Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/10/2024, 20:10
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe
  Resource: win7-20240903-en
- Behavioral task: behavioral2
  Sample: 49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: 49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe
- Size: 521KB
- MD5: 49c8a036eae3c0e9e599a53d98113cb2
- SHA1: f6d872357b267e988a9ad33a196bd04eef42deb7
- SHA256: e4e34486b6399b398c6262e7ff84a80620f3bd812682f3414ec91c362df7b957
- SHA512: 07fed586edcf61215daf6d9d6e52bb7e906fbaf8998e3b6e251a0d6097b5fa32107cf3cfa98e235ec535cd3646b532fcf72275f7ede92244f0a9ce8473d7a7df
- SSDEEP: 6144:N25mswOyIZjyMrmhc2TawqaOt2da2k78qh90GiTwXw35lk9jgvy89:N2wRIZgFOJDz9fA35lk9N
Malware Config
Signatures
- UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svvhost.exe" | 49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  13 | whatismyip.com
  25 | ip-address.domaintools.com
  27 | ip-address.domaintools.com
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Modifies registry key (1 TTPs, 1 IoC)
  pid | Process
  2736 | reg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4868 | 49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4868 | 49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4868 wrote to memory of 1884 | 4868 | 49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe | 87
  PID 4868 wrote to memory of 1884 | 4868 | 49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe | 87
  PID 4868 wrote to memory of 1884 | 4868 | 49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe | 87
  PID 1884 wrote to memory of 2736 | 1884 | cmd.exe | 89
  PID 1884 wrote to memory of 2736 | 1884 | cmd.exe | 89
  PID 1884 wrote to memory of 2736 | 1884 | cmd.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49c8a036eae3c0e9e599a53d98113cb2_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4868
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1884
    - C:\Windows\SysWOW64\reg.exe
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 2736
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)