x0000000001490000-0x00000000014BE000-memory.dmp   family_plugx
behavioral2/memory/452-21-0x0000000001490000-0x00000000014BE000-memory.dmp  family_plugx
behavioral2/memory/452-22-0x0000000001490000-0x00000000014BE000-memory.dmp  family_plugx
behavioral2/memory/452-23-0x0000000001490000-0x00000000014BE000-memory.dmp  family_plugx
behavioral2/memory/452-20-0x0000000001490000-0x00000000014BE000-memory.dmp  family_plugx
behavioral2/memory/452-9-0x0000000001490000-0x00000000014BE000-memory.dmp   family_plugx
behavioral2/memory/3784-25-0x0000000002580000-0x00000000025AE000-memory.dmp family_plugx
behavioral2/memory/3784-30-0x0000000002580000-0x00000000025AE000-memory.dmp family_plugx
behavioral2/memory/3784-29-0x0000000002580000-0x00000000025AE000-memory.dmp family_plugx
behavioral2/memory/3784-27-0x0000000002580000-0x00000000025AE000-memory.dmp family_plugx
behavioral2/memory/452-31-0x0000000001490000-0x00000000014BE000-memory.dmp  family_plugx
behavioral2/memory/452-32-0x0000000001490000-0x00000000014BE000-memory.dmp  family_plugx
behavioral2/memory/452-33-0x0000000001490000-0x00000000014BE000-memory.dmp  family_plugx
behavioral2/memory/3784-34-0x0000000002580000-0x00000000025AE000-memory.dmp family_plugx
behavioral2/memory/452-41-0x0000000001490000-0x00000000014BE000-memory.dmp  family_plugx
Adds Run key to start application (2 TTPs, 1 IoCs)

description      ioc                                                                                                                      Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdoberDis = "C:\\Windows\\AdobeDis.exe"   d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
Modifies registry class (2 IoCs)

description       ioc                                                                                                       Process
Key created       \REGISTRY\MACHINE\Software\CLASSES\MJ                                                                     svchost.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 42003700380045003600460034003300310035004500410030004300380036000000  svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid   Process      entries
452   svchost.exe  14
3784  msiexec.exe  50
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

pid   Process
452   svchost.exe
3784  msiexec.exe
Suspicious behavior: RenamesItself (1 IoCs)

pid   Process
1820  d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)

description              pid   Process
Token: SeDebugPrivilege  1820  d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
Token: SeTcbPrivilege    1820  d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
Token: SeDebugPrivilege  452   svchost.exe
Token: SeTcbPrivilege    452   svchost.exe
Token: SeDebugPrivilege  3784  msiexec.exe
Token: SeTcbPrivilege    3784  msiexec.exe
Suspicious use of WriteProcessMemory (16 IoCs)

description                      pid   Process                                              procid_target
PID 1820 wrote to memory of 452  1820  d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe   87   (8 identical entries)
PID 452 wrote to memory of 3784  452   svchost.exe                                          95   (8 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe"  (depth 1)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1820

  C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\system32\svchost.exe  (depth 2)
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 452

    C:\Windows\SysWOW64\msiexec.exe
      command line: C:\Windows\SysWOW64\msiexec.exe  (depth 3)
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID: 3784

Network

Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google

Remote address: 8.8.8.8:53
Request: 241.150.49.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response: (empty)

Remote address: 255.255.255.255:53
Request: jepsen.r3u8.com IN A  (sent 5 times, no response)

Remote address: 8.8.8.8:53
Request: tse1.mm.bing.net IN A
Response:
  tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
  mm-mm.bing.net.trafficmanager.net IN CNAME ax-0001.ax-msedge.net
  ax-0001.ax-msedge.net IN A 150.171.28.10
  ax-0001.ax-msedge.net IN A 150.171.27.10

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418610_1CWE7N9O9P5V6VACF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239340418610_1CWE7N9O9P5V6VACF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 673255
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D02271001CC7487FA799EA887ABEA10A Ref B: LON04EDGE0911 Ref C: 2024-09-08T05:46:01Z
date: Sun, 08 Sep 2024 05:46:00 GMT

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388105_129PTMAYKOFOO14GZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239339388105_129PTMAYKOFOO14GZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 754419
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0A646CE24DA646198B577A2B7C21A76C Ref B: LON04EDGE0911 Ref C: 2024-09-08T05:46:01Z
date: Sun, 08 Sep 2024 05:46:00 GMT

Remote address: 8.8.8.8:53
Request: 138.32.126.40.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 149.220.183.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 104.219.191.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: jepsen.r3u8.com IN A  (sent 2 times)
Response: (empty)

Remote address: 255.255.255.255:53
Request: jepsen.r3u8.com IN A  (sent 5 times, no response)

Remote address: 8.8.8.8:53
Request: 171.39.242.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 26.165.165.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 240.221.184.93.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: jepsen.r3u8.com IN A  (sent 2 times)
Response: (empty)

Remote address: 255.255.255.255:53
Request: jepsen.r3u8.com IN A  (sent 5 times, no response)

Remote address: 8.8.8.8:53
Request: jepsen.r3u8.com IN A  (sent 2 times)
Response: (empty)

Remote address: 255.255.255.255:53
Request: jepsen.r3u8.com IN A  (sent 5 times, no response)

Remote address: 8.8.8.8:53
Request: jepsen.r3u8.com IN A  (sent 2 times)
Response: (empty)

Remote address: 255.255.255.255:53
Request: jepsen.r3u8.com IN A  (sent 5 times, no response)

Remote address: 8.8.8.8:53
Request: 11.227.111.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: jepsen.r3u8.com IN A  (sent 2 times)
Response: (empty)

Remote address: 255.255.255.255:53
Request: jepsen.r3u8.com IN A  (sent 5 times, no response)

Remote address: 8.8.8.8:53
Request: jepsen.r3u8.com IN A  (sent 2 times)
Response: (empty)

Remote address: 255.255.255.255:53
Request: jepsen.r3u8.com IN A  (sent 5 times, no response)

Remote address: 8.8.8.8:53
Request: jepsen.r3u8.com IN A  (sent 2 times)
Response: (empty)

Traffic summary

1.2kB  6.9kB  15  13

150.171.28.10:443  https://tse1.mm.bing.net/th?id=OADD2.10239339388105_129PTMAYKOFOO14GZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90  tls, http  253.5kB  1.5MB  1088  1084
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418610_1CWE7N9O9P5V6VACF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239339388105_129PTMAYKOFOO14GZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Response: 200
  HTTP Response: 200

66 B  90 B  1  1
  DNS Request: 8.8.8.8.in-addr.arpa

72 B  158 B  1  1
  DNS Request: 241.150.49.20.in-addr.arpa

74 B  128 B  1  1
  DNS Request: 172.214.232.199.in-addr.arpa

305 B  5
  DNS Request: jepsen.r3u8.com  (5 requests)

62 B  170 B  1  1
  DNS Request: tse1.mm.bing.net
  DNS Response: 150.171.28.10, 150.171.27.10

72 B  158 B  1  1
  DNS Request: 138.32.126.40.in-addr.arpa

73 B  147 B  1  1
  DNS Request: 149.220.183.52.in-addr.arpa

73 B  147 B  1  1
  DNS Request: 104.219.191.52.in-addr.arpa

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

305 B  5
  DNS Request: jepsen.r3u8.com  (5 requests)

72 B  146 B  1  1
  DNS Request: 26.165.165.52.in-addr.arpa

72 B  158 B  1  1
  DNS Request: 171.39.242.20.in-addr.arpa

73 B  144 B  1  1
  DNS Request: 240.221.184.93.in-addr.arpa

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

305 B  5
  DNS Request: jepsen.r3u8.com  (5 requests)

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

305 B  5
  DNS Request: jepsen.r3u8.com  (5 requests)

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

305 B  5
  DNS Request: jepsen.r3u8.com  (5 requests)

72 B  158 B  1  1
  DNS Request: 11.227.111.52.in-addr.arpa

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

305 B  5
  DNS Request: jepsen.r3u8.com  (5 requests)

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

305 B  5
  DNS Request: jepsen.r3u8.com  (5 requests)

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com

61 B  134 B  1  1
  DNS Request: jepsen.r3u8.com