Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-10-2024 09:38
Static task
static1
Behavioral task
behavioral1
Sample
73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
-
Size
691KB
-
MD5
73267c2a412170b3f3df33616b1e1e8e
-
SHA1
bcc8e0537ea776cf75ea83aec75130fc5ba36b43
-
SHA256
4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3
-
SHA512
3354d9f68f4e4ba5a1d88d9d1c9e8cb8f2067f7a03bf1b60d7658b9a036d642f64d35a98ae13115795e2078dff1fbf94dfed4e71c5134b6f24600366d7d6e13e
-
SSDEEP
12288:4KmX4064w0jAQrjnY8/V1Ng6U+VAqEr4viIrvLZo4P84ldlBGPMmLbAEWBvB7:4KCR3Pzg6U+Qk97G4P84dX0Mmv5WVB
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3192 netsh.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcd9e400682bb0f4003b0aee2047a5cb.exe RuntimeBroker.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcd9e400682bb0f4003b0aee2047a5cb.exe RuntimeBroker.exe -
Executes dropped EXE 3 IoCs
pid Process 4936 Insidious.exe 4676 RuntimeBroker.exe 3164 RuntimeBroker.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcd9e400682bb0f4003b0aee2047a5cb = "\"C:\\Windows\\RuntimeBroker.exe\" .." RuntimeBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fcd9e400682bb0f4003b0aee2047a5cb = "\"C:\\Windows\\RuntimeBroker.exe\" .." RuntimeBroker.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 freegeoip.app 9 freegeoip.app -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\RuntimeBroker.exe RuntimeBroker.exe File opened for modification C:\Windows\RuntimeBroker.exe RuntimeBroker.exe File opened for modification C:\Windows\RuntimeBroker.exe RuntimeBroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RuntimeBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RuntimeBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1940 cmd.exe 3792 PING.EXE 3572 PING.EXE -
System Time Discovery 1 TTPs 1 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
pid Process 3192 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Insidious.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Insidious.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 3792 PING.EXE 3572 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4936 Insidious.exe 4936 Insidious.exe 4936 Insidious.exe 4936 Insidious.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe 3164 RuntimeBroker.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3164 RuntimeBroker.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 4936 Insidious.exe Token: SeDebugPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe Token: 33 3164 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 3164 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3936 wrote to memory of 4936 3936 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 86 PID 3936 wrote to memory of 4936 3936 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 86 PID 3936 wrote to memory of 4676 3936 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 87 PID 3936 wrote to memory of 4676 3936 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 87 PID 3936 wrote to memory of 4676 3936 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 87 PID 3936 wrote to memory of 1940 3936 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 88 PID 3936 wrote to memory of 1940 3936 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 88 PID 1940 wrote to memory of 3792 1940 cmd.exe 91 PID 1940 wrote to memory of 3792 1940 cmd.exe 91 PID 1940 wrote to memory of 3572 1940 cmd.exe 92 PID 1940 wrote to memory of 3572 1940 cmd.exe 92 PID 4676 wrote to memory of 3164 4676 RuntimeBroker.exe 99 PID 4676 wrote to memory of 3164 4676 RuntimeBroker.exe 99 PID 4676 wrote to memory of 3164 4676 RuntimeBroker.exe 99 PID 3164 wrote to memory of 3192 3164 RuntimeBroker.exe 104 PID 3164 wrote to memory of 3192 3164 RuntimeBroker.exe 104 PID 3164 wrote to memory of 3192 3164 RuntimeBroker.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936
-
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\RuntimeBroker.exe"C:\Windows\RuntimeBroker.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:3192
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 1003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3792
-
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 9003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3572
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b6e1b19fd6283ea8363e5c6c257c4513
SHA15e9409bccd2f1a760f9c4578f22ca081aa90f5fd
SHA256a3e3bde835c0a96b67272f53a3855095fd18288d548fe68cda303038b53a673f
SHA512a470b61bd2688b0eda2904d409fe010511e54c45467cce664f78c89c4521c325771342bfa8395233ea0521d64057fb09d01482a44c3172d7f85290e21c83436a
-
Filesize
319B
MD5da4fafeffe21b7cb3a8c170ca7911976
SHA150ef77e2451ab60f93f4db88325b897d215be5ad
SHA2567341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7
SHA5120bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6
-
Filesize
328KB
MD5f6639aa0f7e43cf09431850b3f473238
SHA13c7740ceacf062f8d71095bb440e280fdd3372ec
SHA256870859b15395ba5c50bffd2e90b230d4ebc890c9ba8f674f87862b22254ec25e
SHA5121e3fb39565e8d8f7c20e750735d79b06a97d49dbdae541f0e8e4fc97cff190d12e6bca77cef7d0018fe23f8c656d024766a05655ad6d18cdadaee2ded2b75d94
-
Filesize
260KB
MD51acabd72a026449937fc1cd16d0b5423
SHA1809ea7e21d0e3d80a6445c245daa2e018a417126
SHA25681634c88831adcb3e44d92ecd2e2a4534b50cf2d7bf001a02d68faa5d9a92bc2
SHA51240fcccd3b7aac5c5ff1bbfb2e491c4f8106e44f6e5c373b590ef2474469c8c25f44725c7d6310a242be7bec9aede4e02fa5196358d45ee620e4228866cbebb1d