b5400895b5618797c36dc82b007ea707521b31b425f9a3af7754b7856e673f72

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
Size

216KB
MD5

1814bd26ef7362967ef0151d22c4fdb8
SHA1

5506d7fa24bfc070f44e4a75105d71bc2379fbcc
SHA256

b5400895b5618797c36dc82b007ea707521b31b425f9a3af7754b7856e673f72
SHA512

fd886049aa4a5365e9927e4c254b2109476d63bbf791db06ee462bd4962812af82ff39532eed42c7b69dcf025c76ea9f08b93c31db785a8244065a4caab7b0da
SSDEEP

3072:Muiqy3ePOYe4bu1epDh8RWsAcSbkKYjRMmSCH8RWXoiISUmjO3Nney9:E3yOYTuxVkURMRdUjSJ

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\loop.sys	DrvInst.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	amd64.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF	amd64.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\loop.sys	DrvInst.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Inf\Netloop.PNF	amd64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	amd64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 46 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	amd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	amd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	amd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	amd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	amd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	amd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	amd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	amd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	amd64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2396	amd64.exe
Token: SeAuditPrivilege	492	svchost.exe
Token: SeSecurityPrivilege	492	svchost.exe
Token: SeRestorePrivilege	1952	DrvInst.exe
Token: SeBackupPrivilege	1952	DrvInst.exe
Token: SeLoadDriverPrivilege	1952	DrvInst.exe
Token: SeLoadDriverPrivilege	1952	DrvInst.exe
Token: SeLoadDriverPrivilege	1952	DrvInst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3236	4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe	82
PID 4044 wrote to memory of 3236	4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe	82
PID 3236 wrote to memory of 2396	3236	cmd.exe	84
PID 3236 wrote to memory of 2396	3236	cmd.exe	84
PID 492 wrote to memory of 1952	492	svchost.exe	87
PID 492 wrote to memory of 1952	492	svchost.exe	87
PID 4044 wrote to memory of 3984	4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe	97
PID 4044 wrote to memory of 3984	4044	1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1814bd26ef7362967ef0151d22c4fdb8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\amd64.exe
    "C:\Users\Admin\AppData\Local\Temp\amd64.exe" install C:\Windows\Inf\Netloop.inf *MSLOOP
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" int ip add address name="Ethernet 2" 109.234.73.11 255.255.255.0
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:492
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\netloop.inf" "netloop.inf:db04a16c8f2dc9fb:kmloop.ndi:10.0.19041.1:*msloop," "4632877cf" "000000000000013C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\amd64.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
116B

MD5
61e3871767fb8ae1b50b40c81992ede7

SHA1
b9287a666c9419f4f39488b1b6fea5769dcb7dad

SHA256
f580868d82a0f6f413d92414b3e465bf5adacfc3dac236e33dcc0bb75bcadd69

SHA512
749beccd8ebad17746447ae0ee42f27ae0f83b3b0365832e066bf55f247106c54ed1f88f08065d1ecb8db04cf3ce99e833382262734e9c45139f6b5db31adb49

Download Submit
memory/4044-3-0x000000001BA20000-0x000000001BABC000-memory.dmp

Filesize
624KB

Download
memory/4044-0-0x00007FFE7A885000-0x00007FFE7A886000-memory.dmp

Filesize
4KB

Download
memory/4044-4-0x00007FFE7A5D0000-0x00007FFE7AF71000-memory.dmp

Filesize
9.6MB

Download
memory/4044-5-0x0000000001410000-0x0000000001418000-memory.dmp

Filesize
32KB

Download
memory/4044-6-0x00007FFE7A5D0000-0x00007FFE7AF71000-memory.dmp

Filesize
9.6MB

Download
memory/4044-7-0x00007FFE7A5D0000-0x00007FFE7AF71000-memory.dmp

Filesize
9.6MB

Download
memory/4044-8-0x00007FFE7A5D0000-0x00007FFE7AF71000-memory.dmp

Filesize
9.6MB

Download
memory/4044-2-0x000000001C000000-0x000000001C4CE000-memory.dmp

Filesize
4.8MB

Download
memory/4044-1-0x00007FFE7A5D0000-0x00007FFE7AF71000-memory.dmp

Filesize
9.6MB

Download
memory/4044-21-0x00007FFE7A885000-0x00007FFE7A886000-memory.dmp

Filesize
4KB

Download
memory/4044-22-0x00007FFE7A5D0000-0x00007FFE7AF71000-memory.dmp

Filesize
9.6MB

Download
memory/4044-23-0x00007FFE7A5D0000-0x00007FFE7AF71000-memory.dmp

Filesize
9.6MB

Download