Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08-10-2024 23:35
Behavioral task
behavioral1
Sample
271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
-
Size
46KB
-
MD5
271e09bdd7b647f0939f4cd54bdc729b
-
SHA1
f5e301c48697713ef4ca48fa6b235ff707e2c014
-
SHA256
b13a50604a7b7d5a2aafb3321852662c7352c75e4f795757e70ce45ab75c12f7
-
SHA512
1ecba623a941a8361a4ddb63e7475b9e5a7ada77bca7d2cfca568eef4a5b927f5a4bb2870e5a2afdcd550bce1bfefe54bbd769149ae705c8c94532acd2b06a83
-
SSDEEP
768:sMZ7vJNs3AS+G3niSALXUHSzIRDfODftR3lNJJKvAbD/Nu07qFB18Nl:sQLJzS1yIrOdPJAAVu2skl
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\MgicRc.sys | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\MgicRc.sys | svchost.exe
Note: the sample is a 32-bit executable running under WoW64 (its child cmd.exe and the service host are the SysWOW64 copies), so its writes to System32\drivers are redirected to SysWOW64\drivers. The logged .sys path is therefore the redirected one, not the directory the 64-bit kernel loads drivers from.
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\chike.dll" | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
Note: this ServiceDll value points svchost.exe at the dropped chike.dll; the matching svchost.exe -k netsvcs -s FastUserSwitchingCompatibility instance (PID 3224) appears in the Processes list below and is the process that loads the dropped DLL and opens MgicRc.sys.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1136 | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
3224 | svchost.exe
-
resource | yara_rule
behavioral2/memory/1136-0-0x0000000000400000-0x0000000000418000-memory.dmp | vmprotect
behavioral2/memory/1136-1-0x0000000000400000-0x0000000000418000-memory.dmp | vmprotect
behavioral2/memory/1136-18-0x0000000000400000-0x0000000000418000-memory.dmp | vmprotect
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\chike.dll | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\chike.dll | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1136 | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
1136 | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
1136 | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
1136 | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
3224 | svchost.exe
3224 | svchost.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
664 | Process not Found
664 | Process not Found
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1136 wrote to memory of 2000 | 1136 | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe | 88
PID 1136 wrote to memory of 2000 | 1136 | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe | 88
PID 1136 wrote to memory of 2000 | 1136 | 271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe | 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1136 -
  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240629015.bat" "
  2⤵
- System Location Discovery: System Language Discovery
PID:2000
-
-
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3224
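The three behaviours that matter for detection here (a ServiceDll value rewritten by a non-installer process, a .sys file dropped into a drivers directory, and a service host started for the hijacked service name) can be correlated from endpoint telemetry. The following Python is an added example written for this page, not the sandbox's own code: it runs three rules over constructed Sysmon-style events that mirror the IoCs above (the event dicts, the allowlists of legitimate ServiceDll and driver writers, and the benign look-alike events are all assumptions to be tuned per environment) and correlates the svchost.exe -s <service> start with the earlier ServiceDll write.

```python
import re

# Constructed Sysmon-style events modelled on the IoCs in this report; these
# are not the sandbox's own log lines. EventID 13 = registry value set,
# 11 = file create, 1 = process create. Benign look-alikes (an MSI installer
# setting a ServiceDll, drvinst.exe staging a driver, the SCM starting the
# Schedule service) are included to show the rules stay quiet on them.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\271e09bdd7b647f0939f4cd54bdc729b_JaffaCakes118.exe")
SERVICES_EXE = r"C:\Windows\System32\services.exe"

SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services"
                     r"\FastUserSwitchingCompatibility\Parameters\ServiceDll",
     "Details": r"C:\Windows\system32\chike.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Schedule\Parameters\ServiceDll",
     "Details": r"%SystemRoot%\system32\schedsvc.dll"},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\SysWOW64\drivers\MgicRc.sys"},
    {"EventID": 11, "Image": r"C:\Windows\System32\drvinst.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\usbxhci.sys"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\svchost.exe", "ParentImage": SERVICES_EXE,
     "CommandLine": r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": SERVICES_EXE,
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
]

# Assumed allowlists (tune per environment): processes that legitimately write
# ServiceDll values or place .sys files during installation and servicing.
SERVICEDLL_WRITERS = {"services.exe", "msiexec.exe", "trustedinstaller.exe",
                      "tiworker.exe", "poqexec.exe"}
DRIVER_WRITERS = {"drvinst.exe", "trustedinstaller.exe", "tiworker.exe",
                  "poqexec.exe", "dism.exe"}

SERVICEDLL_RE = re.compile(r"\\Services\\([^\\]+)\\Parameters\\ServiceDll$", re.IGNORECASE)
DRIVERS_DIR_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
SVCHOST_S_RE = re.compile(r"svchost\.exe.*\s-s\s+(\S+)", re.IGNORECASE)


def basename(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return [(rule_name, details), ...] in event order.

    Pass 1 flags ServiceDll values written by untrusted processes and records
    the service names; pass 2 flags driver drops and any svchost.exe started
    with -s <service> for one of those hijacked names.
    """
    findings, hijacked = [], set()
    for ev in events:
        if ev["EventID"] != 13:
            continue
        m = SERVICEDLL_RE.search(ev["TargetObject"])
        if m and basename(ev["Image"]) not in SERVICEDLL_WRITERS:
            hijacked.add(m.group(1).lower())
            findings.append(("servicedll_set_by_untrusted_writer",
                             {"service": m.group(1), "dll": ev["Details"],
                              "writer": basename(ev["Image"])}))
    for ev in events:
        if ev["EventID"] == 11:
            m = DRIVERS_DIR_RE.search(ev["TargetFilename"])
            if not m:
                continue
            if basename(ev["Image"]) not in DRIVER_WRITERS:
                findings.append(("driver_dropped_by_untrusted_writer",
                                 {"file": ev["TargetFilename"],
                                  "writer": basename(ev["Image"])}))
            if m.group(1).lower() == "syswow64":
                # A 32-bit process writing to System32\drivers lands here via
                # WoW64 file-system redirection; x64 driver installers do not
                # write to SysWOW64\drivers, so the path alone is a strong signal.
                findings.append(("driver_written_to_wow64_redirected_path",
                                 {"file": ev["TargetFilename"]}))
        elif ev["EventID"] == 1:
            m = SVCHOST_S_RE.search(ev.get("CommandLine", ""))
            if m and m.group(1).lower() in hijacked:
                findings.append(("svchost_hosting_hijacked_service",
                                 {"service": m.group(1), "image": ev["Image"]}))
    return findings


if __name__ == "__main__":
    for rule, details in analyze(SAMPLE_EVENTS):
        print(rule, details)
```

On the constructed input the four findings all come from the sample's events; the msiexec.exe, drvinst.exe and Schedule events produce none. The correlation in pass 2 is what makes the svchost.exe start actionable: on its own, -k netsvcs -s <name> is routine, but it is not routine for a service whose ServiceDll was just written by a process in a user's Temp directory.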
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
259B
MD5 8dc257227f939af27df66a48a1c60fc9
SHA1 6200e36aff1b2532a4185275e2952f26499d0afb
SHA256 95cf0196cc6441030b40a74004cfc1c13cd185a0d30710080d945a0bcc79932b
SHA512 e32ed2462e8566cd1d55e65ec764c34893d8eeb3343428f367bb208e878c384a77f7d082661cf55ac1496543bb804bb29ce0c0f4aca4c8c326f2a19fa3d9834e
-
Filesize
19KB
MD5 1be81d5d4b93660cdb99789e4fc59c25
SHA1 0382c9c3744ce862f63a097a308638cde86b69f3
SHA256 2fe2d8acd961f687e5155f0ea15dbbf0a29c6aa6b8caab594a1798f4d4b10f7a
SHA512 dc0e8115cf8e2a62f3138438068ca74a255fe0c3d0f719bb0650d15e355d199209a8de8d94a8b0fdef00bb24c43f923c3274174af1aa2c08174c73558a226244
-
Filesize
2KB
MD5 058bf2e0728e3d36308bf49ca10b9072
SHA1 ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6
SHA256 9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70
SHA512 e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2