Analysis
-
max time kernel
49s -
max time network
62s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
31/10/2024, 12:25
Static task
static1
Behavioral task
behavioral1
Sample
83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Errors
General
-
Target
83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe
-
Size
2.8MB
-
MD5
83035d6f6c95bbee91cebfda3ce8e717
-
SHA1
c276fb8f9c498adcbfcae06e87cf1ec63f9795cc
-
SHA256
039f49f63a4173ed8451b471eef7fa40a3354fc6353213d59a51936dabfc6760
-
SHA512
45ed62ce82c24914441b1bd69bff75b5b627895abf3a9bd29edcaca68f3a45ca80e87d78db293d6b681c5e4e40dda2dd5c0ce4234f5b4872a3d7f0b34978dbaf
-
SSDEEP
49152:I7IU6ivGtlqaVwASOrfmrTEbTRjkek2FjufBaCOh5PaOcegDxpVodPgN2gh4E+gx:/+Y39mHqWN2K4E+gPdo
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\windows\system32\drivers\appld.sys 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 2340 gkq2l64hj8.exe 3796 kfd1uqptmt.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 3312 sc.exe 1020 sc.exe 2464 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4404 reg.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2340 gkq2l64hj8.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target
PID 5072 wrote to memory of 2340 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 94
PID 5072 wrote to memory of 2340 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 94
PID 5072 wrote to memory of 5060 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 96
PID 5072 wrote to memory of 5060 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 96
PID 5060 wrote to memory of 3948 5060 cmd.exe 100
PID 5060 wrote to memory of 3948 5060 cmd.exe 100
PID 5060 wrote to memory of 3832 5060 cmd.exe 101
PID 5060 wrote to memory of 3832 5060 cmd.exe 101
PID 5060 wrote to memory of 444 5060 cmd.exe 102
PID 5060 wrote to memory of 444 5060 cmd.exe 102
PID 5060 wrote to memory of 3996 5060 cmd.exe 103
PID 5060 wrote to memory of 3996 5060 cmd.exe 103
PID 5060 wrote to memory of 4636 5060 cmd.exe 104
PID 5060 wrote to memory of 4636 5060 cmd.exe 104
PID 5060 wrote to memory of 4404 5060 cmd.exe 105
PID 5060 wrote to memory of 4404 5060 cmd.exe 105
PID 5060 wrote to memory of 1992 5060 cmd.exe 106
PID 5060 wrote to memory of 1992 5060 cmd.exe 106
PID 5060 wrote to memory of 1732 5060 cmd.exe 107
PID 5060 wrote to memory of 1732 5060 cmd.exe 107
PID 5060 wrote to memory of 2444 5060 cmd.exe 108
PID 5060 wrote to memory of 2444 5060 cmd.exe 108
PID 5060 wrote to memory of 2880 5060 cmd.exe 109
PID 5060 wrote to memory of 2880 5060 cmd.exe 109
PID 5060 wrote to memory of 2124 5060 cmd.exe 110
PID 5060 wrote to memory of 2124 5060 cmd.exe 110
PID 5060 wrote to memory of 1100 5060 cmd.exe 111
PID 5060 wrote to memory of 1100 5060 cmd.exe 111
PID 5060 wrote to memory of 2476 5060 cmd.exe 112
PID 5060 wrote to memory of 2476 5060 cmd.exe 112
PID 5060 wrote to memory of 3304 5060 cmd.exe 113
PID 5060 wrote to memory of 3304 5060 cmd.exe 113
PID 5060 wrote to memory of 4832 5060 cmd.exe 114
PID 5060 wrote to memory of 4832 5060 cmd.exe 114
PID 5060 wrote to memory of 2708 5060 cmd.exe 115
PID 5060 wrote to memory of 2708 5060 cmd.exe 115
PID 5072 wrote to memory of 3796 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 120
PID 5072 wrote to memory of 3796 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 120
PID 3796 wrote to memory of 3900 3796 kfd1uqptmt.exe 122
PID 3796 wrote to memory of 3900 3796 kfd1uqptmt.exe 122
PID 5072 wrote to memory of 3312 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 123
PID 5072 wrote to memory of 3312 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 123
PID 5072 wrote to memory of 1020 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 125
PID 5072 wrote to memory of 1020 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 125
PID 5072 wrote to memory of 2464 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 127
PID 5072 wrote to memory of 2464 5072 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe 127
PID 5060 wrote to memory of 4812 5060 cmd.exe 133
PID 5060 wrote to memory of 4812 5060 cmd.exe 133
Processes
-
C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 5072
    C:\Users\Admin\AppData\Local\Temp\gkq2l64hj8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\gkq2l64hj8.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2340
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b135idns21.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 5060
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk\Security" /f
          PID: 3948
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk" /f
          PID: 3832
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc\Security" /f
          PID: 444
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc" /f
          PID: 3996
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard" /f
          PID: 4636
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT-Win64-Shipping.exe" /f
          - System Network Configuration Discovery: Internet Connection Discovery
          PID: 4404
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count" /f
          PID: 1992
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" /f
          PID: 1732
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count" /f
          PID: 2444
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /f
          PID: 2880
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count" /f
          PID: 2124
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count" /f
          PID: 1100
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count" /f
          PID: 2476
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count" /f
          PID: 3304
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count" /f
          PID: 4832
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_CLASSES_ROOT\riotclient" /f
          PID: 2708
        C:\Windows\system32\reg.exe
          Command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
          PID: 4812
    C:\Users\Admin\AppData\Local\Temp\kfd1uqptmt.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\kfd1uqptmt.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3796
        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Color 97
          PID: 3900
    C:\Windows\SYSTEM32\sc.exe
      Command line: sc stop appld
      - Launches sc.exe
      PID: 3312
    C:\Windows\SYSTEM32\sc.exe
      Command line: sc delete appld
      - Launches sc.exe
      PID: 1020
    C:\Windows\SYSTEM32\sc.exe
      Command line: sc create appld binpath= C:\windows\system32\drivers\appld.sys type= kernel start= boot
      - Launches sc.exe
      PID: 2464
    C:\Windows\System32\shutdown.exe
      Command line: C:\Windows\System32\shutdown /r /t 0
      PID: 3912
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38ac855 /state1:0x41c64e6d
  PID: 648
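The process tree above is a compact chain worth turning into detection logic: the sample drops appld.sys into the drivers directory, runs a batch file that deletes the vgk/vgc service keys (Riot Vanguard's driver and client services) and a set of UserAssist and HardwareConfig keys via reg.exe, then stops/deletes/re-creates a boot-start kernel service named appld pointing at the dropped file, and reboots immediately with shutdown /r /t 0. The following is an added example, not part of the sandbox report: the process records are transcribed from the tree above (pid, parent pid, command line), while the rule names, severities and the Finding type are this example's own and not fields of the report. It flags the kernel-driver service creation, the registry-level service removal, the UserAssist/HardwareConfig deletions, and a reboot issued by the same parent that installed the driver.

```python
"""Triage rules for the sc.exe / reg.exe / shutdown chain seen in the process tree.

Added example; not part of the sandbox report. PROCESSES is transcribed from
the report's process tree. Rule names, severities and the Finding type are
this example's own invention.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    severity: str
    detail: str


# Transcribed from the report's process tree (a representative subset of the
# UserAssist deletions is enough; the others have the same form).
PROCESSES = [
    Proc(5072, 0, r'"C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe"'),
    Proc(2340, 5072, r'"C:\Users\Admin\AppData\Local\Temp\gkq2l64hj8.exe"'),
    Proc(5060, 5072, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b135idns21.bat" "'),
    Proc(3948, 5060, r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk\Security" /f'),
    Proc(3832, 5060, r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk" /f'),
    Proc(444, 5060, r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc\Security" /f'),
    Proc(3996, 5060, r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc" /f'),
    Proc(4636, 5060, r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard" /f'),
    Proc(1992, 5060, r'reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count" /f'),
    Proc(4832, 5060, r'reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count" /f'),
    Proc(2708, 5060, r'reg delete "HKEY_CLASSES_ROOT\riotclient" /f'),
    Proc(4812, 5060, r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f'),
    Proc(3796, 5072, r'"C:\Users\Admin\AppData\Local\Temp\kfd1uqptmt.exe"'),
    Proc(3312, 5072, r'sc stop appld'),
    Proc(1020, 5072, r'sc delete appld'),
    Proc(2464, 5072, r'sc create appld binpath= C:\windows\system32\drivers\appld.sys type= kernel start= boot'),
    Proc(3912, 5072, r'C:\Windows\System32\shutdown /r /t 0'),
]

# sc.exe syntax is "key= value" (space after the equals sign), so the option
# parser tolerates whitespace between "=" and the value.
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+)\s*(?P<args>.*)$", re.I)
SC_KV = re.compile(r'(?P<k>\w+)=\s*(?P<v>"[^"]*"|\S+)')
REG_DELETE = re.compile(r'\breg(?:\.exe)?\s+delete\s+"(?P<key>[^"]+)"', re.I)
SHUTDOWN_REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b(?=.*\s/r\b)", re.I)

# Registry targets that matter: service keys (removing a service behind the
# SCM's back), UserAssist execution history, and the HardwareConfig hive.
SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)(?:\\Security)?$", re.I)
USERASSIST_KEY = re.compile(r"\\Explorer\\UserAssist\\\{[0-9A-F-]+\}\\Count$", re.I)
HARDWARECONFIG_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\HardwareConfig$", re.I)


def analyze(procs):
    """Return a list of Finding for the given process records."""
    findings = []
    driver_installers = set()  # parent pids that spawned a kernel-driver "sc create"
    for p in procs:
        m = SC_CREATE.search(p.cmdline)
        if m:
            opts = {k.lower(): v.strip('"') for k, v in SC_KV.findall(m.group("args"))}
            if opts.get("type", "").lower() == "kernel":
                start = opts.get("start", "demand").lower()  # sc's default start type
                findings.append(Finding(
                    "kernel_driver_service_created", p.pid,
                    "high" if start == "boot" else "medium",
                    f"{m.group('name')} -> {opts.get('binpath')} (start={start})"))
                driver_installers.add(p.ppid)
            continue
        m = REG_DELETE.search(p.cmdline)
        if m:
            key = m.group("key")
            if SERVICE_KEY.match(key):
                findings.append(Finding("service_key_deleted", p.pid, "high", key))
            elif USERASSIST_KEY.search(key):
                findings.append(Finding("userassist_cleared", p.pid, "medium", key))
            elif HARDWARECONFIG_KEY.match(key):
                findings.append(Finding("hardwareconfig_deleted", p.pid, "medium", key))
    # Correlation: a reboot issued by the same parent that just registered a
    # boot-start driver is what activates the driver on next boot.
    for p in procs:
        if SHUTDOWN_REBOOT.search(p.cmdline) and p.ppid in driver_installers:
            findings.append(Finding("reboot_after_driver_install", p.pid, "high", p.cmdline))
    return findings


def by_rule(findings):
    """Group finding pids by rule name, sorted, for quick assertions and reports."""
    out = defaultdict(list)
    for f in findings:
        out[f.rule].append(f.pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


if __name__ == "__main__":
    for f in analyze(PROCESSES):
        print(f"[{f.severity}] {f.rule} pid={f.pid}: {f.detail}")
```

The rules key on command lines only, so they apply equally to Sysmon event 1 or EDR process-creation telemetry; in a live hunt the same parent/child correlation is what separates this sequence from a legitimate driver installer, which does not typically delete another vendor's service keys with reg.exe before rebooting. Note that `sc stop` and `sc delete` on their own are not flagged; only the `type= kernel` creation is.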
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
8KB
MD5
ff773fbe0ab771b04b82316c89f20654
SHA1
d37bcca4ff0d80d5d02d4e5ab942a945edfb0fba
SHA256
f4907982695edaf608648b6e1984a0aea68057d428cbc82ebceba3d3074cfb7b
SHA512
528dc36c1e03650f57a8cf63e5d3c637290c5c450343065ab2cfc034d60114362953d144115e35956a8a34d2442ebfb4ca2c95943d8dd0f9f0eb58e563c7f313
-
Filesize
126KB
MD5
8eded2a6dd7097e60abfa7292d3b23c0
SHA1
099688e74e257495636c96b34b2d59724c271a8c
SHA256
1b48f91b77fc85eec79786f908e0eaeff050cdaee49471ee0c2be92e05c972bd
SHA512
1733b6e583ad92a64ba2a561c7c5b333df2f59b1aec97d7627a9e257acdcb553e9907fe701a4bb094f4b4ec44b04f50f833ccfe11d5dbf171e9fd5fe1db7397d
-
Filesize
343KB
MD5
060f3da224758a17ba766353dccd4d82
SHA1
b58ba5133ecb4ed8968733b2207058505fbefdf3
SHA256
9ef5644ff3befc763b4ab7b8bf0ba7e8ebda43d98e5e8d753f95fe9cdaec7645
SHA512
af06364339814b4c9058f3acf2214842e381f988f87b4b694bcb06cb55cf749d76e117ef2fc4a0f80c530d0ef51e6ee3171045d37a260e6456c0f363b41baaa7