Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-09-2024 19:40

Static task: static1
Behavioral task: behavioral1
Sample: d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Size: 478KB
MD5: d6f9fd8a8720a51076be8f7b25278d4b
SHA1: 1ca7cce3fad42b219702975306f3d8e6d62cf6e6
SHA256: 805d22047aa58968b27b172380eef58877f5b96177d21c77e3dd16fe891bce0b
SHA512: 0c973ce58e4aa0645f6b5f193e91e5e356a3956e08f054a08b44b41759bc383c3c60f9c0f5bc3db2225fd9a3097e945fc88e6c1e42c12cc0b31612219a5b69aa
SSDEEP: 12288:e9jBgFYsPt4Hp9ujwkSBv7Gz5dbMi8nPgOz6JQrrWM7vFnifpGZ1X3WAr+ybzxw4:erg7t4Hp9ujwkSBv7Gz5dbMi8nPgOz6Q
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 10 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\taskmgr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Checks computer location settings (2 TTPs, 3 IoCs)

Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | audiodgi.exe
Deletes itself (1 IoCs)

pid | Process
4008 | svchost.exe
Executes dropped EXE (5 IoCs)

pid | Process
4008 | svchost.exe
4088 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
2712 | wmpmetwk.exe
Adds Run key to start application (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe" | audiodgi.exe
Suspicious use of SetThreadContext (2 IoCs)

description | pid | Process | procid_target
PID 4008 set thread context of 4088 | 4008 | svchost.exe | 88
PID 4224 set thread context of 2712 | 4224 | wmpmetwk.exe | 103
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpmetwk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | audiodgi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpmetwk.exe
Modifies registry key (1 TTPs, 4 IoCs)

pid | Process
2036 | reg.exe
3776 | reg.exe
1264 | reg.exe
1208 | reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
2936 | audiodgi.exe
4224 | wmpmetwk.exe
4008 | svchost.exe
Suspicious use of AdjustPrivilegeToken (39 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 4888 | d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Token: SeDebugPrivilege | 4008 | svchost.exe
Token: 1 | 4088 | svchost.exe
Token: SeCreateTokenPrivilege | 4088 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 4088 | svchost.exe
Token: SeLockMemoryPrivilege | 4088 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 4088 | svchost.exe
Token: SeMachineAccountPrivilege | 4088 | svchost.exe
Token: SeTcbPrivilege | 4088 | svchost.exe
Token: SeSecurityPrivilege | 4088 | svchost.exe
Token: SeTakeOwnershipPrivilege | 4088 | svchost.exe
Token: SeLoadDriverPrivilege | 4088 | svchost.exe
Token: SeSystemProfilePrivilege | 4088 | svchost.exe
Token: SeSystemtimePrivilege | 4088 | svchost.exe
Token: SeProfSingleProcessPrivilege | 4088 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4088 | svchost.exe
Token: SeCreatePagefilePrivilege | 4088 | svchost.exe
Token: SeCreatePermanentPrivilege | 4088 | svchost.exe
Token: SeBackupPrivilege | 4088 | svchost.exe
Token: SeRestorePrivilege | 4088 | svchost.exe
Token: SeShutdownPrivilege | 4088 | svchost.exe
Token: SeDebugPrivilege | 4088 | svchost.exe
Token: SeAuditPrivilege | 4088 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 4088 | svchost.exe
Token: SeChangeNotifyPrivilege | 4088 | svchost.exe
Token: SeRemoteShutdownPrivilege | 4088 | svchost.exe
Token: SeUndockPrivilege | 4088 | svchost.exe
Token: SeSyncAgentPrivilege | 4088 | svchost.exe
Token: SeEnableDelegationPrivilege | 4088 | svchost.exe
Token: SeManageVolumePrivilege | 4088 | svchost.exe
Token: SeImpersonatePrivilege | 4088 | svchost.exe
Token: SeCreateGlobalPrivilege | 4088 | svchost.exe
Token: 31 | 4088 | svchost.exe
Token: 32 | 4088 | svchost.exe
Token: 33 | 4088 | svchost.exe
Token: 34 | 4088 | svchost.exe
Token: 35 | 4088 | svchost.exe
Token: SeDebugPrivilege | 2936 | audiodgi.exe
Token: SeDebugPrivilege | 4224 | wmpmetwk.exe
Suspicious use of SetWindowsHookEx (5 IoCs)

pid | Process
4088 | svchost.exe
4088 | svchost.exe
4088 | svchost.exe
2712 | wmpmetwk.exe
2712 | wmpmetwk.exe
Suspicious use of WriteProcessMemory (49 IoCs)

description | pid | Process | procid_target
PID 4888 wrote to memory of 4008 | 4888 | d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe | 87
PID 4888 wrote to memory of 4008 | 4888 | d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe | 87
PID 4888 wrote to memory of 4008 | 4888 | d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe | 87
PID 4008 wrote to memory of 4088 | 4008 | svchost.exe | 88
PID 4008 wrote to memory of 4088 | 4008 | svchost.exe | 88
PID 4008 wrote to memory of 4088 | 4008 | svchost.exe | 88
PID 4008 wrote to memory of 4088 | 4008 | svchost.exe | 88
PID 4008 wrote to memory of 4088 | 4008 | svchost.exe | 88
PID 4008 wrote to memory of 4088 | 4008 | svchost.exe | 88
PID 4008 wrote to memory of 4088 | 4008 | svchost.exe | 88
PID 4008 wrote to memory of 4088 | 4008 | svchost.exe | 88
PID 4088 wrote to memory of 4856 | 4088 | svchost.exe | 89
PID 4088 wrote to memory of 4856 | 4088 | svchost.exe | 89
PID 4088 wrote to memory of 4856 | 4088 | svchost.exe | 89
PID 4088 wrote to memory of 3784 | 4088 | svchost.exe | 90
PID 4088 wrote to memory of 3784 | 4088 | svchost.exe | 90
PID 4088 wrote to memory of 3784 | 4088 | svchost.exe | 90
PID 4088 wrote to memory of 4700 | 4088 | svchost.exe | 91
PID 4088 wrote to memory of 4700 | 4088 | svchost.exe | 91
PID 4088 wrote to memory of 4700 | 4088 | svchost.exe | 91
PID 4088 wrote to memory of 4912 | 4088 | svchost.exe | 92
PID 4088 wrote to memory of 4912 | 4088 | svchost.exe | 92
PID 4088 wrote to memory of 4912 | 4088 | svchost.exe | 92
PID 4856 wrote to memory of 2036 | 4856 | cmd.exe | 98
PID 4856 wrote to memory of 2036 | 4856 | cmd.exe | 98
PID 4856 wrote to memory of 2036 | 4856 | cmd.exe | 98
PID 4700 wrote to memory of 1264 | 4700 | cmd.exe | 97
PID 4700 wrote to memory of 1264 | 4700 | cmd.exe | 97
PID 4700 wrote to memory of 1264 | 4700 | cmd.exe | 97
PID 3784 wrote to memory of 3776 | 3784 | cmd.exe | 99
PID 3784 wrote to memory of 3776 | 3784 | cmd.exe | 99
PID 3784 wrote to memory of 3776 | 3784 | cmd.exe | 99
PID 4912 wrote to memory of 1208 | 4912 | cmd.exe | 100
PID 4912 wrote to memory of 1208 | 4912 | cmd.exe | 100
PID 4912 wrote to memory of 1208 | 4912 | cmd.exe | 100
PID 4008 wrote to memory of 2936 | 4008 | svchost.exe | 101
PID 4008 wrote to memory of 2936 | 4008 | svchost.exe | 101
PID 4008 wrote to memory of 2936 | 4008 | svchost.exe | 101
PID 2936 wrote to memory of 4224 | 2936 | audiodgi.exe | 102
PID 2936 wrote to memory of 4224 | 2936 | audiodgi.exe | 102
PID 2936 wrote to memory of 4224 | 2936 | audiodgi.exe | 102
PID 4224 wrote to memory of 2712 | 4224 | wmpmetwk.exe | 103
PID 4224 wrote to memory of 2712 | 4224 | wmpmetwk.exe | 103
PID 4224 wrote to memory of 2712 | 4224 | wmpmetwk.exe | 103
PID 4224 wrote to memory of 2712 | 4224 | wmpmetwk.exe | 103
PID 4224 wrote to memory of 2712 | 4224 | wmpmetwk.exe | 103
PID 4224 wrote to memory of 2712 | 4224 | wmpmetwk.exe | 103
PID 4224 wrote to memory of 2712 | 4224 | wmpmetwk.exe | 103
PID 4224 wrote to memory of 2712 | 4224 | wmpmetwk.exe | 103
Processes

C:\Users\Admin\AppData\Local\Temp\d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe"
  PID: 4888
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 4008
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
          PID: 4088
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              PID: 4856
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                  PID: 2036
                  - Modifies firewall policy service
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key

            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
              PID: 3784
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
                  PID: 3776
                  - Modifies firewall policy service
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key

            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              PID: 4700
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                  PID: 1264
                  - Modifies firewall policy service
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key

            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
              PID: 4912
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
                  PID: 1208
                  - Modifies firewall policy service
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key

        C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
          PID: 2936
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
              PID: 4224
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
                  PID: 2712
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (3)
Downloads

Filesize: 84B
MD5: 608ba18769d8c39ed93483afbe8d6779
SHA1: aabaea18ef0da2077f38d57f2c7ccbb31581e9b1
SHA256: 390ccf980135935b1fd0ced301caa8468eb96f466f3570c615588e7e4fdbfd25
SHA512: aec4974218a32f93b45426a6fc704544fec22287e805756a83960577c42ff9e8faa0af3cb42a17a00bebca99e14b01925185c364cfdf46fb991d415dc8be4d35

Filesize: 10KB
MD5: 83ce94edcf6b43e60e467a9f22705d3e
SHA1: 0a3738cbee68a53e8d5e93f83d5b633f8ae95232
SHA256: 558224443ed55cc3efc377ff06ba86ef2d4c910da4d3d47c590377c487c1d63f
SHA512: 51675f7143d6666452dc231ffc03e0dab642f2c2c8a3d61dc567beec825ea52d45513243ea81d3873d44a66b8d7a1340f0b6e5ecac741c29d01813de8631d383

Filesize: 478KB
MD5: d6f9fd8a8720a51076be8f7b25278d4b
SHA1: 1ca7cce3fad42b219702975306f3d8e6d62cf6e6
SHA256: 805d22047aa58968b27b172380eef58877f5b96177d21c77e3dd16fe891bce0b
SHA512: 0c973ce58e4aa0645f6b5f193e91e5e356a3956e08f054a08b44b41759bc383c3c60f9c0f5bc3db2225fd9a3097e945fc88e6c1e42c12cc0b31612219a5b69aa