Analysis
max time kernel: 140s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 01:19
Static task: static1
Behavioral task: behavioral1
Sample: 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Size: 195KB
MD5: 8e70b7105035839b36c4af79ab9dc3e7
SHA1: ec864e373d03cd56b1ec2ec3ddda159eed49c66c
SHA256: e0ba5fab6b8c8001696856c0e1255fbeb1589925b4fdf4561f05dbef000b06a9
SHA512: a4dec9c687a8dda095c9a5b413a9de2d15f588d4227fa8212db7bca647c3eed97faec27d08db07c66ef1d1e211f4e74efeb3b721b0ed7dfe3ff3986e88d6524a
SSDEEP: 3072:rpzRNYuluupWyvbOijh7UAoaI52pySvl3nW0CWcscGF8ZHmt4qB8lGpC9SSK1nD:rZRvupm9UX5WflXW5Wc88wG7GpC9yt
Malware Config
Signatures
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\nsinet.exe | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\nsinet.exe | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
UPX packed file 3 IoCs
resource | yara_rule
behavioral2/memory/1516-3-0x0000000010000000-0x000000001004C000-memory.dmp | upx
behavioral2/memory/1516-4-0x0000000010000000-0x000000001004C000-memory.dmp | upx
behavioral2/memory/1516-1-0x0000000010000000-0x000000001004C000-memory.dmp | upx
Drops file in Program Files directory 12 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Instant Access\DesktopIcons\NoCreditCard.lnk | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Program Files (x86)\Instant Access\Center\NoCreditCard.lnk | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button1.gif | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button4.gif | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button3.gif | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\js\js_api_dialer.php | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\dialerexe.ini | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\Common\module.php | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button2.gif | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\dialer.ico | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\instant access.exe | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Instant Access\Center\NoCreditCard.lnk | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\dialexe.zl | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Windows\dialexe.epk | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
File created | C:\Windows\dialerexe.ini | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9} | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32 | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32\ = "C:\\Windows\\SysWow64\\nsinet.exe /run" | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1516 | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
1516 | 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Processes
Process: C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe"
PID: 1516
Signatures:
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx

Process: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 332
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: c2abc8d78153f0af3ed8dfd28fde7012
SHA1: 046e93d5ffde6cc19f4003972ce03979a763eff3
SHA256: 59d3699e07144dd3dc71e2b2be331ec9c8d9e2f734d17021680b4e31bd40386b
SHA512: 426c7acee0993a360bc5e1b8297835b5a4f963ff07bb79c07a87bda80a6192ffff5b2779b5105ba12591259ee675bb262ce1c7c77992307369bc254673361a60

Filesize: 195KB
MD5: 8e70b7105035839b36c4af79ab9dc3e7
SHA1: ec864e373d03cd56b1ec2ec3ddda159eed49c66c
SHA256: e0ba5fab6b8c8001696856c0e1255fbeb1589925b4fdf4561f05dbef000b06a9
SHA512: a4dec9c687a8dda095c9a5b413a9de2d15f588d4227fa8212db7bca647c3eed97faec27d08db07c66ef1d1e211f4e74efeb3b721b0ed7dfe3ff3986e88d6524a

Filesize: 680B
MD5: 9a9b71d41b964aa053d25f020edcc118
SHA1: 6a885fc6ceb994f43a1f41723156e83101f35b05
SHA256: c44ddfc857788d4a937db7940aecedc7a99afe13ca8f936247d0eb6566b8bca9
SHA512: a4af3e4f11e4669067324ae8643aba7a7da6bad170bbb7914d3bdb96e9a889f6b9378269b444c41b44cad02f3abad751a9d2c3da83c8194fbb27efe32122ee64