Analysis
-
max time kernel
31s -
max time network
43s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-10-2024 23:34
Static task
static1
Behavioral task
behavioral1
Sample
1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Errors
General
-
Target
1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe
-
Size
61KB
-
MD5
1a4d0f0002036b4c77841100a8e05f46
-
SHA1
a9733fe6b29bfa2aed64a4fc0d9eef7083252b84
-
SHA256
dc464ff6c0a7512b6c2582f1539176f1eb409e603fecde8a3eb19661eaffe60d
-
SHA512
7c2a166c5032b83cce37e007c380805f8f90f8fa0b35958c44b8cad349f61dabd8fe3d8f811a4e6fe33f09887401d4d0965eec4f3eb4237ea1d3af4c2e8d7ea5
-
SSDEEP
768:BKsMqCXfVcWlQM9ZkiANIULTYLDwUzc80gmq3oP/oDE:BKseSM9ZkiAPgr/0O8/oo
Malware Config
Signatures
-
Renames multiple (90) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe\"" 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Desktop\desktop.ini 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 api.ipify.org 7 api.ipify.org -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 704 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe 704 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 704 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4308 WMIC.exe Token: SeSecurityPrivilege 4308 WMIC.exe Token: SeTakeOwnershipPrivilege 4308 WMIC.exe Token: SeLoadDriverPrivilege 4308 WMIC.exe Token: SeSystemProfilePrivilege 4308 WMIC.exe Token: SeSystemtimePrivilege 4308 WMIC.exe Token: SeProfSingleProcessPrivilege 4308 WMIC.exe Token: SeIncBasePriorityPrivilege 4308 WMIC.exe Token: SeCreatePagefilePrivilege 4308 WMIC.exe Token: SeBackupPrivilege 4308 WMIC.exe Token: SeRestorePrivilege 4308 WMIC.exe Token: SeShutdownPrivilege 4308 WMIC.exe Token: SeDebugPrivilege 4308 WMIC.exe Token: SeSystemEnvironmentPrivilege 4308 WMIC.exe Token: SeRemoteShutdownPrivilege 4308 WMIC.exe Token: SeUndockPrivilege 4308 WMIC.exe Token: SeManageVolumePrivilege 4308 WMIC.exe Token: 33 4308 WMIC.exe Token: 34 4308 WMIC.exe Token: 35 4308 WMIC.exe Token: 36 4308 WMIC.exe Token: SeIncreaseQuotaPrivilege 4308 WMIC.exe Token: SeSecurityPrivilege 4308 WMIC.exe Token: SeTakeOwnershipPrivilege 4308 WMIC.exe Token: SeLoadDriverPrivilege 4308 WMIC.exe Token: SeSystemProfilePrivilege 4308 WMIC.exe Token: SeSystemtimePrivilege 4308 WMIC.exe Token: SeProfSingleProcessPrivilege 4308 WMIC.exe Token: SeIncBasePriorityPrivilege 4308 WMIC.exe Token: SeCreatePagefilePrivilege 4308 WMIC.exe Token: SeBackupPrivilege 4308 WMIC.exe Token: SeRestorePrivilege 4308 WMIC.exe Token: SeShutdownPrivilege 4308 WMIC.exe Token: SeDebugPrivilege 4308 WMIC.exe Token: SeSystemEnvironmentPrivilege 4308 WMIC.exe Token: SeRemoteShutdownPrivilege 4308 WMIC.exe Token: SeUndockPrivilege 4308 WMIC.exe Token: SeManageVolumePrivilege 4308 WMIC.exe Token: 33 4308 WMIC.exe Token: 34 4308 WMIC.exe Token: 35 4308 WMIC.exe Token: 36 4308 WMIC.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 704 wrote to memory of 4088 704 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe 82 PID 704 wrote to memory of 4088 704 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe 82 PID 704 wrote to memory of 4088 704 1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe 82 PID 4088 wrote to memory of 4308 4088 cmd.exe 84 PID 4088 wrote to memory of 4308 4088 cmd.exe 84 PID 4088 wrote to memory of 4308 4088 cmd.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a4d0f0002036b4c77841100a8e05f46_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
-