Analysis
  max time kernel: 148s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04-10-2024 18:22
Static task: static1
Behavioral task: behavioral1
  Sample: 14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: 14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe
  Size: 521KB
  MD5: 14745af93b6e311e430d08382d7ad0db
  SHA1: 9dd4901c9930c3cf80320605b546d6c35d5b0a35
  SHA256: a7e3c5ad225b1960d46a78dbd4a67e931e61b45d1257d7dc14fdaf162a916b27
  SHA512: 2b48a42145df40fac8114daad139b568753cfc18794235af5bd02f3280bb4707e828d96605ba56f11073e5ce3057f0322ca9d3a14bbec2c39c2b8de7714fe033
  SSDEEP: 6144:d25mswOyIZjyMrmhc2TawPaOt2da2k78qh90GiTwXw35lk9jgvy89:d2wRIZgOOJDz9fA35lk9N
Malware Config
Signatures
- UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svvhost.exe" | 14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  14 | whatismyip.com
  22 | ip-address.domaintools.com
  25 | ip-address.domaintools.com
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Modifies registry key (1 TTPs, 1 IoCs)
  pid | Process
  2872 | reg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2960 | 14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2960 | 14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2960 wrote to memory of 3456 | 2960 | 14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe | 83
  PID 2960 wrote to memory of 3456 | 2960 | 14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe | 83
  PID 2960 wrote to memory of 3456 | 2960 | 14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe | 83
  PID 3456 wrote to memory of 2872 | 3456 | cmd.exe | 85
  PID 3456 wrote to memory of 2872 | 3456 | cmd.exe | 85
  PID 3456 wrote to memory of 2872 | 3456 | cmd.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14745af93b6e311e430d08382d7ad0db_JaffaCakes118.exe"
  PID: 2960
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    PID: 3456
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      PID: 2872
      - UAC bypass
      - System Location Discovery: System Language Discovery
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)