Analysis
-
max time kernel
145s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
28/03/2025, 14:36
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe
Resource
win10v2004-20250314-en
General
-
Target
JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe
-
Size
244KB
-
MD5
8ac23acbc2511e0b4d46648faebbb7a8
-
SHA1
1dee5f2bc0073d83b329fbd3961c0f7b0174ac49
-
SHA256
f56407bc63e47ab020c06bd7f6de96dc60590a4fd274ec060d4283b471add83a
-
SHA512
48ddb6a9a03b245c06b8bd6be2d86f0833b2c335ba8321b54d1e154e9d774f70db08ef41a939152fd03a537fb19b0457943ad540b8b3879d0d0abce7174edb46
-
SSDEEP
6144:z3P2nGsTc9fNtHynneSaGBGu7Bj5bennnnnnnnnnn:TPWGfVSnneEBJFjB
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4440 set thread context of 4720 4440 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4720 set thread context of 4676 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 93 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1781E274-0BE2-11F0-AA58-7219D7A672FE} = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449937588" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe Token: SeDebugPrivilege 4048 IEXPLORE.EXE Token: SeDebugPrivilege 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4748 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 4440 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 4748 IEXPLORE.EXE 4748 IEXPLORE.EXE 4048 IEXPLORE.EXE 4048 IEXPLORE.EXE 4048 IEXPLORE.EXE 4048 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 4440 wrote to memory of 4720 4440 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4440 wrote to memory of 4720 4440 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4440 wrote to memory of 4720 4440 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4440 wrote to memory of 4720 4440 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4440 wrote to memory of 4720 4440 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4440 wrote to memory of 4720 4440 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4440 wrote to memory of 4720 4440 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4440 wrote to memory of 4720 4440 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4720 wrote to memory of 4676 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 93 PID 4720 wrote to memory of 4676 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 93 PID 4720 wrote to memory of 4676 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 93 PID 4720 wrote to memory of 4676 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 93 PID 4720 wrote to memory of 4676 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 93 PID 4720 wrote to memory of 4676 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 93 PID 4720 wrote to memory of 4676 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 93 PID 4720 wrote to memory of 4676 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 93 PID 4720 wrote to memory of 4676 4720 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 93 PID 4676 wrote to memory of 4728 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 97 PID 4676 wrote to memory of 4728 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 97 PID 4676 wrote to memory of 4728 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 97 PID 4728 wrote to memory of 4748 4728 iexplore.exe 98 PID 4728 wrote to memory of 4748 4728 iexplore.exe 98 PID 4748 wrote to memory of 4048 4748 IEXPLORE.EXE 99 PID 4748 wrote to memory of 4048 4748 IEXPLORE.EXE 99 PID 4748 wrote to memory of 4048 4748 IEXPLORE.EXE 99 PID 4676 wrote to memory of 4720 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4676 wrote to memory of 4720 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 92 PID 4676 wrote to memory of 4048 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 99 PID 4676 wrote to memory of 4048 4676 JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe"2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac23acbc2511e0b4d46648faebbb7a8.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4048
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize471B
MD50c5ef9158dcdd3b41a7e84c5e760b59d
SHA19cb930588b30e4399d0fbf73a559b2d89373a6a9
SHA25695c2b916d5668f7823fc9222d4cac008570c4f1866a3ef2b4175cb1ea5bbd9d9
SHA51213cf19b192d4b6365ab09e13b5ffc6c26470ff51527d8e49fad7aa410df5a7bc6557e731d5b49fa7c19cd9b677764422d2f57c10d2578cdfdf91cd1120db9c4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize412B
MD55908915e6c64c9ffde47876732f34d0f
SHA17ea2692b90c37312ee995c31fb87e7d29c665039
SHA2564efa1b6affd7b05c44bc5101a8f935889f826d520528ecd2521e399f7191c655
SHA512d11ba356b6f07272a9c1c7214913a2acd179f8adee656464688d6cc6d158aa5a0be7701d0cfc872b6f02ac26c72434a418592c0828f4c4cc08c88d7961d62ec7
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee