Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19-12-2024 01:21
Static task
static1
Behavioral task
behavioral1
Sample
fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe
-
Size
4.9MB
-
MD5
fddfeed85f23b84971cea9b28a9f4744
-
SHA1
fe5fb6eda0f25239bc0b83c8b50bfbad95f74386
-
SHA256
dbed3399932fabe6f7f863403279ac9a6b075aa307dd445df2c7060157d3063b
-
SHA512
ceec384f751e31492856ba70aad450c94b7c1f06e2acae8eb514d7b1facb6a0a5ff3ee28f6da264834829c3de9456017c46e4d63db7f54c1ab12d5985294832b
-
SSDEEP
768:E7uMqCXfB0nnpnkWCANIUazGLDwUzc80gmq3oP/oDH:E7uDn1k5APHr/0O8/oj
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Nitro family
-
Renames multiple (65) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe\"" fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Pictures\desktop.ini fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe File opened for modification C:\Users\Admin\Documents\desktop.ini fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 6 discord.com 7 discord.com 8 discord.com 9 discord.com 10 discord.com 11 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2772 fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe 2772 fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2772 fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2780 WMIC.exe Token: SeSecurityPrivilege 2780 WMIC.exe Token: SeTakeOwnershipPrivilege 2780 WMIC.exe Token: SeLoadDriverPrivilege 2780 WMIC.exe Token: SeSystemProfilePrivilege 2780 WMIC.exe Token: SeSystemtimePrivilege 2780 WMIC.exe Token: SeProfSingleProcessPrivilege 2780 WMIC.exe Token: SeIncBasePriorityPrivilege 2780 WMIC.exe Token: SeCreatePagefilePrivilege 2780 WMIC.exe Token: SeBackupPrivilege 2780 WMIC.exe Token: SeRestorePrivilege 2780 WMIC.exe Token: SeShutdownPrivilege 2780 WMIC.exe Token: SeDebugPrivilege 2780 WMIC.exe Token: SeSystemEnvironmentPrivilege 2780 WMIC.exe Token: SeRemoteShutdownPrivilege 2780 WMIC.exe Token: SeUndockPrivilege 2780 WMIC.exe Token: SeManageVolumePrivilege 2780 WMIC.exe Token: 33 2780 WMIC.exe Token: 34 2780 WMIC.exe Token: 35 2780 WMIC.exe Token: SeIncreaseQuotaPrivilege 2780 WMIC.exe Token: SeSecurityPrivilege 2780 WMIC.exe Token: SeTakeOwnershipPrivilege 2780 WMIC.exe Token: SeLoadDriverPrivilege 2780 WMIC.exe Token: SeSystemProfilePrivilege 2780 WMIC.exe Token: SeSystemtimePrivilege 2780 WMIC.exe Token: SeProfSingleProcessPrivilege 2780 WMIC.exe Token: SeIncBasePriorityPrivilege 2780 WMIC.exe Token: SeCreatePagefilePrivilege 2780 WMIC.exe Token: SeBackupPrivilege 2780 WMIC.exe Token: SeRestorePrivilege 2780 WMIC.exe Token: SeShutdownPrivilege 2780 WMIC.exe Token: SeDebugPrivilege 2780 WMIC.exe Token: SeSystemEnvironmentPrivilege 2780 WMIC.exe Token: SeRemoteShutdownPrivilege 2780 WMIC.exe Token: SeUndockPrivilege 2780 WMIC.exe Token: SeManageVolumePrivilege 2780 WMIC.exe Token: 33 2780 WMIC.exe Token: 34 2780 WMIC.exe Token: 35 2780 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2772 wrote to memory of 2860 2772 fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe 30 PID 2772 wrote to memory of 2860 2772 fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe 30 PID 2772 wrote to memory of 2860 2772 fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe 30 PID 2772 wrote to memory of 2860 2772 fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe 30 PID 2860 wrote to memory of 2780 2860 cmd.exe 32 PID 2860 wrote to memory of 2780 2860 cmd.exe 32 PID 2860 wrote to memory of 2780 2860 cmd.exe 32 PID 2860 wrote to memory of 2780 2860 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fddfeed85f23b84971cea9b28a9f4744_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-