Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-09-2024 14:08
Static task: static1
Behavioral task: behavioral1
  Sample: e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
  Resource: win10v2004-20240910-en
General
- Target: e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
- Size: 670KB
- MD5: e2a988e5b401ffdeb288e248389f81e1
- SHA1: 502b0fd6ba36b55d626553c577a6c8e5ccdeb57f
- SHA256: 11bcf3928e5e39683e03fe2f3eb1bafe18feae8472538e15c85df37d0b92c67c
- SHA512: f98ab003c12b754f65a772c6900d12d54301775951bb0d5c38ac59ab4e6dee5826a056d96c7af4f20cfde68f9b83d9740e24fc1cdc593c683a72b8377567e85c
- SSDEEP: 12288:bp5I8YTjugyCDhhta3uW99rMu8HS7WQ+gxRXKWdOueN0cut:b48YTn9G99rMDHS7WQtxRCueacC
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1360  svhost.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
    description                   ioc                              process
    File opened for modification  C:\Windows\assembly\Desktop.ini  e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
    File created                  C:\Windows\assembly\Desktop.ini  e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    11    bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                                             target process
    PID 1960 set thread context of 1360  1960  e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe  svhost.exe
- Drops file in Windows directory (3 IoCs)
  Processes:
    description                   ioc                              process
    File opened for modification  C:\Windows\assembly              e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
    File created                  C:\Windows\assembly\Desktop.ini  e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
    File opened for modification  C:\Windows\assembly\Desktop.ini  e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
- Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
  When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  Processes:
    description   ioc                                                                      process
    File created  C:\Users\Admin\AppData\Local\Temp\FolderN\Materials.exe:Zone.Identifier  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svhost.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
- NTFS ADS (1 IoC)
  Processes:
    description   ioc                                                                      process
    File created  C:\Users\Admin\AppData\Local\Temp\FolderN\Materials.exe:Zone.Identifier  cmd.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process                                             count
    1960  e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe  14 (identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1960  e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                      pid   process                                             target process  count
    PID 1960 wrote to memory of 3660  1960  e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe  cmd.exe         3 (identical entries)
    PID 3660 wrote to memory of 3668  3660  cmd.exe                                             reg.exe         3 (identical entries)
    PID 1960 wrote to memory of 1360  1960  e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe  svhost.exe      8 (identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe (PID 1960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2a988e5b401ffdeb288e248389f81e1_JaffaCakes118.exe"
  Signatures:
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe (PID 3660)
    Command line: "cmd.exe"
    Signatures:
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\reg.exe (PID 3668)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\Materials.exe.lnk" /f
      Signatures:
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 1360)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderN\Materials.exe
  Filesize: 670KB
  MD5: e2a988e5b401ffdeb288e248389f81e1
  SHA1: 502b0fd6ba36b55d626553c577a6c8e5ccdeb57f
  SHA256: 11bcf3928e5e39683e03fe2f3eb1bafe18feae8472538e15c85df37d0b92c67c
  SHA512: f98ab003c12b754f65a772c6900d12d54301775951bb0d5c38ac59ab4e6dee5826a056d96c7af4f20cfde68f9b83d9740e24fc1cdc593c683a72b8377567e85c
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 89KB
  MD5: 84c42d0f2c1ae761bef884638bc1eacd
  SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
  SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
  SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87
- Memory dumps:
    dump                                                           filesize
    memory/1360-19-0x0000000074A50000-0x0000000075001000-memory.dmp  5.7MB
    memory/1360-17-0x0000000074A50000-0x0000000075001000-memory.dmp  5.7MB
    memory/1360-18-0x0000000074A50000-0x0000000075001000-memory.dmp  5.7MB
    memory/1360-23-0x0000000074A50000-0x0000000075001000-memory.dmp  5.7MB
    memory/1360-25-0x0000000074A50000-0x0000000075001000-memory.dmp  5.7MB
    memory/1960-3-0x0000000074A52000-0x0000000074A53000-memory.dmp   4KB
    memory/1960-4-0x0000000074A50000-0x0000000075001000-memory.dmp   5.7MB
    memory/1960-2-0x0000000074A50000-0x0000000075001000-memory.dmp   5.7MB
    memory/1960-1-0x0000000074A50000-0x0000000075001000-memory.dmp   5.7MB
    memory/1960-0-0x0000000074A52000-0x0000000074A53000-memory.dmp   4KB
    memory/1960-21-0x0000000074A50000-0x0000000075001000-memory.dmp  5.7MB