Analysis
-
max time kernel
144s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27-11-2024 22:20
Static task
static1
Behavioral task
behavioral1
Sample
a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe
-
Size
61KB
-
MD5
a9e2ab65d7f6faa65564ad05c5227246
-
SHA1
f08915e84cf8831ec354c161689057f8d5ba23a8
-
SHA256
ac8d46d555122c2f076e0804c0a588ee0f0a3183f6e4364394e5a4c61a1a10eb
-
SHA512
7cfb6e91d9da3a2c8918ede594e3387e6a6751cf13cb21cbbb664da33c132e47cf2cc86ad3587a668a0c53ef6c5a370d5751f50698ce6070383ed64a56661b85
-
SSDEEP
768:Z6gBoRjl0Gjru+A4YyYAwya9LDwUzc80gmq3oP/oDR:Z6Fl5jy+A0Yrywr/0O8/o9
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Nitro family
-
Renames multiple (94) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe\"" a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Pictures\desktop.ini a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe File opened for modification C:\Users\Admin\Documents\desktop.ini a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 9 discord.com 10 discord.com 11 discord.com 6 discord.com 7 discord.com 8 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1404 a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe 1404 a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 1404 a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2460 WMIC.exe Token: SeSecurityPrivilege 2460 WMIC.exe Token: SeTakeOwnershipPrivilege 2460 WMIC.exe Token: SeLoadDriverPrivilege 2460 WMIC.exe Token: SeSystemProfilePrivilege 2460 WMIC.exe Token: SeSystemtimePrivilege 2460 WMIC.exe Token: SeProfSingleProcessPrivilege 2460 WMIC.exe Token: SeIncBasePriorityPrivilege 2460 WMIC.exe Token: SeCreatePagefilePrivilege 2460 WMIC.exe Token: SeBackupPrivilege 2460 WMIC.exe Token: SeRestorePrivilege 2460 WMIC.exe Token: SeShutdownPrivilege 2460 WMIC.exe Token: SeDebugPrivilege 2460 WMIC.exe Token: SeSystemEnvironmentPrivilege 2460 WMIC.exe Token: SeRemoteShutdownPrivilege 2460 WMIC.exe Token: SeUndockPrivilege 2460 WMIC.exe Token: SeManageVolumePrivilege 2460 WMIC.exe Token: 33 2460 WMIC.exe Token: 34 2460 WMIC.exe Token: 35 2460 WMIC.exe Token: SeIncreaseQuotaPrivilege 2460 WMIC.exe Token: SeSecurityPrivilege 2460 WMIC.exe Token: SeTakeOwnershipPrivilege 2460 WMIC.exe Token: SeLoadDriverPrivilege 2460 WMIC.exe Token: SeSystemProfilePrivilege 2460 WMIC.exe Token: SeSystemtimePrivilege 2460 WMIC.exe Token: SeProfSingleProcessPrivilege 2460 WMIC.exe Token: SeIncBasePriorityPrivilege 2460 WMIC.exe Token: SeCreatePagefilePrivilege 2460 WMIC.exe Token: SeBackupPrivilege 2460 WMIC.exe Token: SeRestorePrivilege 2460 WMIC.exe Token: SeShutdownPrivilege 2460 WMIC.exe Token: SeDebugPrivilege 2460 WMIC.exe Token: SeSystemEnvironmentPrivilege 2460 WMIC.exe Token: SeRemoteShutdownPrivilege 2460 WMIC.exe Token: SeUndockPrivilege 2460 WMIC.exe Token: SeManageVolumePrivilege 2460 WMIC.exe Token: 33 2460 WMIC.exe Token: 34 2460 WMIC.exe Token: 35 2460 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1404 wrote to memory of 572 1404 a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe 31 PID 1404 wrote to memory of 572 1404 a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe 31 PID 1404 wrote to memory of 572 1404 a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe 31 PID 1404 wrote to memory of 572 1404 a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe 31 PID 572 wrote to memory of 2460 572 cmd.exe 33 PID 572 wrote to memory of 2460 572 cmd.exe 33 PID 572 wrote to memory of 2460 572 cmd.exe 33 PID 572 wrote to memory of 2460 572 cmd.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a9e2ab65d7f6faa65564ad05c5227246_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-