Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
24-06-2024 13:51
Behavioral task
behavioral1
Sample
08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
-
Size
105KB
-
MD5
08e5352a2416bd32a1c07f2d6c2f11fa
-
SHA1
75a8054ee4939564fb90ccc654f0cfa9afe062c7
-
SHA256
aceca16c33ae8a73b1fd7699a8317d70d164df9744cb7e494834b9c1e457a768
-
SHA512
db1268b7f11726d9fae2d143757bec5c1497710cc97f3561cdf6dbd5cdd97aef7da2f1fbbbf6819b520e01a85e83775817d051812bcfcf5850dd534532ffc2af
-
SSDEEP
1536:2FmExUd6hs8reTaBElUWasAYHx0OyZ206LM9YZALMwVw:2nohCWasXxb0T9YZ3we
Malware Config
Signatures
-
Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll" | reg.exe -
Loads dropped DLL (1 IoCs)
Processes: svchost.exe
pid | process
2020 | svchost.exe -
Drops file in System32 directory (6 IoCs)
Processes: svchost.exe, 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe
File created | C:\Windows\SysWOW64\enumfs.ini | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dnlist.ini | svchost.exe
File created | C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\system_t.dll | svchost.exe
File opened for modification | C:\Windows\SysWOW64\system_t.dll | svchost.exe -
Drops file in Windows directory (3 IoCs)
Processes: 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe, svchost.exe
description | ioc | process
File created | C:\Windows\system\config_t.dat | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
File opened for modification | C:\Windows\system\config_t.dat | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
File opened for modification | C:\Windows\system\config_t.dat | svchost.exe -
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe -
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
pid | process
1996 | ipconfig.exe -
Modifies data under HKEY_USERS (24 IoCs)
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadDecisionReason = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadDecision = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadNetworkName = "Network 2" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad\WpadDecision = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\3e-be-35-c3-05-ad | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad\WpadDecisionTime = 10eb52d63dc6da01 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad\WpadDecisionReason = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5} | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadDecisionTime = 10eb52d63dc6da01 | svchost.exe -
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: svchost.exe
pid | process
2020 | svchost.exe -
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe, cmd.exe, svchost.exe
description | pid | process | target process
PID 2548 wrote to memory of 1148 | 2548 | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe | cmd.exe
PID 2548 wrote to memory of 1148 | 2548 | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe | cmd.exe
PID 2548 wrote to memory of 1148 | 2548 | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe | cmd.exe
PID 2548 wrote to memory of 1148 | 2548 | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe | cmd.exe
PID 1148 wrote to memory of 3056 | 1148 | cmd.exe | reg.exe
PID 1148 wrote to memory of 3056 | 1148 | cmd.exe | reg.exe
PID 1148 wrote to memory of 3056 | 1148 | cmd.exe | reg.exe
PID 1148 wrote to memory of 3056 | 1148 | cmd.exe | reg.exe
PID 2020 wrote to memory of 1996 | 2020 | svchost.exe | ipconfig.exe
PID 2020 wrote to memory of 1996 | 2020 | svchost.exe | ipconfig.exe
PID 2020 wrote to memory of 1996 | 2020 | svchost.exe | ipconfig.exe
PID 2020 wrote to memory of 1996 | 2020 | svchost.exe | ipconfig.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c net.bat
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll
      - Server Software Component: Terminal Services DLL
-
C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\ipconfig.exe
    Command line: ipconfig /all
    - Gathers network information
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\net.bat
Filesize: 211B
MD5: dde99ab936da8cbda74ea779ef0b2e67
SHA1: 1e27e432e0b7c81b990b92595daebdf0539efea4
SHA256: ab6da77270cb63c49d1d12e854850e882d03f41ce48782e98c81bcede0c9ad80
SHA512: 62a124172d34dc56d00328b45ac13a029c847c2b7e2843ec38270a7c4d813b68b7d66b9a8ef80b8adfa7b1a894f36b5f8c6365fa5551c35939c0b76cd4439437
-
C:\Windows\SysWOW64\dnlist.ini
Filesize: 60B
MD5: c3bacb90e99eba817ab09df0d0ef20c6
SHA1: fe4e99571d73151583f7df9b38007324da49e2ef
SHA256: b99d78b6de211146fb5ab7786a873cc8429651c09e85b42ff78158219deaf79c
SHA512: 5ca86a92927b7caf4b8d78c09f53a9fe2579f402140b38f42e47467e56a4156e4bf77bcae03fa626d75c1e274b9189a1d5e4da38836e601c0e602df075f61f12
-
C:\Windows\SysWOW64\system_t.dll
Filesize: 793B
MD5: 979276ecec3adb586f8d16f3c0ad4428
SHA1: d169893974ecf4b3df8ea8fabfb89a6b7bb57abf
SHA256: 14b14ad3b862040d24eec3d618a0d84ed46af6ec748eb2c404df2ec68fb66d3f
SHA512: 4c7d744be072b8283d16eb26b5840a5c4348c72f0249709c5659a334770ee7cff574602c1ff42f1fe85df0e3aec49a36d0be58888b0ce49bc18497f5c19f1751
-
C:\Windows\system\config_t.dat
Filesize: 204B
MD5: a61b9e59164fb9d6e0f05e105e6fb9e4
SHA1: 4dbfddb484c5a4bcd66ee75f06dfc0f4554d4e0d
SHA256: 04c72340297fb4311263156c9923e170a577694d5d5dd3ff9ff39ea6077d0e36
SHA512: 5a8f19a863c10182fffbcbfc3928c5b9867b1c21ef671483b835964923ace544a269ddb53a247cf4346716a48002436cff8fb56f853c59e7625948f1e9691178
-
C:\Windows\system\config_t.dat
Filesize: 142B
MD5: 9ddb656796bb7d9ad7e3fdb19e50f4df
SHA1: 3cbd7ed350a3b1a6d721355f3bf1987a7397c556
SHA256: 91b75374e15df2be1b82e68b1fc303724cc30e6976aa2b6d0f75e59dfafc50f6
SHA512: 210d5389ebc24449778c3801b304bc4759d5337570554cf782b045f11bd5e0bc54ce392d338416d1505385c28916b2c2c619d87aeb5787d5c5c10d02ec9bb04b
-
\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll
Filesize: 53KB
MD5: bff5561677a647c314446e6daa509beb
SHA1: ea52a1a5b15a13bee44cdbfe97beb9c0a4cecc32
SHA256: 91baeec8fa63fbfb7cc0b3e441b438edc6e156fc0ab18a56c7bb6c5df3045048
SHA512: 470973e51649968a0298e46883f5bc9f38d440d7376b6f8b6f6e191f19c5af7f78544a80a90dd218fc6871d519ecdf1735499f3e209b8d103a1c981edf07787b