Analysis
- max time kernel: 134s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/10/2024, 13:33
Behavioral task: behavioral1
- Sample: 7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe
- Size: 26KB
- MD5: 7f613c411aad6b58617e38cc4b1b4c85
- SHA1: 23410f4e6f6747a2b5cda5d17e16436d57e78404
- SHA256: e4ebf230fc93ac36cdd5bf0ab54ecf0826463cfc347b7bbfb285358b03baf371
- SHA512: 3a053b666b813b5582a4ed5637d792452fa12b4bafc95bacf87a6d8ddad3bee1f62b45ede6ce604f30c3f1f13db48f58117d30ce17744dc2784fc0b438a415d6
- SSDEEP: 384:hC0qXGBiy6zJwTsFXE2sqEFxIb9HY7QsRem2dSst6BoYPHgYwhoSkf0:k0vAdFMsFST89HY7QsYdkfYb/
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource / yara_rule:
  - behavioral2/files/0x0007000000023c9e-4.dat: acprotect
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe)
- Loads dropped DLL (1 IoC)
  pid / Process:
  - 832: 7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- resource / yara_rule:
  - behavioral2/memory/832-0-0x0000000000400000-0x0000000000409000-memory.dmp: upx
  - behavioral2/files/0x0007000000023c9e-4.dat: upx
  - behavioral2/memory/832-5-0x0000000010000000-0x0000000010012000-memory.dmp: upx
  - behavioral2/memory/832-11-0x0000000010000000-0x0000000010012000-memory.dmp: upx
  - behavioral2/memory/832-10-0x0000000000400000-0x0000000000409000-memory.dmp: upx
- Drops file in Windows directory (2 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\Windows\fOnts\CSzZ3gVtf.Ttf (7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\fonts\zEfE48cw9EmcFaR.fon (7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Modifies registry class (7 IoCs)
  description / ioc / Process (all by 7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32\ThreadingModel = "Apartment"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32\ = "C:\\Windows\\fonts\\zEfE48cw9EmcFaR.fon"
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process:
  - 832: 7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe (6 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege, 832, 7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
  - 832: 7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  - PID 832 wrote to memory of 1108: 832, 7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe, 93 (3 identical entries)
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f613c411aad6b58617e38cc4b1b4c85_JaffaCakes118.exe"
  PID: 832
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7F613C~1.EXE >> NUL
    PID: 1108
    - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 20KB
- MD5: 584f0041fd2b2e6a8af0db1dd279cfc0
- SHA1: 10935bc357f56074a0e0bdcdf82dd9ce6cd11585
- SHA256: 7d62e1e1f60b63126caa22299a379337f310a93328b142ade02a8bcbbccbdf3d
- SHA512: e4c790fc969a1881a187036d6173e26184243203de3476f6d4bd3c01ca8abce2a61989b7bd05c96dfc224058ab6280b10a44527b02e84cf5b2e2c6179297257f