Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2024 01:19
Static task
static1
Behavioral task
behavioral1
Sample
28558cb675285ad2605c85b344360953_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
28558cb675285ad2605c85b344360953_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
28558cb675285ad2605c85b344360953_JaffaCakes118.exe
-
Size
345KB
-
MD5
28558cb675285ad2605c85b344360953
-
SHA1
e178fcdaa47e95f5b947bb5f33a711c61b8aeb57
-
SHA256
5252ad74024ea42646b742d764850ed3e95e16b74c02019315b6c6bd33e6bea4
-
SHA512
3c136f3e814039e43174006464ccea1dcbe7a793136cbe401e0d5f0a1668847df3005ebb0a7131a01055a65bc47060b6e508794943f5744315aa93707cfeb240
-
SSDEEP
6144:xbMZkl9RKKy/pFj2ORB/qW3zfSzxgSgrREtd:vlKhVvRF3zfSXt
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Drops startup file 1 IoCs
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
Processes:
tmp.exepid Process 4636 tmp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Monitor = "C:\\Program Files (x86)\\SCSI Monitor\\scsimon.exe" 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exedescription ioc Process File created C:\Windows\assembly\Desktop.ini 28558cb675285ad2605c85b344360953_JaffaCakes118.exe File opened for modification C:\Windows\assembly\Desktop.ini 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exedescription pid Process procid_target PID 1408 set thread context of 2220 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 90 -
Drops file in Program Files directory 2 IoCs
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exedescription ioc Process File created C:\Program Files (x86)\SCSI Monitor\scsimon.exe 28558cb675285ad2605c85b344360953_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\SCSI Monitor\scsimon.exe 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Drops file in Windows directory 3 IoCs
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exedescription ioc Process File opened for modification C:\Windows\assembly 28558cb675285ad2605c85b344360953_JaffaCakes118.exe File created C:\Windows\assembly\Desktop.ini 28558cb675285ad2605c85b344360953_JaffaCakes118.exe File opened for modification C:\Windows\assembly\Desktop.ini 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes:
cmd.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
tmp.exeschtasks.exereg.execmd.exe28558cb675285ad2605c85b344360953_JaffaCakes118.execmd.exetimeout.exeschtasks.exe28558cb675285ad2605c85b344360953_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28558cb675285ad2605c85b344360953_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid Process 4844 timeout.exe -
NTFS ADS 1 IoCs
Processes:
cmd.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid Process 4992 schtasks.exe 2496 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exe28558cb675285ad2605c85b344360953_JaffaCakes118.exepid Process 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exepid Process 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.exe28558cb675285ad2605c85b344360953_JaffaCakes118.exedescription pid Process Token: SeDebugPrivilege 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe Token: 33 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe Token: SeDebugPrivilege 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
28558cb675285ad2605c85b344360953_JaffaCakes118.execmd.exe28558cb675285ad2605c85b344360953_JaffaCakes118.execmd.exedescription pid Process procid_target PID 1408 wrote to memory of 3728 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 86 PID 1408 wrote to memory of 3728 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 86 PID 1408 wrote to memory of 3728 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 86 PID 3728 wrote to memory of 3352 3728 cmd.exe 88 PID 3728 wrote to memory of 3352 3728 cmd.exe 88 PID 3728 wrote to memory of 3352 3728 cmd.exe 88 PID 1408 wrote to memory of 4636 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 89 PID 1408 wrote to memory of 4636 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 89 PID 1408 wrote to memory of 4636 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 89 PID 1408 wrote to memory of 2220 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 90 PID 1408 wrote to memory of 2220 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 90 PID 1408 wrote to memory of 2220 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 90 PID 1408 wrote to memory of 2220 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 90 PID 1408 wrote to memory of 2220 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 90 PID 1408 wrote to memory of 2220 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 90 PID 1408 wrote to memory of 2220 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 90 PID 1408 wrote to memory of 2220 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 90 PID 1408 wrote to memory of 2064 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 91 PID 1408 wrote to memory of 2064 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 91 PID 1408 wrote to memory of 2064 1408 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 91 PID 2220 wrote to memory of 4992 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 93 PID 2220 wrote to memory of 4992 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 93 PID 2220 wrote to memory of 4992 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 93 PID 2064 wrote to memory of 4844 2064 cmd.exe 95 PID 2064 wrote to memory of 4844 2064 cmd.exe 95 PID 2064 wrote to memory of 4844 2064 cmd.exe 95 PID 2220 wrote to memory of 2496 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 96 PID 2220 wrote to memory of 2496 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 96 PID 2220 wrote to memory of 2496 2220 28558cb675285ad2605c85b344360953_JaffaCakes118.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\28558cb675285ad2605c85b344360953_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\28558cb675285ad2605c85b344360953_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f3⤵
- System Location Discovery: System Language Discovery
PID:3352
-
-
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4636
-
-
C:\Users\Admin\AppData\Local\Temp\28558cb675285ad2605c85b344360953_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\28558cb675285ad2605c85b344360953_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SCSI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8CCF.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4992
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SCSI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8D6C.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2496
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\timeout.exetimeout /t 3003⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4844
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD581e4e2bc47a0e4ade3c2a2d18593cf77
SHA1c156b8688d7450ec4aa8bf5a4cc61879e794f008
SHA256821db79c0a9c9d88e54622203989f12e55f283dfd6ae69a4a038bcbb95942d4f
SHA512470ad5bc12aaab00760fb8efba427b6d1fd8d9a39f2bf866d3f325a4b0f72546ca9570cfeea93ecb60bfb456d35f88d65bfd94a149335d22cbb41328ef17f825
-
Filesize
1KB
MD52862e61d09852ea2886c036af0465051
SHA145e30b14543868213f7f1cba0a1e0cc840fb2cd2
SHA256d4ba6219d0aff5a36d129a8475cf35b00043d205f751f63ddd56a5c7d4a03ff3
SHA51233dfd9d12adaa19dd3d4dd7013930e233dd3ff1d114e1e86e50d20ffa848a27582eebdffc09ab974b8de86316c01da6f6254f349992ad507d0f8b13cf0e36579
-
Filesize
345KB
MD528558cb675285ad2605c85b344360953
SHA1e178fcdaa47e95f5b947bb5f33a711c61b8aeb57
SHA2565252ad74024ea42646b742d764850ed3e95e16b74c02019315b6c6bd33e6bea4
SHA5123c136f3e814039e43174006464ccea1dcbe7a793136cbe401e0d5f0a1668847df3005ebb0a7131a01055a65bc47060b6e508794943f5744315aa93707cfeb240
-
Filesize
189B
MD5dca86f6bec779bba1b58d992319e88db
SHA1844e656d3603d15ae56f36298f8031ad52935829
SHA256413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743
SHA5124b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c
-
Filesize
203KB
MD58468c7f0f541de6a339f3d158526f6fa
SHA1d99f45035367fbde27b2b86a7662b897f2c8c1e5
SHA25666ff36afc07c20d972de51a37c431fc48e6712ec45b8fb3188e1d848c227c81e
SHA512c1c504b0a8ef7a02ba43faefb8f8686d683c7e423dd9e912a2be33040bfcdafc09f8715eb199c0f27a74166c6c0310bd7409524f7366d7a480a4a8cf581a36aa