Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2024 07:26
Static task: static1
Behavioral task: behavioral1
Sample: 0988c935717178e91e8acd06450283a2_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 0988c935717178e91e8acd06450283a2_JaffaCakes118.exe
Size: 3.5MB
MD5: 0988c935717178e91e8acd06450283a2
SHA1: 1a79ee358a1a7c36d4eef2c2c8fad16927d8390d
SHA256: a4dfc90bf63745e6c476ccdd748cb097064b4334478a6cc08ab517f67e6cf13d
SHA512: ac595eea9cb306644d2db40a092b76091eaf8b5b3a28ace83a63524eb16caf93e59845ff68241d18c4986611236451453a67a382e374fbd421a4b5d926ffa193
SSDEEP: 98304:8p9FJR47Hh4AtBq2HmvcEcKrslUDwsUWhuqf:8/DIH7HyUEfrmATlTf
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: temp.exe
  description         ioc                                                          process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     temp.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  temp.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 0988c935717178e91e8acd06450283a2_JaffaCakes118.exe
  description         ioc                                                                                            process
  Key value queried   \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation   0988c935717178e91e8acd06450283a2_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
Processes: temp.exe
  pid    process
  4356   temp.exe
Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET command-line compiler, not the VBScript host. The sample hands it a generated response file (/noconfig @...\ee-0maks.cmdline in the process tree), and vbc.exe in turn runs cvtres.exe to build the resource object; that is the normal System.CodeDom runtime-compilation chain, so a compiler spawned by a non-developer process from a Temp-directory response file is the point to alert on.

UPX packed file (YARA rule upx, 7 IoCs)
Resources:
  resource                                                                              yara_rule
  behavioral2/files/0x0007000000023481-30.dat                                           upx
  behavioral2/memory/4356-45-0x0000000000400000-0x0000000000623000-memory.dmp           upx
  behavioral2/memory/4356-104-0x0000000000400000-0x0000000000623000-memory.dmp          upx
  behavioral2/memory/4356-107-0x0000000000400000-0x0000000000623000-memory.dmp          upx
  behavioral2/memory/4356-108-0x0000000000400000-0x0000000000623000-memory.dmp          upx
  behavioral2/memory/4356-109-0x0000000000400000-0x0000000000623000-memory.dmp          upx
  behavioral2/memory/4356-110-0x0000000000400000-0x0000000000623000-memory.dmp          upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 0988c935717178e91e8acd06450283a2_JaffaCakes118.exe, vbc.exe, cvtres.exe, temp.exe
  description   ioc                                                       process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   0988c935717178e91e8acd06450283a2_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vbc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cvtres.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   temp.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: temp.exe
  description         ioc                                                            process
  Key created         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                 temp.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct  temp.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: temp.exe
  pid    process
  4356   temp.exe
  4356   temp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: temp.exe
  description                         pid    process
  Token: 33                           4356   temp.exe
  Token: SeIncBasePriorityPrivilege   4356   temp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 0988c935717178e91e8acd06450283a2_JaffaCakes118.exe, vbc.exe
  description                        pid    process                                               procid_target
  PID 1952 wrote to memory of 4476   1952   0988c935717178e91e8acd06450283a2_JaffaCakes118.exe   81
  PID 1952 wrote to memory of 4476   1952   0988c935717178e91e8acd06450283a2_JaffaCakes118.exe   81
  PID 1952 wrote to memory of 4476   1952   0988c935717178e91e8acd06450283a2_JaffaCakes118.exe   81
  PID 4476 wrote to memory of 912    4476   vbc.exe                                               83
  PID 4476 wrote to memory of 912    4476   vbc.exe                                               83
  PID 4476 wrote to memory of 912    4476   vbc.exe                                               83
  PID 1952 wrote to memory of 4356   1952   0988c935717178e91e8acd06450283a2_JaffaCakes118.exe   84
  PID 1952 wrote to memory of 4356   1952   0988c935717178e91e8acd06450283a2_JaffaCakes118.exe   84
  PID 1952 wrote to memory of 4356   1952   0988c935717178e91e8acd06450283a2_JaffaCakes118.exe   84
Processes
C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe (PID 1952)
  command line: "C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4476)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ee-0maks.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 912)
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF898.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3270B708101946D085A5E678B42B5688.TMP"
          - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\temp.exe (PID 4356)
      command line: "C:\Users\Admin\AppData\Roaming\temp.exe"
      - Checks BIOS information in registry
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
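The behaviours above (temp.exe reading SystemBiosDate, SystemBiosVersion and BaseBoardProduct to fingerprint the host, the parent reading Geo\Nation, and the vbc.exe -> cvtres.exe runtime-compilation chain) are the same three things a detection engineer would want to turn into rules. The following is an added example, not part of the report or the sandbox's own signature code: it runs those rules over an event list constructed from this report's process tree and IoC rows. The event schema (reg_query / process_create dicts with pid, ppid, image, cmdline, key) is hypothetical and stands in for whatever the sandbox or EDR emits; the parent PID 1000 and the benign controls (PIDs 2222, 6000, 6001) are invented so the rules have something legitimate to leave alone.

```python
"""Offline detection of the behaviours recorded in this report: BIOS/board
fingerprinting, the Geo\\Nation geofence lookup, and runtime compilation via
vbc.exe -> cvtres.exe. Event schema and sample events are constructed."""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Keys temp.exe read in the report; several reads by one process is the signal.
SANDBOX_PROBE_KEYS = {k.lower() for k in (
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct",
)}
GEOFENCE_SUFFIX = r"\control panel\international\geo\nation"
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that routinely drive the compilers (hypothetical allowlist).
EXPECTED_COMPILER_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe",
                             "dotnet.exe", "w3wp.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_registry_probes(events: list[dict]) -> list[Finding]:
    """Flag geofence lookups on sight; flag hardware probes only when one
    process reads two or more of the fingerprinting keys (a single read
    is common for inventory tooling)."""
    findings, probes = [], defaultdict(set)
    for ev in events:
        if ev["type"] != "reg_query":
            continue
        key = ev["key"].lower()
        if key in SANDBOX_PROBE_KEYS:
            probes[(ev["pid"], ev["image"])].add(key)
        elif key.endswith(GEOFENCE_SUFFIX):
            findings.append(Finding("geofence_lookup", ev["pid"], ev["image"], ev["key"]))
    for (pid, image), keys in probes.items():
        if len(keys) >= 2:
            findings.append(Finding("sandbox_fingerprint", pid, image, "; ".join(sorted(keys))))
    return findings


def detect_runtime_compilation(events: list[dict]) -> list[Finding]:
    """vbc.exe/csc.exe launched with a response file (/noconfig @file) by a
    process that is not a build tool; also record whether the cvtres.exe
    grandchild the compiler spawns for resources is present, as in the report."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}
    findings = []
    for ev in procs.values():
        if _name(ev["image"]) not in DOTNET_COMPILERS:
            continue
        parent = procs.get(ev["ppid"])
        parent_name = _name(parent["image"]) if parent else "<unknown>"
        cmd = ev["cmdline"].lower()
        if parent_name in EXPECTED_COMPILER_PARENTS or "/noconfig" not in cmd or "@" not in cmd:
            continue
        cvtres = any(p["ppid"] == ev["pid"] and _name(p["image"]) == "cvtres.exe"
                     for p in procs.values())
        findings.append(Finding("runtime_compile", ev["pid"], ev["image"],
                                f"parent={parent_name} cvtres_child={cvtres}"))
    return findings


def analyse(events: list[dict]) -> list[Finding]:
    return detect_registry_probes(events) + detect_runtime_compilation(events)


NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Roaming\temp.exe"
HW = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"

# Constructed from the report's process tree and IoC rows; PID 1000 and the
# benign controls (PIDs 2222, 6000, 6001) are invented for this example.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1952, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "reg_query", "pid": 1952, "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 4476, "ppid": 1952, "image": NET + r"\vbc.exe",
     "cmdline": f'"{NET}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\ee-0maks.cmdline"'},
    {"type": "process_create", "pid": 912, "ppid": 4476, "image": NET + r"\cvtres.exe",
     "cmdline": f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RESF898.tmp"'},
    {"type": "process_create", "pid": 4356, "ppid": 1952, "image": TEMP_EXE, "cmdline": f'"{TEMP_EXE}"'},
    {"type": "reg_query", "pid": 4356, "image": TEMP_EXE, "key": HW + r"\SystemBiosDate"},
    {"type": "reg_query", "pid": 4356, "image": TEMP_EXE, "key": HW + r"\SystemBiosVersion"},
    {"type": "reg_query", "pid": 4356, "image": TEMP_EXE, "key": HW + r"\BIOS\BaseBoardProduct"},
    # Benign controls: a single inventory read, and a build tool driving the compiler.
    {"type": "reg_query", "pid": 2222, "image": r"C:\Program Files\Inventory\agent.exe", "key": HW + r"\SystemBiosVersion"},
    {"type": "process_create", "pid": 6000, "ppid": 1000, "image": r"C:\Program Files\MSBuild\msbuild.exe", "cmdline": "msbuild.exe app.vbproj"},
    {"type": "process_create", "pid": 6001, "ppid": 6000, "image": NET + r"\vbc.exe",
     "cmdline": f'"{NET}\\vbc.exe" /noconfig @"C:\\build\\obj\\app.cmdline"'},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:<20} pid={f.pid:<5} {f.image}\n    {f.detail}")
```

Run as-is it reports exactly three findings: the geofence lookup by PID 1952, the fingerprinting bundle by PID 4356, and the vbc.exe launch (with its cvtres.exe child) by PID 4476; the lone BIOS read by the inventory agent and the msbuild-driven vbc.exe stay silent. The two-key threshold and the parent allowlist are the tunables; the vbc.exe rule also needs NLS\Language left out on purpose, since every process in the tree, including the benign ones, opens that key.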
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 1d08dd3535e517108d103774d756c7b4
SHA1: f48b5ba573681122c2dd0ef45f9f9ecf094dd774
SHA256: c9f7c2876fe68656c7ca75049dde7bf20475419dc543a68ec85008aa045d3436
SHA512: b235191c911fef6ce4de105070f3b903134301abccb05c5ab37fd0911984c07b5fb1c0448c021e604fdd5540d448ea21a16c4db14bf53ca8f501cc5e255d57db

Filesize: 892KB
MD5: f376af31deadaf2deeded400b19e6c85
SHA1: e6b7552076f57f2712e0a1b137c0b829954f4738
SHA256: 4c91daef9324fb4744f8a4e904bdedd0f9703c5ab758d7ed717c8f6ced8a9c0a
SHA512: 02c152b01397f424d44f3fd4ed73e04365468ad7fd2861a796d788de7f549ab068359e66d21b632c42a8a8b02446867af67dda090582a61ab175a3969aac4aef

Filesize: 138B
MD5: 317c03a5a11e395837508da657b798e6
SHA1: 65c48b14f8d0b6a0f3c1a7aec1265237f0e9d542
SHA256: d530d3462dc390c3886f98617d7674300d0e553f58ce87b34b0ac4603c0bd642
SHA512: 6f17b0e6ab3bca9f8faff769d095714da4988e5212166f568a2838f26be43c3faf3a48bcd0912682dedaf093d4eaa155d5aa3d972401899b5036ca89daba1c1c

Filesize: 1.7MB
MD5: fc992a01b38c22fd2fa5ab4bd83b20b9
SHA1: 961d4b9ef73eaa6d6e84fa2ea0a31fd53862daa0
SHA256: 96f28cdd93a047c39c819754fe385dfe1ed73daec9aeb35bc10b7047be4383ec
SHA512: 926e92cd702a1147ca0c040ad1111e8d27c2afa05dfb66b29d89985dd1af46e0c1e9fdfbf847ab515ed6e564e36687c73fd28f90fea09814ad34eeb8f72979c8

Filesize: 652B
MD5: 33f7a93ed8e2d4555c5e65cde9418a73
SHA1: 506806ff2887a0ce9d6a78aaf440b363116f47fe
SHA256: d123170653233134d4b14cd08a4e379db5e41418774d6a5f8de005bdeedbb1da
SHA512: dbe945579eeadf5378e7ea148c0cab0732c728446cd3bf82876e2f6a84f8a94324937777aaa1f45386a61822e4c92715275e59c37b7e7de8a11da724d32c1951

Filesize: 3.3MB
MD5: c4d6d3633382fe25a25aa4ee12a19560
SHA1: c6fd5d70f7609c589757fac45811dd7c1c63f93a
SHA256: 27b4ea627778b5f75622daab8c736f4024778b69ca93f2ec940e3d44107902d6
SHA512: 7b4d1471e2c79d9b23c6fda2d0388ffdfad174f6624625df14e86be16c345696640d43564848fdc9a4a0e228c2c70d783f936e1b11a8510ec8efb533b35b6aa7