Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-01-2025 11:00
General
-
Target
JaffaCakes118_a7f4b80020aeb7b9520a14d71db373fd.exe
-
Size
854KB
-
MD5
a7f4b80020aeb7b9520a14d71db373fd
-
SHA1
66d1f6d50510940ba6f3e16360df402300db2d88
-
SHA256
7756fa478a5463d5abca6d3989c2c4251446803dc4ed1b0a9f69e60358f966cb
-
SHA512
4e5b2a2ca18e3800c7681f80639955a017c3312e7f612880007f72e8603b24bbaa6fb4df5ecbc7503227ca99a795915dc8a89e141f2e87716e2a202f56dccdea
-
SSDEEP
12288:ljeMYfumEQVCZ+03R7LpjR1qGd+N0+j6HurTik77nGJQWMpnXxcq029iA:lhNPj1pjR1qGN+j6G+OSe5pnXxb029
Malware Config
Signatures
-
UAC bypass 3 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 17 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a7f4b80020aeb7b9520a14d71db373fd.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a7f4b80020aeb7b9520a14d71db373fd.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Netsh.exe"Netsh" Advfirewall set Currentprofile State off3⤵
- Modifies Windows Firewall
- Loads dropped DLL
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 10164⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 4965⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 12204⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Furzmaschine Pro.exe"C:\Users\Admin\AppData\Local\Temp\Furzmaschine Pro.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\furtzpro.exe"C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\furtzpro.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SYSTEM32\Netsh.exe"Netsh" Advfirewall set Currentprofile State off2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4916 -ip 49161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 840 -ip 8401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 9121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 912 -ip 9121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 912 -ip 9121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 840 -ip 8401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 840 -ip 8401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4916 -ip 49161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2512 -ip 25121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2512 -ip 25121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2512 -ip 25121⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
492KB
MD57d232986f0c7a2dd9ea13a486b80f7d8
SHA187a69e35bf522e3fc9b457ae64bc68b9a5a816c7
SHA256c1b363824f411c78259109f86f22da0847be527adc5012d466485c757fcded46
SHA512b608a24f65ab1791ca8b162b7901f97be83dbefeada2ed5f08ec429d7b95e52129201cb11631ebb8bc4e03c74f2466db831c93a80961b3ad39c13d6dfcd3f050
-
Filesize
553KB
MD59d55b51dad288fc6e44e6983677c699d
SHA182754b94ea643314906ebb8941c91b0deaa41612
SHA25682517e561ed54fcc47ae29e04c7cd2c16a6ab1ee50aead2c09dc85a67fa890e1
SHA512ced36a803caf48be14423a070a0768b020a9fc17b12bfc8db91df789c5184dd4e4d215b6862b4e1cbdf560df64d4e63c8f6abbb599ce92662f49a7f72fa092eb
-
Filesize
21KB
MD5ac2d8c4a58be8a310cbb27e7a0e6ce6a
SHA14afce7899019de87021258f9e81240a5e0528966
SHA25608aa4532aeb894a7014d15d829a255c7727369120e21d8653fd17144454bd650
SHA512241b836ded1c958efc37d4511b988ab2c1753db1af053fc16e96ce3b8d08da7c3d17474d9d318cdf1b426c65ad61bc9a7fe2aceb51635e66274a8cb8a02d6af5
-
Filesize
345KB
MD58d40a2c4e20621445c709f82df07877d
SHA10db949f3deef52224cdcc8b593c7ad1cbec38833
SHA256f330acad894d76cb1e03ef09318884639089e85aa3a77156f5be62ca50dacdf0
SHA512276f83522a847fb0169e994a9fdc7d473df73aa1283ab50561c470d99d7d88b71be9d051b31eb25ea08b5e14549b47120fc9f401d1637781ee1baee3b4e459bd
-
Filesize
583B
MD50798d7c257f6f2922d1b6b6da5824696
SHA19dadbc32af458e7ff9a4ff2cca5abe82be928ced
SHA2566f823d3fffdf9137f7d393636fdee5ccb3aaa198f66c766cf4360a51338b2b35
SHA51272fea39a2ea321b0c52ae4fe441ab8c744215f2d123e36fc377cfc3c3ea97555629c04cdf00f7d07f542eb475b867fcea08d93696ed6a0b7c814827e7833ba93
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
160KB
-
Filesize
32KB
-
Filesize
392KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
64KB