Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2024 16:33
Static task: static1
Behavioral task: behavioral1
  Sample: 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
Size: 104KB
MD5: 6fe284c5efe5f5c415641eff9f92287b
SHA1: aaae1a278b19277f7c7fd2dd0c3dccc3dc30b2e3
SHA256: 6b5c8119706e5824d1d0d2c6a6694e56750f1066c84bdf37a1e949815c36fae9
SHA512: 795b088c90097c6988940dc70a3f720efc6893ca431caae48f7477d34a2368aedea726a23fa24e8f6366beaa4aac3f95a40997c5c0a20067473a190bdb2eedb0
SSDEEP: 1536:KErnyDPU0gLr9Twk4KTOGHcKhgnPZcHHTuipl/oUY3Fw:DTyDPU0gLrHpOYenPZcn3lgUY
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: Rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Rundll32.exe
Executes dropped EXE (2 IoCs)
Processes: system.exe, 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
  pid | process
  1964 | system.exe
  2556 | 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
Loads dropped DLL (3 IoCs)
Processes: Rundll32.exe, Rundll32.exe
  pid | process
  3416 | Rundll32.exe
  396 | Rundll32.exe
  396 | Rundll32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | Rundll32.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Rundll32.exe
  description | ioc | process
  File opened (read-only) | \??\D: | Rundll32.exe
  File opened (read-only) | \??\F: | Rundll32.exe
Drops file in System32 directory (3 IoCs)
Processes: 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe, system.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\system.exe | 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\liwxogaa.dll | system.exe
  File created | C:\Windows\SysWOW64\qidaogaa.dll | system.exe
Drops file in Program Files directory (1 IoC)
Processes: Rundll32.exe
  description | ioc | process
  File opened for modification | C:\Program Files\KAV\CDriver.sys | Rundll32.exe
Launches sc.exe (3 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe
  pid | process
  4864 | sc.exe
  2164 | sc.exe
  2988 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: sc.exe, 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe, system.exe, sc.exe, sc.exe, net1.exe, net1.exe, Rundll32.exe, 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe, Rundll32.exe, net.exe, net.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: Rundll32.exe, Rundll32.exe
  pid | process
  3416 | Rundll32.exe (recorded 10 times)
  396 | Rundll32.exe (recorded 2 times)
Suspicious behavior: LoadsDriver (1 IoC)
Processes:
  pid | process
  660 |
Suspicious behavior: RenamesItself (1 IoC)
Processes: 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
  pid | process
  1640 | 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (33 IoCs)
Processes: 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe, system.exe, Rundll32.exe, net.exe, net.exe
  description | pid | process | target pid | target process (each row was recorded 3 times; 11 distinct rows, 33 entries)
  wrote to memory of | 1640 | 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe | 1964 | system.exe
  wrote to memory of | 1964 | system.exe | 3416 | Rundll32.exe
  wrote to memory of | 3416 | Rundll32.exe | 3488 | net.exe
  wrote to memory of | 3416 | Rundll32.exe | 3112 | net.exe
  wrote to memory of | 3416 | Rundll32.exe | 2164 | sc.exe
  wrote to memory of | 3416 | Rundll32.exe | 4864 | sc.exe
  wrote to memory of | 3112 | net.exe | 2940 | net1.exe
  wrote to memory of | 3488 | net.exe | 2532 | net1.exe
  wrote to memory of | 3416 | Rundll32.exe | 2988 | sc.exe
  wrote to memory of | 1964 | system.exe | 396 | Rundll32.exe
  wrote to memory of | 1640 | 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe | 2556 | 6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe"
  PID: 1640
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\system.exe
    Command line: C:\Windows\system32\system.exe
    PID: 1964
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\Rundll32.exe
      Command line: Rundll32 C:\Windows\system32\liwxogaa.dll Exucute
      PID: 3416
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\net.exe
        Command line: net stop WinDefend
        PID: 3488
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop WinDefend
          PID: 2532
          - System Location Discovery: System Language Discovery
      (depth 4) C:\Windows\SysWOW64\net.exe
        Command line: net stop MpsSvc
        PID: 3112
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MpsSvc
          PID: 2940
          - System Location Discovery: System Language Discovery
      (depth 4) C:\Windows\SysWOW64\sc.exe
        Command line: sc config WinDefend start= disabled
        PID: 2164
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
      (depth 4) C:\Windows\SysWOW64\sc.exe
        Command line: sc config MpsSvc start= disabled
        PID: 4864
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
      (depth 4) C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" stop PolicyAgent
        PID: 2988
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    (depth 3) C:\Windows\SysWOW64\Rundll32.exe
      Command line: Rundll32 C:\Windows\system32\qidaogaa.dll Exucute
      PID: 396
      - Loads dropped DLL
      - Adds Run key to start application
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  (depth 2) C:\Users\Admin\AppData\Local\Temp\6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\6fe284c5efe5f5c415641eff9f92287b_JaffaCakes118.exe
    PID: 2556
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2)
    - Windows Service (2)
Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2)
    - Windows Service (2)
Downloads