Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2024 06:39
Static task
static1
Behavioral task
behavioral1
Sample
a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe
-
Size
61KB
-
MD5
a064b524a661ce56c911fb3b184c1b8d
-
SHA1
a39aaf5834308ce443b56d80b7cf28ad9eb8f2f2
-
SHA256
3d782b5f5304e058161dce64bf27fc5c28af23675ce6db1fc46386fb8f532c2b
-
SHA512
397fd0aa5e5bbb37e2cc703a81335eabdeada48fde13e100b876e7fcd3c79218dc59e533f000e7dbb1e0dc9986d98617249d327c42e9c5b19f7aeb4e2f0a238b
-
SSDEEP
768:gnbyhKtnWoRxqf7GNI4r8YLDwUzc80gmq3oP/oDY:gnbRw7Gxpr/0O8/ok
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Nitro family
-
Renames multiple (89) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe\"" a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe -
Drops desktop.ini file(s) 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\Documents\desktop.ini a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 22 discord.com 36 discord.com 15 discord.com 16 discord.com 17 discord.com 21 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 api.ipify.org 13 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2588 a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe 2588 a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 2588 a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4180 WMIC.exe Token: SeSecurityPrivilege 4180 WMIC.exe Token: SeTakeOwnershipPrivilege 4180 WMIC.exe Token: SeLoadDriverPrivilege 4180 WMIC.exe Token: SeSystemProfilePrivilege 4180 WMIC.exe Token: SeSystemtimePrivilege 4180 WMIC.exe Token: SeProfSingleProcessPrivilege 4180 WMIC.exe Token: SeIncBasePriorityPrivilege 4180 WMIC.exe Token: SeCreatePagefilePrivilege 4180 WMIC.exe Token: SeBackupPrivilege 4180 WMIC.exe Token: SeRestorePrivilege 4180 WMIC.exe Token: SeShutdownPrivilege 4180 WMIC.exe Token: SeDebugPrivilege 4180 WMIC.exe Token: SeSystemEnvironmentPrivilege 4180 WMIC.exe Token: SeRemoteShutdownPrivilege 4180 WMIC.exe Token: SeUndockPrivilege 4180 WMIC.exe Token: SeManageVolumePrivilege 4180 WMIC.exe Token: 33 4180 WMIC.exe Token: 34 4180 WMIC.exe Token: 35 4180 WMIC.exe Token: 36 4180 WMIC.exe Token: SeIncreaseQuotaPrivilege 4180 WMIC.exe Token: SeSecurityPrivilege 4180 WMIC.exe Token: SeTakeOwnershipPrivilege 4180 WMIC.exe Token: SeLoadDriverPrivilege 4180 WMIC.exe Token: SeSystemProfilePrivilege 4180 WMIC.exe Token: SeSystemtimePrivilege 4180 WMIC.exe Token: SeProfSingleProcessPrivilege 4180 WMIC.exe Token: SeIncBasePriorityPrivilege 4180 WMIC.exe Token: SeCreatePagefilePrivilege 4180 WMIC.exe Token: SeBackupPrivilege 4180 WMIC.exe Token: SeRestorePrivilege 4180 WMIC.exe Token: SeShutdownPrivilege 4180 WMIC.exe Token: SeDebugPrivilege 4180 WMIC.exe Token: SeSystemEnvironmentPrivilege 4180 WMIC.exe Token: SeRemoteShutdownPrivilege 4180 WMIC.exe Token: SeUndockPrivilege 4180 WMIC.exe Token: SeManageVolumePrivilege 4180 WMIC.exe Token: 33 4180 WMIC.exe Token: 34 4180 WMIC.exe Token: 35 4180 WMIC.exe Token: 36 4180 WMIC.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2588 wrote to memory of 4500 2588 a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe 82 PID 2588 wrote to memory of 4500 2588 a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe 82 PID 2588 wrote to memory of 4500 2588 a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe 82 PID 4500 wrote to memory of 4180 4500 cmd.exe 84 PID 4500 wrote to memory of 4180 4500 cmd.exe 84 PID 4500 wrote to memory of 4180 4500 cmd.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a064b524a661ce56c911fb3b184c1b8d_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4180
-
-