a9e43ba03fe9dc960295d36d9230b7e561f341d831a3e401ae68a4ef28daabf1

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe
Size

101KB
MD5

168e338a0fbb22b7cf63924d436afe1a
SHA1

d7a92c88d7c5004049387d5d42e292d418f6a397
SHA256

a9e43ba03fe9dc960295d36d9230b7e561f341d831a3e401ae68a4ef28daabf1
SHA512

ea5a37e1282d150fe137992b2e3f60d3a5b2391eeaaabdcd22910b1c5c829aa36d56963b3eab9bdf7f3c6743362416c3ce284c30ee34c96be7eb7fed16cbcd74
SSDEEP

1536:DhgEVEdBQg311Fu0DAq/BfBNM1c5ALltMuJcG5kXOezNoRIQxwaheVPiXEAPrVMC:9LE3511sotrKLMuv2zyIMwmeVaH73uK

Score

8^/10

defense_evasion discovery upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\PCIDump.sys	DS_Server.exe
File opened for modification	C:\Windows\SysWOW64\drivers\PCIDump.sys	serverqb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4480	DS_Server.exe
2688	130.exe
2444	serverqb.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\serverqb.exe	DS_Server.exe
File opened for modification	C:\Windows\SysWOW64\serverqb.exe	DS_Server.exe
File created	C:\Windows\SysWOW64\serverqb.exe	serverqb.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023360-5.dat	upx
behavioral2/memory/4480-12-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/files/0x00080000000233c5-17.dat	upx
behavioral2/memory/2688-26-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/2444-37-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2688-39-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/2688-42-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/2688-46-0x0000000000400000-0x000000000048D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DS_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	130.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	serverqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4480	DS_Server.exe
Token: SeIncBasePriorityPrivilege	2444	serverqb.exe
Token: 33	868	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	868	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe
2688	130.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	130.exe
2688	130.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 4480	1952	168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe	82
PID 1952 wrote to memory of 4480	1952	168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe	82
PID 1952 wrote to memory of 4480	1952	168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe	82
PID 1952 wrote to memory of 2688	1952	168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe	84
PID 1952 wrote to memory of 2688	1952	168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe	84
PID 1952 wrote to memory of 2688	1952	168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe	84
PID 4480 wrote to memory of 2444	4480	DS_Server.exe	85
PID 4480 wrote to memory of 2444	4480	DS_Server.exe	85
PID 4480 wrote to memory of 2444	4480	DS_Server.exe	85
PID 2444 wrote to memory of 2040	2444	serverqb.exe	86
PID 2444 wrote to memory of 2040	2444	serverqb.exe	86
PID 2444 wrote to memory of 2040	2444	serverqb.exe	86
PID 4480 wrote to memory of 1796	4480	DS_Server.exe	87
PID 4480 wrote to memory of 1796	4480	DS_Server.exe	87
PID 4480 wrote to memory of 1796	4480	DS_Server.exe	87

C:\Users\Admin\AppData\Local\Temp\168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\168e338a0fbb22b7cf63924d436afe1a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\DS_Server.exe
  "C:\Users\Admin\AppData\Local\Temp\DS_Server.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\serverqb.exe
    "C:\Windows\system32\serverqb.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\serverqb.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\DS_SER~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
- C:\Users\Admin\AppData\Local\Temp\130.exe
  "C:\Users\Admin\AppData\Local\Temp\130.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2688

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x448
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\130.exe

Filesize
78KB

MD5
e9a7a4078232b3aec8d1b0e58e09b1ee

SHA1
cbff227299facfa4283a80f33dceda929dfa5e27

SHA256
1482f5b621e23c7d404fa348b66c5831bcf25565553179723cd831f85d6f44e7

SHA512
2b1a31cfce1d5bc78d7522ecc9b9f0e8750d5a71f498b5ced69d7b4c1442c6a4430f407080927591df187cd6a7219d596ba195a44d66de1c35d7749fd7204f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\DS_Server.exe

Filesize
17KB

MD5
2642506650ac5ada29e46e24e6bb3d2d

SHA1
d922ac0148a343ffe6d20910f3f049a97da13900

SHA256
90677d892b05e80f6eddfc6cca1cae2b6a069c00008229942b0020e06b56df2f

SHA512
7ce91d07a53e028acbcbe4259fde8c4958833a9ae5610eaca7c05c65253a5eb0a931a3e3352d966ba9a9bdc59f7f3566a6c992a4abd4a9b727f79261fb9a1a30

Download Submit
C:\Windows\SysWOW64\drivers\PCIDump.sys

Filesize
4KB

MD5
d058dd1757e857d2cf1afcadce95a521

SHA1
3d5563ce8e7a11110d238b25711a176a63bfb703

SHA256
a0cd51ff93d087654b5ceccc279df8eb5e9783a530a3bca83a06c7f82025885d

SHA512
748937d6ae01ddbe97470754b73563c04e492d7980a8e0bbb9ed7838e85c8cff912d087204325664c3051aeba15606d23b9b507b211a6369e7ecc7bda175da44

Download Submit
memory/1952-0-0x0000000000400000-0x000000000041ADEF-memory.dmp

Filesize
107KB

Download
memory/1952-28-0x0000000000400000-0x000000000041ADEF-memory.dmp

Filesize
107KB

Download
memory/2444-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2688-26-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2688-39-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2688-42-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2688-46-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4480-12-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download