Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2024 02:57
Behavioral task
- Task: behavioral1
- Sample: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe
- Size: 72KB
- MD5: 83e4f77cae137c7bff6a24007930ea56
- SHA1: 45139cb5e3d5dfde3a190481623a66cb6716e1af
- SHA256: 3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd
- SHA512: a57d5d62a74a6d948db770f51497985b170c761f8c7ad849c9e6d8de902def26f1e8cc7c56498fb1f9c71cc84cc6b5fca5a12c703a35cb16c0cff48eb90b315c
- SSDEEP: 1536:EoD1Mth9MRwaeb4hSFqmOoy8grJKmVcl:EoD1MthMwaeb4G4ocNK8Y
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.6D
- Botnet: Default
- C2: milla.publicvm.com:6606, milla.publicvm.com:7707, milla.publicvm.com:8808
- Mutex: sdjacffkienmtfsm
- delay: 9
- install: true
- install_file: firfafox.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoCs)
  resource yara_rule: behavioral2/files/0x0007000000023ca7-11.dat family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation; Process: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe
- Executes dropped EXE (1 IoCs)
  pid 4984, Process: firfafox.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  pid 3984, Process: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4028, Process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid 1088, Process: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe (the same pid/process entry is listed 23 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; pid 1088; Process: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe
  Token: SeDebugPrivilege; pid 4984; Process: firfafox.exe
- Suspicious use of WriteProcessMemory (10 IoCs; each entry below is listed twice in the original)
  PID 1088 wrote to memory of 3916; pid 1088; Process: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe; procid_target 86
  PID 1088 wrote to memory of 2636; pid 1088; Process: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe; procid_target 88
  PID 3916 wrote to memory of 4028; pid 3916; Process: cmd.exe; procid_target 90
  PID 2636 wrote to memory of 3984; pid 2636; Process: cmd.exe; procid_target 91
  PID 2636 wrote to memory of 4984; pid 2636; Process: cmd.exe; procid_target 93
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1088
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd /tr '"C:\Users\Admin\AppData\Roaming\firfafox.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID: 3916
    - C:\Windows\system32\schtasks.exe (depth 3)
      Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd /tr '"C:\Users\Admin\AppData\Roaming\firfafox.exe"'
      - Scheduled Task/Job: Scheduled Task
      PID: 4028
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB10.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID: 2636
    - C:\Windows\system32\timeout.exe (depth 3)
      Command line: timeout 3
      - Delays execution with timeout.exe
      PID: 3984
    - C:\Users\Admin\AppData\Roaming\firfafox.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\firfafox.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 4984
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: c840622691cda33e922479805aa76b6a
  SHA1: 54a1f4640df08d54afcf94eb3b307b9de8f0f2cf
  SHA256: 3a2beac66d13ebc6e02451109b43358a1906f41b26effbf3e029e13e3a7c4442
  SHA512: 75091bcf6e1b79709e31bf9ab4e3ff9ff2b495f9cdc780145f514485625c422c4343aa61892c610e8c63c3ff81b901f37fa8e52d87e971bc325b4e6ef4231726
- Filesize: 72KB
  MD5: 83e4f77cae137c7bff6a24007930ea56
  SHA1: 45139cb5e3d5dfde3a190481623a66cb6716e1af
  SHA256: 3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd
  SHA512: a57d5d62a74a6d948db770f51497985b170c761f8c7ad849c9e6d8de902def26f1e8cc7c56498fb1f9c71cc84cc6b5fca5a12c703a35cb16c0cff48eb90b315c