Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06-10-2024 23:34
Static task
static1
Behavioral task
behavioral1
Sample
1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe
-
Size
61KB
-
MD5
1a4d0f0002036b4c77841100a8e05f46
-
SHA1
a9733fe6b29bfa2aed64a4fc0d9eef7083252b84
-
SHA256
dc464ff6c0a7512b6c2582f1539176f1eb409e603fecde8a3eb19661eaffe60d
-
SHA512
7c2a166c5032b83cce37e007c380805f8f90f8fa0b35958c44b8cad349f61dabd8fe3d8f811a4e6fe33f09887401d4d0965eec4f3eb4237ea1d3af4c2e8d7ea5
-
SSDEEP
768:BKsMqCXfVcWlQM9ZkiANIULTYLDwUzc80gmq3oP/oDE:BKseSM9ZkiAPgr/0O8/oo
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe\"" 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Documents\desktop.ini 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2792 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe 2792 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2792 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2616 WMIC.exe Token: SeSecurityPrivilege 2616 WMIC.exe Token: SeTakeOwnershipPrivilege 2616 WMIC.exe Token: SeLoadDriverPrivilege 2616 WMIC.exe Token: SeSystemProfilePrivilege 2616 WMIC.exe Token: SeSystemtimePrivilege 2616 WMIC.exe Token: SeProfSingleProcessPrivilege 2616 WMIC.exe Token: SeIncBasePriorityPrivilege 2616 WMIC.exe Token: SeCreatePagefilePrivilege 2616 WMIC.exe Token: SeBackupPrivilege 2616 WMIC.exe Token: SeRestorePrivilege 2616 WMIC.exe Token: SeShutdownPrivilege 2616 WMIC.exe Token: SeDebugPrivilege 2616 WMIC.exe Token: SeSystemEnvironmentPrivilege 2616 WMIC.exe Token: SeRemoteShutdownPrivilege 2616 WMIC.exe Token: SeUndockPrivilege 2616 WMIC.exe Token: SeManageVolumePrivilege 2616 WMIC.exe Token: 33 2616 WMIC.exe Token: 34 2616 WMIC.exe Token: 35 2616 WMIC.exe Token: SeIncreaseQuotaPrivilege 2616 WMIC.exe Token: SeSecurityPrivilege 2616 WMIC.exe Token: SeTakeOwnershipPrivilege 2616 WMIC.exe Token: SeLoadDriverPrivilege 2616 WMIC.exe Token: SeSystemProfilePrivilege 2616 WMIC.exe Token: SeSystemtimePrivilege 2616 WMIC.exe Token: SeProfSingleProcessPrivilege 2616 WMIC.exe Token: SeIncBasePriorityPrivilege 2616 WMIC.exe Token: SeCreatePagefilePrivilege 2616 WMIC.exe Token: SeBackupPrivilege 2616 WMIC.exe Token: SeRestorePrivilege 2616 WMIC.exe Token: SeShutdownPrivilege 2616 WMIC.exe Token: SeDebugPrivilege 2616 WMIC.exe Token: SeSystemEnvironmentPrivilege 2616 WMIC.exe Token: SeRemoteShutdownPrivilege 2616 WMIC.exe Token: SeUndockPrivilege 2616 WMIC.exe Token: SeManageVolumePrivilege 2616 WMIC.exe Token: 33 2616 WMIC.exe Token: 34 2616 WMIC.exe Token: 35 2616 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2792 wrote to memory of 1588 2792 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe 28 PID 2792 wrote to memory of 1588 2792 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe 28 PID 2792 wrote to memory of 1588 2792 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe 28 PID 2792 wrote to memory of 1588 2792 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe 28 PID 1588 wrote to memory of 2616 1588 cmd.exe 30 PID 1588 wrote to memory of 2616 1588 cmd.exe 30 PID 1588 wrote to memory of 2616 1588 cmd.exe 30 PID 1588 wrote to memory of 2616 1588 cmd.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-