Analysis
max time kernel: 138s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-10-2024 12:17
Static task: static1
Behavioral task: behavioral1
  Sample: 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
Size: 9.0MB
MD5: 52068d2c83ead1110b9b14a5c04f60a6
SHA1: e7e07ec9e933535d23f313d020970013b99a4623
SHA256: 196330c1c1542c8c37990c62be98390f691914b83ad9f5be7f581e2f1668bd2e
SHA512: c0ab8781b345001052d59646f9f75a7513553544d60b2ec5db0709e873f35eed1eb552689f22d0b328681a0b2d6fedab105f8d6a62713a96b51ce73414c43cd6
SSDEEP: 196608:NXXafSzHXxF23x6y6kp1S7I05v95vi1zwr9w:tXr363YEYU05v9ANwr9w
Malware Config
Signatures
Loads dropped DLL 1 IoCs
pid | Process
3416 | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\assembly | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
File created | C:\Windows\assembly\Desktop.ini | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dw20.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3416 | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
Token: SeRestorePrivilege | 5012 | dw20.exe
Token: SeBackupPrivilege | 5012 | dw20.exe
Token: SeBackupPrivilege | 5012 | dw20.exe
Token: SeBackupPrivilege | 5012 | dw20.exe
Token: SeBackupPrivilege | 5012 | dw20.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3416 | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
3416 | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3416 wrote to memory of 5012 | 3416 | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe | 94
PID 3416 wrote to memory of 5012 | 3416 | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe | 94
PID 3416 wrote to memory of 5012 | 3416 | 52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe | 94
Processes
C:\Users\Admin\AppData\Local\Temp\52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\52068d2c83ead1110b9b14a5c04f60a6_JaffaCakes118.exe"
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3416
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 2636
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
Network
MITRE ATT&CK Enterprise v15
Downloads