Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-09-2024 16:57
Static task: static1
Behavioral task: behavioral1
Sample: f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe
Size: 406KB
MD5: f41ab658351a04d98a8801b5ab4e98d9
SHA1: e431926631829cbea065d53028a707bf477a5c49
SHA256: d606f82a6f0d3c831cbe557bc5ecc578d12e76c419596dac936dbc9954adf9e9
SHA512: 764b857080b0d17c0eac836dd1ed70eb587286242e0a287cad0e33112c0dc9eb143bbab8dfdf022e1aa6e388efad0d4879e14b27ca7e4def89ea9507bbf847f3
SSDEEP: 12288:opuvWBF7oLNS3NibJHcZJ+mrtuV41kfgjdkA:gu+HQCibJ8D+mZ+gjT
Malware Config
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | nvxdsinc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe
Deletes itself (1 IoCs)
pid | Process
2952 | explorer.exe
Executes dropped EXE (3 IoCs)
pid | Process
2952 | explorer.exe
5056 | nvxdsinc.exe
1468 | nwtray.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\nvxdsinc.exe" | nvxdsinc.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2952 set thread context of 2664 | 2952 | explorer.exe | 83
PID 1468 set thread context of 1208 | 1468 | nwtray.exe | 86
resource | yara_rule
behavioral2/memory/2664-21-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral2/memory/2664-22-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral2/memory/2664-23-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral2/memory/2664-24-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral2/memory/2664-25-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral2/memory/2664-28-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral2/memory/2664-27-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral2/memory/2664-26-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nvxdsinc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nwtray.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
2952 | explorer.exe | 22
5056 | nvxdsinc.exe | 21
1468 | nwtray.exe | 21
(The 64 entries cycle through these three processes in the order listed.)
Suspicious use of AdjustPrivilegeToken (52 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5088 | f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe
Token: SeDebugPrivilege | 2952 | explorer.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries) | 2664 | AppLaunch.exe
Token: SeDebugPrivilege | 5056 | nvxdsinc.exe
Token: SeDebugPrivilege | 1468 | nwtray.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries) | 1208 | AppLaunch.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2664 | AppLaunch.exe
Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target | entries
PID 5088 wrote to memory of 2952 | 5088 | f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe | 82 | 3
PID 2952 wrote to memory of 2664 | 2952 | explorer.exe | 83 | 8
PID 2952 wrote to memory of 5056 | 2952 | explorer.exe | 84 | 3
PID 5056 wrote to memory of 1468 | 5056 | nvxdsinc.exe | 85 | 3
PID 1468 wrote to memory of 1208 | 1468 | nwtray.exe | 86 | 8
Processes
C:\Users\Admin\AppData\Local\Temp\f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe (PID 5088, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f41ab658351a04d98a8801b5ab4e98d9_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (PID 2952, depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 2664, depth 3)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe (PID 5056, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe (PID 1468, depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 1208, depth 5)
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 84B
MD5: ab636fd14155666b8d2d9a9f28299d18
SHA1: d1fe07feb89d33e9d2cb485424fb18b053aab59d
SHA256: fa6e1c8a49cc3bee6164ef4d9dc9dc29c7c77344061ee5278183733196fa7bf2
SHA512: 4321edced81f70bb406ada4c6e3a33d0114075e8d49211165b3dd231a9afa5cf57207bef1a31557a5d750e47d8b95a8e76f7e0f45e438e3b8fb31f69c9b2bcff

Filesize: 39KB
MD5: 38abcaec6ee62213f90b1717d830a1bb
SHA1: d8f5849d0d3f4ccc0dfb66a9a4a0442ac66a31b9
SHA256: 6fee9a2c70b2cc48b0812f7cb2e09497c9c90941976f430a8f8279ad3c787768
SHA512: 77eaabcbc6f7a3835b6220d72c4b1cae82d2125ea971907e33b15ceeede7e4da0741c6e63e988bd782ed6eb72ad3cbcba10ea83919eafd9b95d612c43a735274

Filesize: 406KB
MD5: f41ab658351a04d98a8801b5ab4e98d9
SHA1: e431926631829cbea065d53028a707bf477a5c49
SHA256: d606f82a6f0d3c831cbe557bc5ecc578d12e76c419596dac936dbc9954adf9e9
SHA512: 764b857080b0d17c0eac836dd1ed70eb587286242e0a287cad0e33112c0dc9eb143bbab8dfdf022e1aa6e388efad0d4879e14b27ca7e4def89ea9507bbf847f3