Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
16-10-2024 18:36
Static task
static1
Behavioral task
behavioral1
Sample
4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe
-
Size
220KB
-
MD5
4e62ce349bf0b83eb5290e166f8b1640
-
SHA1
2cfed0ac41cef40837ae9efff2ac53a0fcb4a7c6
-
SHA256
cc3a14fc4597290919d7f8b806634f722a50eead9319bd115a84cb0cd3691227
-
SHA512
4204502044adb6c429d85eea7ad656f6677361e716f606a44b469006e9fc33fd527d12a58255a46abf192f80e77256ab434f211ffefd7eba098a8236d2b93ebc
-
SSDEEP
3072:4Vnaqq7y2RpRlrtowJL1rnEbgQInHNY5aMdflZs68jv:ynaqq7J3iuhWgrntShyv
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a5900ac.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5900a = "C:\\a5900ac\\a5900ac.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*5900a = "C:\\a5900ac\\a5900ac.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5900ac = "C:\\Users\\Admin\\AppData\\Roaming\\a5900ac.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*5900ac = "C:\\Users\\Admin\\AppData\\Roaming\\a5900ac.exe" explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 880 vssadmin.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1996 4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe 2572 explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2968 vssvc.exe Token: SeRestorePrivilege 2968 vssvc.exe Token: SeAuditPrivilege 2968 vssvc.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 1996 4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1996 wrote to memory of 2572 1996 4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe 30 PID 1996 wrote to memory of 2572 1996 4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe 30 PID 1996 wrote to memory of 2572 1996 4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe 30 PID 1996 wrote to memory of 2572 1996 4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe 30 PID 2572 wrote to memory of 2160 2572 explorer.exe 31 PID 2572 wrote to memory of 2160 2572 explorer.exe 31 PID 2572 wrote to memory of 2160 2572 explorer.exe 31 PID 2572 wrote to memory of 2160 2572 explorer.exe 31 PID 2572 wrote to memory of 880 2572 explorer.exe 32 PID 2572 wrote to memory of 880 2572 explorer.exe 32 PID 2572 wrote to memory of 880 2572 explorer.exe 32 PID 2572 wrote to memory of 880 2572 explorer.exe 32 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\syswow64\svchost.exe-k netsvcs3⤵
- System Location Discovery: System Language Discovery
PID:2160
-
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:880
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968