Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-09-2024 19:02

Static task: static1
Behavioral task: behavioral1
- Sample: ff2da6a2d2e29d76e8ee869fa07f7530_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: ff2da6a2d2e29d76e8ee869fa07f7530_JaffaCakes118.exe
- Size: 647KB
- MD5: ff2da6a2d2e29d76e8ee869fa07f7530
- SHA1: ece7a717f8a6e7973c78cadf87d6449e116fe9f4
- SHA256: 2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64d
- SHA512: 03334e7e0903ba6b4c4611443722f5c8cf07c974b7ca36d7e1a0a62a4c83bb13702d5b3761f72c288d2bf1e0fbcc4a878559a864fe3147ce8f51a00345818721
- SSDEEP: 12288:ra/rmU5El82jSlI/ExacF3gnxbCEjLz35gRHHi3xED:rav5UjSlI/EPFmOmLz35g9H4xED
Malware Config
Signatures
-
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: ff2da6a2d2e29d76e8ee869fa07f7530_JaffaCakes118.exe, firewall-tmp.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (ff2da6a2d2e29d76e8ee869fa07f7530_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (firewall-tmp.exe)

- Drops startup file (1 IoC)
  Processes: firewall-tmp.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firewall-tmp.lnk (firewall-tmp.exe)

- Executes dropped EXE (3 IoCs)
  Processes: firewall-tmp.exe, firewall-tmp.exe, firewall-tmp.exe
  - PID 344: firewall-tmp.exe
  - PID 1856: firewall-tmp.exe
  - PID 1324: firewall-tmp.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: firewall-tmp.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" (firewall-tmp.exe)

- Checks whether UAC is enabled (1 IoC)
  Processes: firewall-tmp.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (firewall-tmp.exe)

- Suspicious use of SetThreadContext (1 IoC)
  Processes: firewall-tmp.exe
  - PID 1856 set thread context of 1324 (pid 1856, firewall-tmp.exe, procid_target 96)

- Drops file in Program Files directory (2 IoCs)
  Processes: firewall-tmp.exe
  - File created: C:\Program Files (x86)\DDP Service\ddpsv.exe (firewall-tmp.exe)
  - File opened for modification: C:\Program Files (x86)\DDP Service\ddpsv.exe (firewall-tmp.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: ff2da6a2d2e29d76e8ee869fa07f7530_JaffaCakes118.exe, firewall-tmp.exe, cmd.exe, firewall-tmp.exe, firewall-tmp.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ff2da6a2d2e29d76e8ee869fa07f7530_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (firewall-tmp.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (firewall-tmp.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (firewall-tmp.exe)

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: firewall-tmp.exe, firewall-tmp.exe
  - PID 1856: firewall-tmp.exe (2 events)
  - PID 1324: firewall-tmp.exe (3 events)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: firewall-tmp.exe
  - PID 1324: firewall-tmp.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: firewall-tmp.exe, firewall-tmp.exe
  - Token: SeDebugPrivilege (pid 1856, firewall-tmp.exe)
  - Token: SeDebugPrivilege (pid 1324, firewall-tmp.exe)

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: ff2da6a2d2e29d76e8ee869fa07f7530_JaffaCakes118.exe, firewall-tmp.exe, firewall-tmp.exe
  - PID 4472 wrote to memory of 344 (pid 4472, ff2da6a2d2e29d76e8ee869fa07f7530_JaffaCakes118.exe, procid_target 82), 3 events
  - PID 344 wrote to memory of 1456 (pid 344, firewall-tmp.exe, procid_target 91), 3 events
  - PID 344 wrote to memory of 1856 (pid 344, firewall-tmp.exe, procid_target 93), 3 events
  - PID 1856 wrote to memory of 1324 (pid 1856, firewall-tmp.exe, procid_target 96), 8 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\ff2da6a2d2e29d76e8ee869fa07f7530_JaffaCakes118.exe (PID 4472)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ff2da6a2d2e29d76e8ee869fa07f7530_JaffaCakes118.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\firewall-tmp.exe (PID 344)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\firewall-tmp.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 1456)
         Command line: cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\Explorer" & exit
         - System Location Discovery: System Language Discovery

      3. C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe (PID 1856)
         Command line: "C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe"
         - Drops startup file
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe (PID 1324)
            Command line: "C:\Users\Admin\AppData\Roaming\Explorer\firewall-tmp.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken

(The leading number is the process depth in the tree, as in the sandbox view.)
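The tree above gives a complete set of host artifacts to hunt for: the Run value "DDP Service" under WOW6432Node, the copies under %APPDATA%\Explorer and Program Files (x86)\DDP Service, the Startup shortcut, and a firewall-tmp.exe whose parent is another firewall-tmp.exe (the SetThreadContext pair). The script below is an added example for checking a Windows host against those artifacts; it is not part of the sandbox output. It assumes the per-user paths may live under any profile in C:\Users (the sandbox ran as "Admin"), it also checks the native 64-bit Run key although the report only shows the WOW6432Node one, and it compares any file it finds against every SHA256 on this page without claiming which Downloads entry belongs to which dropped file.

```powershell
# Added example (not sandbox output): check a Windows host for the artifacts this report lists.
# Assumptions: per-user paths are checked for every profile under C:\Users (sandbox user was
# "Admin"); the native 64-bit Run key is checked too although only WOW6432Node was observed.
# Run from an elevated PowerShell prompt.

$findings = New-Object System.Collections.Generic.List[object]

# SHA256 values listed in this report: the dropper plus the four files under Downloads.
$reportSha256 = @(
    '2a8b2d4cf5f2054a01ea2d5c8d9b71e8f1706f74c251bb16684c98fa25b9a64d',
    '2707fc7f074413881b7bafca05079327b188db6005709951e7f69d39a2af97c0',
    '608f68fcb0b4cbb3a2e688757ca461d14a1b15eb183f814fcfbeca882d9d1c6d',
    '59148dbade1cb116605f776b6cad15e7cdd5fe0303cedaef657768face638f3e',
    'ea6edfbb4f758fedc4e46256a30300bb80479cb854f83c51501e548b51bbfe72'
)

function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Run value "DDP Service", written by the hollowed child (PID 1324 in the report).
$runKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # assumption: not observed in the report
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['DDP Service']) {
        Add-Finding 'RunKey' "$key\DDP Service" $props.'DDP Service'
    }
}

# 2. Dropped files and the Startup shortcut. Each file found is hashed and compared with the
#    report's SHA256 list; a non-matching hash is still a finding, the path itself is the IoC.
$paths = @('C:\Program Files (x86)\DDP Service\ddpsv.exe')
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $paths += Join-Path $userDir.FullName 'AppData\Roaming\Explorer\firewall-tmp.exe'
    $paths += Join-Path $userDir.FullName 'AppData\Local\Temp\RarSFX0\firewall-tmp.exe'
    $paths += Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firewall-tmp.lnk'
}
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    $type = if ($p -like '*.lnk') { 'StartupLnk' } else { 'DroppedFile' }
    $verdict = if ($reportSha256 -contains $hash) { 'matches report' } else { 'not in report' }
    Add-Finding $type $p "SHA256 $hash ($verdict)"
}

# 3. Live processes with the names from the tree, reported with their parent. A firewall-tmp.exe
#    whose parent is also firewall-tmp.exe is the SetThreadContext pair seen in the sandbox.
$all = Get-CimInstance Win32_Process
foreach ($proc in ($all | Where-Object { $_.Name -in @('firewall-tmp.exe', 'ddpsv.exe') })) {
    $parent = $all | Where-Object { $_.ProcessId -eq $proc.ParentProcessId } | Select-Object -First 1
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    Add-Finding 'Process' "$($proc.Name) (PID $($proc.ProcessId))" `
        "parent $parentName (PID $($proc.ParentProcessId)); path $($proc.ExecutablePath)"
}

if ($findings.Count -eq 0) { Write-Output 'No artifacts from this report found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Paths are compared with -LiteralPath so the "Program Files (x86)" parentheses are not treated as wildcards, and the Run value is read by property name rather than by wildcard so a value merely containing "DDP" is not reported. The cmd.exe copy step in the tree (RarSFX0\*.* to Roaming\Explorer) means the Roaming copy may exist even if the Temp one has been cleaned up, which is why both locations are checked.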
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 594B
  MD5: fdb26b3b547022b45cfaeee57eafd566
  SHA1: 11c6798b8a59233f404014c5e79b3363cd564b37
  SHA256: 2707fc7f074413881b7bafca05079327b188db6005709951e7f69d39a2af97c0
  SHA512: 44d9bb8c0f0b341690d00eda86e15a50f7f29ce9595925c1a2a7e19ad26202d10049a7a97bea278ecb7d429ad555de8edceeffff664d4b06309a9410a09bb700

- Filesize: 225KB
  MD5: 51f1ce5d176efbe96f90041f021ffc01
  SHA1: ea0e79728896bdb069a8415e39870e840016a067
  SHA256: 608f68fcb0b4cbb3a2e688757ca461d14a1b15eb183f814fcfbeca882d9d1c6d
  SHA512: 22c19013ee68e7f78633e6e3b1254fe99eb9ad6145dd1c0b0bc6e8dd952405449c55df49ae986d8886d62ce4e18b73764f98c39b806f57c56aadcbca7721619d

- Filesize: 1024KB
  MD5: 7f80c68c6a830a70710814f8f826f4f2
  SHA1: 340d3725bd2fb249ef23b74695383acfc143f518
  SHA256: 59148dbade1cb116605f776b6cad15e7cdd5fe0303cedaef657768face638f3e
  SHA512: 77d3d9a24d815b8f3143a594dab9d07ddc77f40f0f26b9e12a7d22986f7505b3e02efe8bbe4caf2acc050777594e00246532bba39d45c451a68049c79cf8143d

- Filesize: 165KB
  MD5: 1c8bfc1aa27be1ef777946a6388ba879
  SHA1: a375d403558a3e2203237178163f65770f5ac702
  SHA256: ea6edfbb4f758fedc4e46256a30300bb80479cb854f83c51501e548b51bbfe72
  SHA512: 8eccdd4d58008d6d872e3983242d1118c98583c12894dbee4d5fd6e9528cd7d6d73fad2bbc175a0ba57aa8dc6baae8caad2d816347544bda22adcf9468111d4e