Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 27/01/2025, 20:50

General

  • Target: JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
  • Size: 532KB
  • MD5: 43911114fe45fe2349eea1c3c5657bfd
  • SHA1: 3ce01eaf787a67fd84d31bee4eddbeaab0b239c9
  • SHA256: 371e7fce1fa40071ff8b99fa72a84f8697e26e8d43bc0932c9acc9ce4ba64a0d
  • SHA512: e333fa0db5a206dcbe32e385905aa71b09d3f09fbff449a65a6e5ea607ed9ab424595666d8603a173987f257735620d92942a7b420fdee049b281c4261018d35
  • SSDEEP: 12288:D6onxOp8FySpE5zvIdtU+YmefStLpm1tT0:5wp8DozAdO9StLpwR0

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 28 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe
      "C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_43911114fe45fe2349eea1c3c5657bfd.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3048
      • C:\Users\Admin\AppData\Local\Temp\dcktv.exe
        "C:\Users\Admin\AppData\Local\Temp\dcktv.exe" "-C:\Users\Admin\AppData\Local\Temp\akdxkdpawhftlebb.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:1052
      • C:\Users\Admin\AppData\Local\Temp\dcktv.exe
        "C:\Users\Admin\AppData\Local\Temp\dcktv.exe" "-C:\Users\Admin\AppData\Local\Temp\akdxkdpawhftlebb.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:212
    • C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe
      "C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_43911114fe45fe2349eea1c3c5657bfd.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:116

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\eybfcfbwcxfdfipzmbeybf.fbw
    Filesize: 272B
    MD5: 9d971bb939383ead01574086c58ce0ff
    SHA1: 27395ad96b95e852c967153c81a269152e73d465
    SHA256: 0626436ccf6ca859ade4cc38becd95034974bb8cc82baa6e7f8e4324814420a5
    SHA512: 70d63ed496a0a2b2d1a918480251f1e21961f8d414657de4d1245fb00309c2b96e8f446ca1c07fb60c9e9818130da67979a8bac8a1d0a56e858924cf59d17872

  • C:\Program Files (x86)\eybfcfbwcxfdfipzmbeybf.fbw
    Filesize: 272B
    MD5: 27b709391b05c5cf4e6da762baabc203
    SHA1: 9d505cbbb0873d16d4434cbf025ebfd4ed7150f5
    SHA256: 147a8fd8bfbd0f97b2d55de2dd645ec8764bfca9d36fb574a313435b992fb70c
    SHA512: 3d19fd0b48cf4e1d387983a0cb717cdc4ad0f4abafdc19cdde3403cc049e3a5b42898e224421d2d894f3588dff5ff3dd3f829298d028fb29517f8b3002f1fba1

  • C:\Program Files (x86)\eybfcfbwcxfdfipzmbeybf.fbw
    Filesize: 272B
    MD5: b66c695bb2bb585453d473dceaaad72d
    SHA1: 5cb54ee5022d8c8ee417c9929f41dac4ba2c91a8
    SHA256: 2f73bd73da235039c90a41510754276a90d1d04ed11e2b7f1a6b6b6354b2bc09
    SHA512: 8b47f35d83aab3e339a927d7fc6c1f62516e4fb46c2a321f06fd85742ab52fe59a1472797cf970f2ca5ec774c7e40610fbe4391bc4799ebbcab145744bebb5f4

  • C:\Program Files (x86)\eybfcfbwcxfdfipzmbeybf.fbw
    Filesize: 272B
    MD5: 925d5e78dfa6620e403d77b90773af6b
    SHA1: 2e4ba0659d14f44a3fc25bb4554462fc121ff815
    SHA256: 514b83d0d720f34d5ca5b3e13eafb6c2ef8c7cf58d20ef4307c661325d8aa042
    SHA512: 8c48c26af0561c71f803498c2d8090e3b2af087d97f6c38a5f14a192e8b75355ede05014f67d42ea7c0fa932a5cf76c85330e470342eb56b2c78401e604384a4

  • C:\Program Files (x86)\eybfcfbwcxfdfipzmbeybf.fbw
    Filesize: 272B
    MD5: f9f2b68ce86061c2980f2cad14ccca00
    SHA1: ae3452cb6bbf0376ab5ac9759c9e349ab79ae078
    SHA256: 8b402cc186592d185d8f709b8fd744b8a94d5380954d70ddaa3cbe65baeb4551
    SHA512: 82c5d7f8875a15a13d74ddd90ba9eb71486028ff4d8c32257a768bf6a6fa82baca28c2b686f5fde9ae898a0cb6a53049e3f6f25b79d3c670006f129330bdbc99

  • C:\Users\Admin\AppData\Local\Temp\dcktv.exe
    Filesize: 708KB
    MD5: 5b636d806943e2a0101554abbfe5becf
    SHA1: 69cba4316e8372a503597e5b5038262d3fa9e754
    SHA256: f4bfd9762b293bb249923922549449a3f7de0098182bd4541420f3f681491be5
    SHA512: fb11f42cb98ef9102c991525f198fa2794cfb7ada5c7264bdb7a9c31c8f51cb58532511a21c39b31b770c16154fe5e40c9ddc79d1a1b1515d9a2d9677ee8d378

  • C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe
    Filesize: 320KB
    MD5: 5203b6ea0901877fbf2d8d6f6d8d338e
    SHA1: c803e92561921b38abe13239c1fd85605b570936
    SHA256: 0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
    SHA512: d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

  • C:\Users\Admin\AppData\Local\eybfcfbwcxfdfipzmbeybf.fbw
    Filesize: 272B
    MD5: 806d5645e36e7f3af966ea55a45418a2
    SHA1: ca67edc927759345fd3e3dfb1aead5ccb9d0b282
    SHA256: ec3233b21e98d4c1ced09ba15218c6b8d5eae460eec66e0faefb2f230e51d0a6
    SHA512: 9f35bd114bc2b99b26d44fe3d0d70c805582f57f7bdd1c7fba860eae5c21e485b19667253cc1a523c6bc371d36c8716793f04905cd3c6f5b0f6ff57556f0e8ba

  • C:\Users\Admin\AppData\Local\eybfcfbwcxfdfipzmbeybf.fbw
    Filesize: 272B
    MD5: a07907e60b5e38cdb25cb9e80bb8bfb9
    SHA1: 9658e6a1f5f5233482f540326a9c4b2e64e72d30
    SHA256: 150486e0062c1187df54d5c040964e0297ade2d19ca61a190799c0051372079f
    SHA512: ba721d075471ea07aab1935b2b58ccbc75b762743d9458ef5e57a5290659530fb9b9b8b1df0dc191c045f1aa9aab368e06418e921a1abce51f22488f093c5049

  • C:\Users\Admin\AppData\Local\vaodlzgmdjclymezxxlqetbpwctzsbocu.nnb
    Filesize: 3KB
    MD5: b0561fa601778d6e41b4f0820cd5039f
    SHA1: 2e9911dee7d4cb2d6443eb6a710ad2b1d3974a1f
    SHA256: 6b53702d7c7478c104028f07731d6d359654e5df11d64650cde14380584f70d2
    SHA512: a3c87384ae2737e0ec378e8438e5b9fcd78b2d3f24f5dd18b1b2c50d29e38583c897357b2029d3d650a04ae5e1bb69942b22603809876b3d54adc3c1fba98dac

  • C:\Windows\SysWOW64\qcxtidrecppfzutvah.exe
    Filesize: 532KB
    MD5: 43911114fe45fe2349eea1c3c5657bfd
    SHA1: 3ce01eaf787a67fd84d31bee4eddbeaab0b239c9
    SHA256: 371e7fce1fa40071ff8b99fa72a84f8697e26e8d43bc0932c9acc9ce4ba64a0d
    SHA512: e333fa0db5a206dcbe32e385905aa71b09d3f09fbff449a65a6e5ea607ed9ab424595666d8603a173987f257735620d92942a7b420fdee049b281c4261018d35

  • C:\aerfmzfkaf.bat
    Filesize: 656KB
    MD5: 84465679e7c3bce67dc2f0661fc0603d
    SHA1: 998d70d34c516273a7aa75094fe6d70b2977a4aa
    SHA256: b484afebbad6e16ca5b6c811a56df01f1702487c5383bade79fa59cfdd7e5484
    SHA512: 858a33f20565b10dcd997a0f9c102963497912b3d3d2a9c87396e6d003030b311fff19d965ca8fd4f6c39ef1dff6bb9642cf74cffd332ed2030c91e86459ba0b