Analysis
  max time kernel: 118s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 22-06-2024 21:28

Behavioral task behavioral1
  Sample: 03e8d330abc77a6a9d635d2e7c0e213a_JaffaCakes118.exe
  Resource: win7-20231129-en

Behavioral task behavioral2
  Sample: 03e8d330abc77a6a9d635d2e7c0e213a_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

The signatures, process tree and dropped files below are from the Windows 7 x64 run (behavioral1); the Windows 10 task is listed but its results are not on this page.
General
  Target: 03e8d330abc77a6a9d635d2e7c0e213a_JaffaCakes118.exe
  Size: 492KB
  MD5: 03e8d330abc77a6a9d635d2e7c0e213a
  SHA1: f4215465ea2368922d8f47357ced112e10b2c6d9
  SHA256: 6aa24766ff48239eed0ec20a8c2e05704650e73de941470cc053e1000bea6470
  SHA512: 58aa3c017d3e5202b6a0f3f3040ba265e62f5ec5fbaab3330583ad71d88aceefab94cd87e7abcf9c936c01316b0750b5ba629df1e0b5504dd006261ea0bc4314
  SSDEEP: 6144:l2FtkbtQmb25Zh18hqJbDqSB7Lvq2XsjYiVmOf7Yp4jOa9Upm:l2FtkmmCVRtPvq2+d/
Malware Config: none listed

Signatures

Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  Processes: net.exe
  net.exe  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"
  Note: the doubled backslashes are the sandbox's string escaping; the stored value has single backslashes. The ServiceDll value names system32, but the "Drops file in System32 directory" entry below shows net.exe creating the DLL under C:\Windows\SysWOW64. The consistent reading is that net.exe is a 32-bit process, so WOW64 file-system redirection sends its system32 write to SysWOW64, and it is the 32-bit host C:\Windows\SysWOW64\svchost.exe -k netsvcs that later loads the dropped DLL ("Loads dropped DLL" below). When sweeping a 64-bit host for this artifact, check both directories.
Executes dropped EXE (2 IoCs)
  Processes: temp.exe, net.exe
  PID 1632  temp.exe
  PID 2556  net.exe

Loads dropped DLL (2 IoCs)
  Processes: 03e8d330abc77a6a9d635d2e7c0e213a_JaffaCakes118.exe, svchost.exe
  PID 824   03e8d330abc77a6a9d635d2e7c0e213a_JaffaCakes118.exe
  PID 2612  svchost.exe
Drops file in System32 directory (10 IoCs)
  Processes: sysprep.exe, svchost.exe, net.exe
  sysprep.exe  File opened for modification  C:\Windows\system32\sysprep\Panther\diagwrn.xml
  sysprep.exe  File opened for modification  C:\Windows\system32\sysprep\Panther\setupact.log
  svchost.exe  File opened for modification  C:\Windows\SysWOW64\system_t.dll
  svchost.exe  File opened for modification  C:\Windows\SysWOW64\dnlist.ini
  sysprep.exe  File opened for modification  C:\Windows\system32\sysprep\Panther\setuperr.log
  sysprep.exe  File opened for modification  C:\Windows\system32\sysprep\Panther\diagerr.xml
  net.exe      File created                  C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll
  svchost.exe  File created                  C:\Windows\SysWOW64\system_t.dll
  svchost.exe  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  svchost.exe  File created                  C:\Windows\SysWOW64\enumfs.ini
  Note: the four sysprep\Panther entries are sysprep.exe's own log files, written whenever sysprep.exe runs; they are a by-product of the launcher chain, not attacker payloads. The attacker-written files are the FastUserSwitchingCompatibilityex.dll service DLL (net.exe) and the system_t.dll, dnlist.ini and enumfs.ini files written by the svchost.exe host after it loaded that DLL. counters.dat under the SYSTEM profile's Temporary Internet Files is WinINet cache housekeeping, see the HKEY_USERS note below.

Drops file in Windows directory (3 IoCs)
  Processes: net.exe, svchost.exe
  net.exe      File created                  C:\Windows\system\config_t.dat
  net.exe      File opened for modification  C:\Windows\system\config_t.dat
  svchost.exe  File opened for modification  C:\Windows\system\config_t.dat
  Note: config_t.dat is created by the installer stage (net.exe) and then opened by the service host (svchost.exe), so it is the hand-off between the two stages; its hash is listed under Downloads.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: svchost.exe
  svchost.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  svchost.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  svchost.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  svchost.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Note: the process shown is the SysWOW64 svchost.exe -k netsvcs host (PID 2612) after it loaded the dropped service DLL, so these reads belong to the payload, not to svchost.exe itself. ~MHz, VendorIdentifier and Identifier are the same values a host-fingerprinting payload typically collects; the sandbox's "detect sandboxing" hint is a generic heuristic and this page does not show which use is made of them.

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe
  PID 1444  ipconfig.exe (ipconfig /all, spawned by the svchost.exe -k netsvcs host)
Modifies data under HKEY_USERS (24 IoCs)
  Processes: svchost.exe
  svchost.exe  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  svchost.exe  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  svchost.exe  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  svchost.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-e3-bc-f6-08-2c\WpadDecision = "0"
  svchost.exe  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3336CDC6-A9D1-4922-8D70-2DAF5964B1B4}\aa-e3-bc-f6-08-2c
  svchost.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-e3-bc-f6-08-2c\WpadDecisionReason = "1"
  svchost.exe  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  svchost.exe  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  svchost.exe  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0039000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  svchost.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3336CDC6-A9D1-4922-8D70-2DAF5964B1B4}\WpadDecision = "0"
  svchost.exe  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3336CDC6-A9D1-4922-8D70-2DAF5964B1B4}\WpadNetworkName = "Network 3"
  svchost.exe  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-e3-bc-f6-08-2c
  svchost.exe  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-e3-bc-f6-08-2c\WpadDecisionTime = 60cd0b53ebc4da01
  svchost.exe  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  svchost.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  svchost.exe  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  svchost.exe  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  svchost.exe  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3336CDC6-A9D1-4922-8D70-2DAF5964B1B4}\WpadDecisionTime = 60cd0b53ebc4da01
  svchost.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3336CDC6-A9D1-4922-8D70-2DAF5964B1B4}\WpadDecisionReason = "1"
  svchost.exe  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  svchost.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  svchost.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  svchost.exe  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  svchost.exe  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3336CDC6-A9D1-4922-8D70-2DAF5964B1B4}
  Note: all 24 entries are under HKEY_USERS\.DEFAULT, the profile a LocalSystem service sees, and they are the keys WinINet initialises on first use (connection settings, WPAD auto-detect, cache prefixes). They are not sample-specific indicators: the aa-e3-bc-f6-08-2c key is the sandbox VM's adapter MAC and the {3336CDC6-...} GUID its network profile, so neither belongs in a detection rule. What they do establish is that the DLL loaded into the netsvcs host uses WinINet from SYSTEM context, i.e. it attempts HTTP(S) communication, even though no traffic is recorded on this page.
Runs net.exe
  Note: this signature keys on the image name. The net.exe here is the dropped C:\Users\Admin\AppData\Local\Temp\net.exe (PID 2556, hash under Downloads), not the Windows net.exe utility in System32; do not read it as "net user"/"net share" activity.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: temp.exe, svchost.exe
  PID 1632  temp.exe
  PID 2612  svchost.exe

Suspicious use of WriteProcessMemory (35 IoCs)
  Processes: 03e8d330abc77a6a9d635d2e7c0e213a_JaffaCakes118.exe, temp.exe, Explorer.EXE, sysprep.exe, svchost.exe
  The 35 events grouped by writer and target:
  PID 824   03e8d330abc77a6a9d635d2e7c0e213a_JaffaCakes118.exe  wrote to  PID 1632  temp.exe       (4 events)
  PID 1632  temp.exe                                           wrote to  PID 1380  Explorer.EXE   (20 events)
  PID 1380  Explorer.EXE                                       wrote to  PID 2644  sysprep.exe    (3 events)
  PID 2644  sysprep.exe                                        wrote to  PID 2556  net.exe        (4 events)
  PID 2612  svchost.exe                                        wrote to  PID 1444  ipconfig.exe   (4 events)
  Note: three or four writes from a parent into a child it has just created are the normal process-creation pattern (the sandbox flags them regardless). The 20 writes from temp.exe into the already-running Explorer.EXE (PID 1380) are the real finding: together with the three 4KB memory dumps from PID 1380 under Downloads and Explorer.EXE then spawning sysprep.exe, they show temp.exe injecting code into Explorer and using it as the launcher for sysprep.exe.
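The generic check behind the "Terminal Services DLL" signature is "which svchost-hosted services point ServiceDll at a DLL that should not be there". The following PowerShell is an added example written for this page, not code from the sandbox or from the sample's authors. It assumes an elevated 64-bit PowerShell on the host being triaged and that a clean host's service DLLs live under %SystemRoot%\System32 or SysWOW64 and carry a valid Microsoft Authenticode signature; the function name Resolve-ServiceDllPath is the example's own.

```powershell
# Added example (not part of the sandbox report): enumerate every service that runs as a
# ServiceDll inside svchost.exe and flag those whose DLL is missing, lives outside the
# Windows system directories, or is not validly Microsoft-signed. In the report above,
# net.exe pointed FastUserSwitchingCompatibility\Parameters\ServiceDll at a dropped DLL.
# Assumptions (not from the report): elevated 64-bit PowerShell; clean service DLLs are
# under %SystemRoot%\System32 or SysWOW64 and Microsoft-signed.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sysRoot = $env:SystemRoot

# Map service name -> svchost group ("-k netsvcs" etc.); the Svchost key holds REG_MULTI_SZ lists.
$groupOf = @{}
$svchostKey = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($p in $svchostKey.PSObject.Properties) {
    if ($p.Value -is [string[]]) {
        foreach ($svcName in $p.Value) { $groupOf[$svcName.ToLower()] = $p.Name }
    }
}

function Resolve-ServiceDllPath([string]$raw) {
    # Expand %SystemRoot% and friends. If the 64-bit System32 path does not exist, try the
    # SysWOW64 twin: a 32-bit writer that names system32 lands in SysWOW64 through WOW64
    # file-system redirection, which is exactly the mismatch visible in the report.
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if (-not (Test-Path -LiteralPath $path) -and $path -imatch '\\System32\\') {
        $twin = $path -ireplace '\\System32\\', '\SysWOW64\'
        if (Test-Path -LiteralPath $twin) { return $twin }
    }
    return $path
}

$findings = foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $params = "$svcRoot\$($svc.PSChildName)\Parameters"
    $raw = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $raw) { continue }

    $path   = Resolve-ServiceDllPath $raw
    $exists = Test-Path -LiteralPath $path
    $status = 'Missing'
    $signer = $null
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    $inSysDir = ($path -ilike "$sysRoot\System32\*") -or ($path -ilike "$sysRoot\SysWOW64\*")
    $msSigned = ($status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Service    = $svc.PSChildName
        Group      = $groupOf[$svc.PSChildName.ToLower()]
        ServiceDll = $path
        Exists     = $exists
        Signature  = $status
        Suspicious = (-not $exists) -or (-not $inSysDir) -or (-not $msSigned)
    }
}

# A hit like the one in this report shows Group = netsvcs, a SysWOW64 path and Signature = NotSigned.
$findings | Where-Object Suspicious | Sort-Object Group, Service | Format-Table -AutoSize
```

On older hosts (Windows 7 era) Get-AuthenticodeSignature does not consult signing catalogs, so catalog-signed Microsoft DLLs report NotSigned and the list will contain legitimate entries; compare those against a known-good host with Get-FileHash before treating them as findings. A service that is registered but whose DLL does not exist in either directory is also worth a look, since it may be the leftover of a hijack that was partially cleaned up.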
Processes

C:\Windows\Explorer.EXE  (PID 1380)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\03e8d330abc77a6a9d635d2e7c0e213a_JaffaCakes118.exe  (PID 824)
  |     command line: "C:\Users\Admin\AppData\Local\Temp\03e8d330abc77a6a9d635d2e7c0e213a_JaffaCakes118.exe"
  |     - Loads dropped DLL
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Users\Admin\AppData\Local\Temp\temp.exe  (PID 1632)
  |           command line: "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  |           - Executes dropped EXE
  |           - Suspicious behavior: EnumeratesProcesses
  |           - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\system32\sysprep\sysprep.exe  (PID 2644)
        command line: "C:\Windows\system32\sysprep\sysprep.exe" "C:\Users\Admin\AppData\Local\Temp\net.exe" "C:\Windows\system32" ""
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Users\Admin\AppData\Local\Temp\net.exe  (PID 2556)
              command line: "C:\Users\Admin\AppData\Local\Temp\net.exe"
              - Server Software Component: Terminal Services DLL
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory

C:\Windows\SysWOW64\svchost.exe  (PID 2612)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\ipconfig.exe  (PID 1444)
        command line: ipconfig /all
        - Gathers network information

Reading the tree (PIDs are taken from the signature tables above): the sample (PID 824) drops and runs temp.exe, which injects into Explorer; Explorer then starts sysprep.exe with the dropped net.exe and C:\Windows\system32 as arguments, and sysprep.exe starts net.exe. Two points matter for triage. First, sysprep.exe is an auto-elevating Windows binary, so when launched from Explorer on Windows 7 with default UAC it runs at high integrity without a prompt, and anything it spawns inherits that token; injecting into Explorer to launch it is the standard shape of a UAC bypass. Second, the quoted paths are not sysprep's own switch syntax and the report does not capture how sysprep.exe came to execute net.exe (the only sysprep file activity listed is its Panther logs), so the mechanism inside sysprep.exe is not shown on this page. net.exe then writes the ServiceDll value and the DLL, after which the 32-bit svchost.exe -k netsvcs host loads the DLL, profiles the host (CPU registry keys, ipconfig /all) and initialises WinINet under the SYSTEM profile.
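The process tree above is a chain that can be hunted from Sysmon process-creation events on other hosts. The PowerShell below is an added example for this page (not the sandbox's or the sample's code). It assumes Sysmon is installed with Event ID 1 logging enabled, and the three patterns are assumptions derived from this single run rather than a published rule; the function names Get-SysmonProcessCreates and Find-SysprepLauncherChain are the example's own.

```powershell
# Added example (not part of the sandbox report): hunt Sysmon Event ID 1 for the chain in the
# process tree above: explorer.exe starting sysprep.exe with a %TEMP% binary on its command line,
# sysprep.exe spawning a child from %TEMP%, and a "svchost.exe -k netsvcs" host running ipconfig.
# Assumptions: Sysmon with process-creation logging; patterns derived from this one run.

function Get-SysmonProcessCreates([datetime]$Since = (Get-Date).AddDays(-7)) {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Sysmon puts each field in <Data Name="...">; flatten them into a hashtable.
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            User        = $d['User']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            ParentImage = $d['ParentImage']
            ParentCmd   = $d['ParentCommandLine']
        }
    }
}

function Find-SysprepLauncherChain($events) {
    $temp = '\\AppData\\Local\\Temp\\'
    $events | Where-Object {
        # 1) sysprep.exe launched by explorer.exe with a Temp-path binary as an argument
        ($_.Image -ilike '*\sysprep\sysprep.exe' -and
         $_.ParentImage -ilike '*\explorer.exe' -and
         $_.CommandLine -imatch $temp) -or
        # 2) any child of sysprep.exe whose image lives in Temp (the dropped net.exe here)
        ($_.ParentImage -ilike '*\sysprep\sysprep.exe' -and $_.Image -imatch $temp) -or
        # 3) network recon spawned directly by a netsvcs service host
        ($_.Image -ilike '*\ipconfig.exe' -and $_.ParentCmd -imatch 'svchost\.exe\s+-k\s+netsvcs')
    }
}

Find-SysprepLauncherChain (Get-SysmonProcessCreates) |
    Sort-Object Time |
    Format-Table Time, User, ParentImage, Image, CommandLine -AutoSize -Wrap
```

Legitimate sysprep use is started by an administrator from a console or an imaging tool with /generalize-style switches and no Temp paths, so pattern 1 is low-noise; pattern 3 will also catch benign ipconfig runs from other netsvcs-hosted components, so treat it as corroboration rather than a stand-alone alert.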
Downloads (dropped files and memory dumps)

C:\Users\Admin\AppData\Local\Temp\net.exe
  Filesize: 245KB
  MD5: 9c544da8c23826379d60581cce17a483
  SHA1: c74ade21364fdcc749186772eaa8369725a9d82c
  SHA256: b94e9f69e5f953bab705ddfea8ddaa81906b0396e97e4320078f8b73c2cc8f5f
  SHA512: a1e1cf02ea00d20b0ec2456de931a8d0cd380e24c21554366956e2917865bece78a6881b262f17dc3ec33111678ec6c0bad4d13aba7112635e68a530c33f51d0

C:\Windows\SysWOW64\dnlist.ini
  Filesize: 60B
  MD5: 8bd9ed41e49737e3fd9d643234bc83d6
  SHA1: 06ec8d1b7e7cc883d1cf480396866d6d8cc28fda
  SHA256: fcd21ad1c1bbd425b1379e08b918886c01f8b3b0718e165a70f701e11c7bd202
  SHA512: 9b2817e3483850c66ba7a2c152113f5a797fb23d4d02cc1922ed4a2feef15b7c526a77e9b652f0a4f01c7a0c021cb5ec1a27445fff2754552f3a870a2a262e2f

C:\Windows\SysWOW64\system_t.dll
  Filesize: 817B
  MD5: d53a756aabe7549926e7e87dbaf0f432
  SHA1: b0cd640e86867ebc2e7654b28ce731104441e078
  SHA256: 08fbad71f74ddcc23a870ec99b3bc73e79cf801a68e2b52c629517abfb8f9f1d
  SHA512: be8676afd15878219694eb260069bf66fb28e11b52a06a94674c05512df5bba07d66210949d8fdd316c6f6a41018360e07334adec8592da8b5b12f91c52a2af6
  Note: 817 bytes is far too small for a PE image; despite the .dll extension this is a data or configuration file written by the service host.

C:\Windows\system\config_t.dat
  Filesize: 194B
  MD5: d24e6d2a05ae2b0c64d3829a7a99a9de
  SHA1: 4be3138a0340c398872bc4275a1a8a2afbb0b9c0
  SHA256: 30447cc2de804936027a3448b3df6c8e6c21d3a23430cda95a2f3bee30566cff
  SHA512: e7b2d7967f673cf76c1076eaa1b327d0488b874c49f0f78a3a5a94dc8a2b31eef5911a1cd1a1e9bcf92f97e07f4221930f83540f0d37bcd79986e24f2aea2fa2

\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
  Filesize: 200KB
  MD5: 150a2c1b800c6370f9c8a3781568ef83
  SHA1: 6cc2aed29b672b7026c0fabd3285984488aaeaf3
  SHA256: e5f0e0a014e19a8aef99286e6bfd04b7c1258f5a2a5ce2b3ef5d96ec0ac60be3
  SHA512: 54ffa28ccfcfe3f16078a4a7eaf8f9b10718082bbdb5148c0a2219ff556002105e49c3e88605ef11bbab45f0a704777c10195bfbe93179d6d27c616ea7b37538
  Note: this is the service DLL registered under FastUserSwitchingCompatibility\Parameters\ServiceDll and loaded by svchost.exe -k netsvcs; the \??\ prefix is the NT object-manager path form the sandbox recorded. The enumfs.ini that svchost.exe also created in SysWOW64 is not in this list, so no hash is available for it.

\Users\Admin\AppData\Local\Temp\temp.exe
  Filesize: 86KB
  MD5: 425609a2c35081730982a01d72a76cbe
  SHA1: 64f95fe985a7ef7ee4f396e36279aa31498ac3cc
  SHA256: e03145fefe7fef82c2a476d7dec03305d7da79cd3c8fe1578177580175febbd3
  SHA512: 6ede1415ac51d588a71bfb5697a599eb777e9530240b7a3524626d2a230bb51017c9b3d05923c5cb41800cca9818f2d99484310390a0425ef8e48984c4c9cfd4

memory/1380-28-0x0000000004210000-0x0000000004211000-memory.dmp
  Filesize: 4KB

memory/1380-13-0x0000000004040000-0x0000000004041000-memory.dmp
  Filesize: 4KB

memory/1380-7-0x0000000002A40000-0x0000000002A41000-memory.dmp
  Filesize: 4KB

Note: the three memory dumps are single pages from PID 1380 (Explorer.EXE), captured after temp.exe's writes into that process; they are the injected code, not a file the sample dropped.
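To sweep a host for the artifacts of this run, the following PowerShell is an added example for this page (not the sandbox's code). The paths and SHA256 values are copied from the Downloads list and the registry check from the "Terminal Services DLL" signature; everything else, including the function names Test-FileIocs and Test-RegistryIocs and the decision to check both System32 and SysWOW64, is the example's own. Hashes only match this exact build, so a path or registry hit with a differing hash should be treated as a possible variant rather than dismissed.

```powershell
# Added example (not part of the sandbox report): look for the files and the ServiceDll value
# this run left behind. Paths/hashes are from the report above. Because the dropper is 32-bit,
# a 64-bit host keeps the DLL under SysWOW64 although ServiceDll names system32, so both
# locations are checked. enumfs.ini has a path but no reported hash.

$fileIocs = @{
    'C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll' = 'e5f0e0a014e19a8aef99286e6bfd04b7c1258f5a2a5ce2b3ef5d96ec0ac60be3'
    'C:\Windows\system32\FastUserSwitchingCompatibilityex.dll' = 'e5f0e0a014e19a8aef99286e6bfd04b7c1258f5a2a5ce2b3ef5d96ec0ac60be3'
    'C:\Windows\SysWOW64\system_t.dll'                          = '08fbad71f74ddcc23a870ec99b3bc73e79cf801a68e2b52c629517abfb8f9f1d'
    'C:\Windows\SysWOW64\dnlist.ini'                            = 'fcd21ad1c1bbd425b1379e08b918886c01f8b3b0718e165a70f701e11c7bd202'
    'C:\Windows\SysWOW64\enumfs.ini'                            = $null   # created by the service host; no hash in the report
    'C:\Windows\system\config_t.dat'                            = '30447cc2de804936027a3448b3df6c8e6c21d3a23430cda95a2f3bee30566cff'
}

function Test-FileIocs([hashtable]$iocs) {
    foreach ($path in $iocs.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $expected = $iocs[$path]
        if ($null -eq $expected)      { $verdict = 'PathMatch' }
        elseif ($hash -eq $expected)  { $verdict = 'HashMatch' }
        else                          { $verdict = 'PathMatch-HashDiffers' }   # possible variant
        [pscustomobject]@{ Path = $path; SHA256 = $hash; Verdict = $verdict }
    }
}

function Test-RegistryIocs {
    # The sandbox saw the write under ControlSet001; check the live set and both numbered sets.
    foreach ($cs in 'CurrentControlSet', 'ControlSet001', 'ControlSet002') {
        $key = "HKLM:\SYSTEM\$cs\services\FastUserSwitchingCompatibility\Parameters"
        $val = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($val) {
            if ($val -imatch 'FastUserSwitchingCompatibilityex\.dll$') { $verdict = 'Match' } else { $verdict = 'Review' }
            [pscustomobject]@{ Path = $key; SHA256 = $null; Verdict = "$verdict (ServiceDll = $val)" }
        }
    }
}

$hits = @(Test-FileIocs $fileIocs) + @(Test-RegistryIocs)
if ($hits) { $hits | Format-List } else { 'No artifacts from this run found.' }
```

Run it elevated from a 64-bit PowerShell so that the system32 path is not itself redirected. On a clean Windows 7 or later host the FastUserSwitchingCompatibility service key should not exist at all, so any ServiceDll value under it is worth a look even if it does not name the DLL from this run.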