Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2024 16:38
Static task: static1
Behavioral task: behavioral1
  Sample: a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe
Size: 5.9MB
MD5: a8bfe7df2f4d9b547c4e85ccc89973f4
SHA1: 270fe328a8a70efffa1419e906c1aea6055be3ac
SHA256: e5cba6c7c3799af656089ca87949fd6e80cb7b52f1cce0e6c90a74cc4b7b4c9e
SHA512: 9ff7c2ced52a2de40b15f8e5007123f32dc0211d904f4e714fa9612043d304f30f24941b3bb46f82901f5633fec8446ef9626a1c3f569065198eb74dde2d9742
SSDEEP: 98304:GvxwIPd8ETSTQcxfHdqCWS13hr1E9TrmRsb4tUPexufd8biYsSmq8Ydpe:RanuDMCWSLhE9TySUtUPecmmSp7
Malware Config
Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | 3145b269852241f7a2dcb0250988b3cb.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 3145b269852241f7a2dcb0250988b3cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | 3145b269852241f7a2dcb0250988b3cb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 3145b269852241f7a2dcb0250988b3cb.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F37038-JMI8-6BFP-03JI-OXT217W6IA34} | 3145b269852241f7a2dcb0250988b3cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F37038-JMI8-6BFP-03JI-OXT217W6IA34}\StubPath = "C:\\Windows\\system32\\install\\WindiwsBackup.exe Restart" | 3145b269852241f7a2dcb0250988b3cb.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe

Executes dropped EXE 3 IoCs
pid | Process
3528 | 1a88d8bf6cca42e3afa16e66b06b738e.exe
4260 | 3145b269852241f7a2dcb0250988b3cb.exe
3980 | WindiwsBackup.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | 3145b269852241f7a2dcb0250988b3cb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\WindiwsBackup.exe" | 3145b269852241f7a2dcb0250988b3cb.exe

Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\install\WindiwsBackup.exe | 3145b269852241f7a2dcb0250988b3cb.exe
File opened for modification | C:\Windows\SysWOW64\install\WindiwsBackup.exe | 3145b269852241f7a2dcb0250988b3cb.exe

resource | yara_rule
behavioral2/memory/4260-32-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral2/memory/4260-36-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/4260-99-0x0000000010480000-0x00000000104E5000-memory.dmp | upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
3048 | 3980 | WerFault.exe | 87

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1a88d8bf6cca42e3afa16e66b06b738e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3145b269852241f7a2dcb0250988b3cb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WindiwsBackup.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1156 | vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4260 | 3145b269852241f7a2dcb0250988b3cb.exe
4260 | 3145b269852241f7a2dcb0250988b3cb.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1156 | vlc.exe
4940 | explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: 33 | 2932 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2932 | AUDIODG.EXE
Token: 33 | 1156 | vlc.exe
Token: SeIncBasePriorityPrivilege | 1156 | vlc.exe
Token: SeBackupPrivilege | 4940 | explorer.exe
Token: SeRestorePrivilege | 4940 | explorer.exe
Token: SeDebugPrivilege | 4940 | explorer.exe
Token: SeDebugPrivilege | 4940 | explorer.exe

Suspicious use of FindShellTrayWindow 7 IoCs
pid | Process
4260 | 3145b269852241f7a2dcb0250988b3cb.exe
1156 | vlc.exe
1156 | vlc.exe
1156 | vlc.exe
1156 | vlc.exe
1156 | vlc.exe
1156 | vlc.exe

Suspicious use of SendNotifyMessage 5 IoCs
pid | Process
1156 | vlc.exe
1156 | vlc.exe
1156 | vlc.exe
1156 | vlc.exe
1156 | vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1156 | vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3700 wrote to memory of 3528 | 3700 | a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe | 82
PID 3700 wrote to memory of 1156 | 3700 | a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe | 83
PID 3700 wrote to memory of 4260 | 3700 | a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe | 84
PID 4260 wrote to memory of 3408 | 4260 | 3145b269852241f7a2dcb0250988b3cb.exe | 55

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID:3408
    C:\Users\Admin\AppData\Local\Temp\a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a8bfe7df2f4d9b547c4e85ccc89973f4_JaffaCakes118.exe"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID:3700
        C:\Users\Admin\AppData\Local\Temp\1a88d8bf6cca42e3afa16e66b06b738e.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1a88d8bf6cca42e3afa16e66b06b738e.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:3528
        C:\Program Files\VideoLAN\VLC\vlc.exe
          Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\e4657175d7d74e2186ed653b66ded75b.mp3"
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          PID:1156
        C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\3145b269852241f7a2dcb0250988b3cb.exe"
          - Adds policy Run key to start application
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID:4260
            C:\Windows\SysWOW64\explorer.exe
              Command line: explorer.exe
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              PID:4940
                C:\Windows\SysWOW64\install\WindiwsBackup.exe
                  Command line: "C:\Windows\system32\install\WindiwsBackup.exe"
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  PID:3980
                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 580
                      - Program crash
                      PID:3048

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x41c 0x2f8
  - Suspicious use of AdjustPrivilegeToken
  PID:2932

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3980 -ip 3980
  PID:4404

Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads