Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2024 22:10

General

  • Target

    3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe

  • Size

    6.1MB

  • MD5

    3c482e0e708ca8a714a5b2623f14fe6c

  • SHA1

    039ef958e0f3f331980b02103f9fd012ef370411

  • SHA256

    9931594c94b941e73879bb1818f7bb691e64885d6c8c6b877372d89f6881ee6b

  • SHA512

    134c769f040ed4a9fbdfd0946ce58e0b5264f33d215953584ea0e7e7836c899aceb6ffe2d69aefdc30fb3b671f186570b2f9462ec7eac808a8553e370a68c5a2

  • SSDEEP

    98304:f3HOZJ6BQaLV7Y8PrsR7DEbtLzRnRNcRAqN:PHOZJ6nJnDsNAtNzcR

Malware Config

Signatures

  • UAC bypass 3 TTPs 6 IoCs
  • Drops file in Drivers directory 5 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Checks computer location settings
    • Adds Run key to start application
    • Checks for any installed AV software in registry
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:444
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM MSASCui* /IM avg* /IM ash* /IM McSA*
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\SysWOW64\wbem\mofcomp.exe
      "C:\Windows\System32\wbem\mofcomp.exe" "C:\Users\Admin\AppData\Local\Temp\51.mof"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1396
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe" "Windows Protection Suite" ENABLE
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4912

Network

MITRE ATT&CK Enterprise v15


Downloads
