Analysis

max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-09-2024 12:04
Behavioral task: behavioral1
Sample: e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
Size: 302KB
MD5: e912f3304ad024cd5f372e9841dca40e
SHA1: 6143abd6ae53f88316c3c8b6b8e0a276b350caba
SHA256: 25b9faa0e98219baa584af25043ae37184dc2ab41e30da04f54e0afde2d55c59
SHA512: b02724ff3663ca5aa3c7dba9745b04da6123dd7b21e6992a7739f0d8d552e85b116afc54b5fc3d757a821111d63886750f2c32087f657251a4cf54110cd93888
SSDEEP: 6144:Aa5jVb60xGvzi4h9XyVyeyD4OQPC4i6mjdee7gkXwztrgUffoS9j:A4jVb60V4CyyPYjdP7gkgzpgUXoS
Malware Config

Extracted
Family: latentbot
pertenemene.zapto.org
Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs
  pid | Process
  3868 | FSJoiner.exe
  4684 | FSJoiner.exe
  resource | yara_rule
  behavioral2/memory/3652-0-0x0000000000400000-0x0000000000542000-memory.dmp | upx
  behavioral2/files/0x00070000000234c3-11.dat | upx
  behavioral2/memory/3868-18-0x0000000000400000-0x0000000000542000-memory.dmp | upx
  behavioral2/memory/3652-21-0x0000000000400000-0x0000000000542000-memory.dmp | upx
  behavioral2/memory/4684-24-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-27-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-30-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/3868-32-0x0000000000400000-0x0000000000542000-memory.dmp | upx
  behavioral2/memory/4684-29-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-34-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-37-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-36-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-33-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-38-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-39-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-41-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-42-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-43-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-44-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-45-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-46-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-47-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-48-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-49-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-50-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-51-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-52-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4684-53-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fsj = "C:\\Users\\Admin\\AppData\\Roaming\\fs\\FSJoiner.exe" | reg.exe

Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 3868 set thread context of 4684 | 3868 | FSJoiner.exe | 87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FSJoiner.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FSJoiner.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 4684 | FSJoiner.exe
  Token: SeSecurityPrivilege | 4684 | FSJoiner.exe
  Token: SeTakeOwnershipPrivilege | 4684 | FSJoiner.exe
  Token: SeLoadDriverPrivilege | 4684 | FSJoiner.exe
  Token: SeSystemProfilePrivilege | 4684 | FSJoiner.exe
  Token: SeSystemtimePrivilege | 4684 | FSJoiner.exe
  Token: SeProfSingleProcessPrivilege | 4684 | FSJoiner.exe
  Token: SeIncBasePriorityPrivilege | 4684 | FSJoiner.exe
  Token: SeCreatePagefilePrivilege | 4684 | FSJoiner.exe
  Token: SeBackupPrivilege | 4684 | FSJoiner.exe
  Token: SeRestorePrivilege | 4684 | FSJoiner.exe
  Token: SeShutdownPrivilege | 4684 | FSJoiner.exe
  Token: SeDebugPrivilege | 4684 | FSJoiner.exe
  Token: SeSystemEnvironmentPrivilege | 4684 | FSJoiner.exe
  Token: SeChangeNotifyPrivilege | 4684 | FSJoiner.exe
  Token: SeRemoteShutdownPrivilege | 4684 | FSJoiner.exe
  Token: SeUndockPrivilege | 4684 | FSJoiner.exe
  Token: SeManageVolumePrivilege | 4684 | FSJoiner.exe
  Token: SeImpersonatePrivilege | 4684 | FSJoiner.exe
  Token: SeCreateGlobalPrivilege | 4684 | FSJoiner.exe
  Token: 33 | 4684 | FSJoiner.exe
  Token: 34 | 4684 | FSJoiner.exe
  Token: 35 | 4684 | FSJoiner.exe
  Token: 36 | 4684 | FSJoiner.exe

Suspicious use of SetWindowsHookEx 2 IoCs
  pid | Process
  3652 | e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
  3868 | FSJoiner.exe

Suspicious use of WriteProcessMemory 17 IoCs
  description | pid | Process | procid_target
  PID 3652 wrote to memory of 624 | 3652 | e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe | 82
  PID 3652 wrote to memory of 624 | 3652 | e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe | 82
  PID 3652 wrote to memory of 624 | 3652 | e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe | 82
  PID 624 wrote to memory of 3120 | 624 | cmd.exe | 85
  PID 624 wrote to memory of 3120 | 624 | cmd.exe | 85
  PID 624 wrote to memory of 3120 | 624 | cmd.exe | 85
  PID 3652 wrote to memory of 3868 | 3652 | e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe | 86
  PID 3652 wrote to memory of 3868 | 3652 | e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe | 86
  PID 3652 wrote to memory of 3868 | 3652 | e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe | 86
  PID 3868 wrote to memory of 4684 | 3868 | FSJoiner.exe | 87
  PID 3868 wrote to memory of 4684 | 3868 | FSJoiner.exe | 87
  PID 3868 wrote to memory of 4684 | 3868 | FSJoiner.exe | 87
  PID 3868 wrote to memory of 4684 | 3868 | FSJoiner.exe | 87
  PID 3868 wrote to memory of 4684 | 3868 | FSJoiner.exe | 87
  PID 3868 wrote to memory of 4684 | 3868 | FSJoiner.exe | 87
  PID 3868 wrote to memory of 4684 | 3868 | FSJoiner.exe | 87
  PID 3868 wrote to memory of 4684 | 3868 | FSJoiner.exe | 87
Processes

C:\Users\Admin\AppData\Local\Temp\e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e912f3304ad024cd5f372e9841dca40e_JaffaCakes118.exe"
  PID: 3652
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240629484.bat" "
      PID: 624
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "fsj" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe" /f
          PID: 3120
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe
      Command line: "C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe"
      PID: 3868
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe
          Command line: C:\Users\Admin\AppData\Roaming\fs\FSJoiner.exe
          PID: 4684
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 134B
MD5: 79686e11e1add47ebf72114c3ad5735b
SHA1: 9108768456cca6edd324dcb4dca83a7b0d540e14
SHA256: f5f02c8fd1a51460b0ffb3a4d0c951c5b5b446dcf189f70d710f285afd4d49c3
SHA512: 31bac9f62297a84df7acec2b4fec62f55ddf2de809d33f745898223f8f4c1f6a10738d5524f48b06fc1c9256e778dae353fc4e830f98c7846d545de9cbf12a6b

Filesize: 302KB
MD5: 9cd231f2d71913801dcb64b02959253b
SHA1: 3abb4c9006fc556689b74e1cf67a5200fd9caa9b
SHA256: 04dd59e97f8f7e140f31f32b876fc9e5d0d1e754621e6160f2d32504cd43c15d
SHA512: 9a13ac662a4959dc30b1c9fbba5caf4f576a68e88c7f09412233398255c52bf0a54615e21c04114adf889dd176b24c8f86b9b7ff43ff4f39d3f4ec13554e758b