Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system -
submitted
24-06-2024 13:51
Behavioral task
behavioral1
Sample
08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
-
Size
105KB
-
MD5
08e5352a2416bd32a1c07f2d6c2f11fa
-
SHA1
75a8054ee4939564fb90ccc654f0cfa9afe062c7
-
SHA256
aceca16c33ae8a73b1fd7699a8317d70d164df9744cb7e494834b9c1e457a768
-
SHA512
db1268b7f11726d9fae2d143757bec5c1497710cc97f3561cdf6dbd5cdd97aef7da2f1fbbbf6819b520e01a85e83775817d051812bcfcf5850dd534532ffc2af
-
SSDEEP
1536:2FmExUd6hs8reTaBElUWasAYHx0OyZ206LM9YZALMwVw:2nohCWasXxb0T9YZ3we
Malware Config
Signatures
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes:
reg.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll" | reg.exe
The reg.exe command line in the process tree targets CurrentControlSet; the IoC records ControlSet001 because CurrentControlSet is a symbolic link to the active control set. The value names C:\Windows\system32\, but the dropper is a 32-bit process and WoW64 file system redirection placed the DLL in C:\Windows\SysWOW64\ (see the file IoCs and the Downloads list), so a ServiceDll pointing at a file that does not exist in the 64-bit System32 is itself a useful hunting signal. The service written is FastUserSwitchingCompatibility, not TermService: the "Terminal Services DLL" label (T1505.005) is the sandbox's generic mapping for ServiceDll writes, and the mechanism here is svchost-hosted ServiceDll persistence under the netsvcs group. -
Loads dropped DLL 1 IoCs
Processes:
svchost.exe
pid | process
1524 | svchost.exe -
Drops file in System32 directory 5 IoCs
Processes:
08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe, svchost.exe
description | ioc | process
File created | C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\system_t.dll | svchost.exe
File opened for modification | C:\Windows\SysWOW64\system_t.dll | svchost.exe
File created | C:\Windows\SysWOW64\enumfs.ini | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dnlist.ini | svchost.exe -
Drops file in Windows directory 3 IoCs
Processes:
08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe, svchost.exe
description | ioc | process
File created | C:\Windows\system\config_t.dat | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
File opened for modification | C:\Windows\system\config_t.dat | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
File opened for modification | C:\Windows\system\config_t.dat | svchost.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exe
pid | process
3392 | ipconfig.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
These ZoneMap values land under .DEFAULT because svchost.exe runs under a system account; the same set of writes appears whenever a SYSTEM process initialises WinINet, so on its own this is a low-signal indicator. -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
svchost.exe
pid | process
1524 | svchost.exe
1524 | svchost.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe, cmd.exe, svchost.exe
description | pid | process | target process
PID 4176 wrote to memory of 3608 | 4176 | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe | cmd.exe
PID 4176 wrote to memory of 3608 | 4176 | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe | cmd.exe
PID 4176 wrote to memory of 3608 | 4176 | 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe | cmd.exe
PID 3608 wrote to memory of 2472 | 3608 | cmd.exe | reg.exe
PID 3608 wrote to memory of 2472 | 3608 | cmd.exe | reg.exe
PID 3608 wrote to memory of 2472 | 3608 | cmd.exe | reg.exe
PID 1524 wrote to memory of 3392 | 1524 | svchost.exe | ipconfig.exe
PID 1524 wrote to memory of 3392 | 1524 | svchost.exe | ipconfig.exe
PID 1524 wrote to memory of 3392 | 1524 | svchost.exe | ipconfig.exe
Every target here is the writer's own child as shown in the process tree (cmd.exe, reg.exe, ipconfig.exe), which is consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 2, child of the sample)
Command line: C:\Windows\system32\cmd.exe /c net.bat
The command line names system32 but the image that ran is the SysWOW64 copy: the 32-bit parent is subject to WoW64 file system redirection, which is also why the dropped ServiceDll ended up in SysWOW64.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe (depth 3, child of cmd.exe)
Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll
- Server Software Component: Terminal Services DLL
-
C:\Windows\SysWOW64\svchost.exe (depth 1, separate root: the service host started for the hijacked service)
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exe (depth 2, child of svchost.exe)
Command line: ipconfig /all
- Gathers network information
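Added example, not part of the sandbox report and not code from the sample's author: a small Python triage script that correlates the ServiceDll registry IoC from the Signatures section with the file-creation IoCs and with the reg.exe command line from the process tree above. The IoC rows and command line embedded in it are constructed to mirror this report's wording; the EXPECTED_WRITERS allow-list and all function names are assumptions of this example.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample input mirroring the wording of the report's IoC rows
# (registry "Set value" rows and file rows). Adjust the regexes for other sources.
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll" reg.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe',
]
FILE_IOCS = [
    r'File created C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll 08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe',
    r'File created C:\Windows\SysWOW64\system_t.dll svchost.exe',
    r'File opened for modification C:\Windows\system\config_t.dat svchost.exe',
]
# The reg.exe command line from the process tree, as process-creation telemetry would carry it.
SAMPLE_CMDLINE = (
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters"'
    r' /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll'
)

# Both ControlSetNNN and the CurrentControlSet link are accepted, since reports show either.
SERVICEDLL_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) '
    r'\\REGISTRY\\MACHINE\\SYSTEM\\(?P<cset>CurrentControlSet|ControlSet\d{3})'
    r'\\Services\\(?P<svc>[^\\]+)\\Parameters\\ServiceDll = "(?P<dll>[^"]+)" (?P<proc>\S+)$'
)
FILE_RE = re.compile(r'^File (?P<op>created|opened for modification) (?P<path>.+?) (?P<proc>\S+)$')
REG_ADD_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?HK(?:LM|EY_LOCAL_MACHINE)\\SYSTEM\\(?P<cset>CurrentControlSet|ControlSet\d{3})'
    r'\\Services\\(?P<svc>[^\\"]+)\\Parameters"?\s+/v\s+ServiceDll\b.*?/d\s+"?(?P<dll>[^"\s]+)',
    re.IGNORECASE,
)
# Assumption: processes that legitimately set ServiceDll (service installers). Tune per environment.
EXPECTED_WRITERS = {"services.exe", "msiexec.exe", "tiworker.exe"}


def parse_servicedll(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a ServiceDll 'Set value' row, or None for any other registry row."""
    m = SERVICEDLL_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["dll"] = fields["dll"].replace("\\\\", "\\")  # the report doubles backslashes inside quotes
    return fields


def parse_file_event(line: str) -> Optional[Dict[str, str]]:
    """Return op/path/process of a file row (paths are assumed not to contain spaces)."""
    m = FILE_RE.match(line)
    return m.groupdict() if m else None


def reg_add_servicedll(cmdline: str) -> Optional[Dict[str, str]]:
    """Detect a reg.exe command line that sets a service's ServiceDll (process-creation telemetry)."""
    m = REG_ADD_RE.search(cmdline)
    return m.groupdict() if m else None


def _split(path: str):
    head, tail = ntpath.split(path)
    return head.lower(), tail.lower()


def find_servicedll_persistence(registry_iocs: List[str], file_iocs: List[str]) -> List[Dict]:
    """Correlate ServiceDll writes with dropped files and list why each one looks suspicious."""
    drops = [f for f in map(parse_file_event, file_iocs) if f and f["op"] == "created"]
    findings = []
    for line in registry_iocs:
        r = parse_servicedll(line)
        if r is None:
            continue
        dll_dir, dll_name = _split(r["dll"])
        reasons = []
        if r["proc"].lower() not in EXPECTED_WRITERS:
            reasons.append(f"ServiceDll set by {r['proc']} rather than a service installer")
        if not dll_dir.endswith(("\\system32", "\\syswow64")):
            reasons.append(f"ServiceDll lives outside System32: {r['dll']}")
        for f in drops:
            drop_dir, drop_name = _split(f["path"])
            if drop_name != dll_name:
                continue  # match dropped files by basename, since the directory may be redirected
            reasons.append(f"DLL dropped during the run by {f['proc']} at {f['path']}")
            if dll_dir.endswith("\\system32") and drop_dir.endswith("\\syswow64"):
                reasons.append("WoW64 redirection: value names System32 but the file landed in SysWOW64")
        findings.append({"service": r["svc"], "control_set": r["cset"], "dll": r["dll"],
                         "writer": r["proc"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_servicedll_persistence(REGISTRY_IOCS, FILE_IOCS):
        print(f"[{f['service']}] ServiceDll={f['dll']} written by {f['writer']}")
        for why in f["reasons"]:
            print("  -", why)
    hit = reg_add_servicedll(SAMPLE_CMDLINE)
    print("reg.exe ServiceDll write:", hit["svc"], "->", hit["dll"])
```

Run as is, the script reports one finding for FastUserSwitchingCompatibility with three reasons: the value was set by reg.exe, the DLL was dropped by the sample during the run, and the value names System32 while the file landed in SysWOW64. The same ServiceDll write is also caught from the command line alone, which is the form a process-creation rule would match before any registry telemetry arrives.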
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\net.bat
Filesize: 211B
MD5: dde99ab936da8cbda74ea779ef0b2e67
SHA1: 1e27e432e0b7c81b990b92595daebdf0539efea4
SHA256: ab6da77270cb63c49d1d12e854850e882d03f41ce48782e98c81bcede0c9ad80
SHA512: 62a124172d34dc56d00328b45ac13a029c847c2b7e2843ec38270a7c4d813b68b7d66b9a8ef80b8adfa7b1a894f36b5f8c6365fa5551c35939c0b76cd4439437
-
C:\Windows\SysWOW64\dnlist.ini
Filesize: 60B
MD5: c3bacb90e99eba817ab09df0d0ef20c6
SHA1: fe4e99571d73151583f7df9b38007324da49e2ef
SHA256: b99d78b6de211146fb5ab7786a873cc8429651c09e85b42ff78158219deaf79c
SHA512: 5ca86a92927b7caf4b8d78c09f53a9fe2579f402140b38f42e47467e56a4156e4bf77bcae03fa626d75c1e274b9189a1d5e4da38836e601c0e602df075f61f12
-
C:\Windows\SysWOW64\enumfs.ini
Filesize: 62B
MD5: 61ce2d6472694de11b077a557065c911
SHA1: 174600480ef52e775821467d289f1c2c6c7a7a43
SHA256: d8e6d2a7f536cb1a4e0ddba96073849f264a489deadfd7edbe4425924cdbbd61
SHA512: 1b62b4dc93cdf14b52681570d97b87038040f3f8a04ad355c80784d0d90bf2b6d5d25ecc27196fd1566e0bedd110f9c395e7a2f465bad39fec240e94de2a41c2
-
C:\Windows\SysWOW64\system_t.dll
Filesize: 1KB
MD5: ed7d77053c329a4a938260ec8a0cd3d3
SHA1: 3d6697de16eb6aadc19a519759ba03567d52a0e1
SHA256: b98b0089a648f39d94b0c4ab568931965b918181616bd98a122c582f64f27fab
SHA512: 23c095f06a98a0e184c2a12bf224534f7b92697bcfdd0ea7aad26831256adfc7c3a36e9af892f5bea5bc80add15e8df29372b1a7c30df82e46d06bc397e29c36
-
C:\Windows\System\config_t.dat
Filesize: 142B
MD5: 9ddb656796bb7d9ad7e3fdb19e50f4df
SHA1: 3cbd7ed350a3b1a6d721355f3bf1987a7397c556
SHA256: 91b75374e15df2be1b82e68b1fc303724cc30e6976aa2b6d0f75e59dfafc50f6
SHA512: 210d5389ebc24449778c3801b304bc4759d5337570554cf782b045f11bd5e0bc54ce392d338416d1505385c28916b2c2c619d87aeb5787d5c5c10d02ec9bb04b
-
C:\Windows\system\config_t.dat
Filesize: 186B
MD5: 623bd7dce6a349545c890a17f18fb88d
SHA1: e0b3634aee490367844785469833101aa0fa29fd
SHA256: 9230503e7b768ea4843c78ec22231b9c95af9c51a8112c3a935552761733adc7
SHA512: fe301a1ea4c026e978d60d03c087c9f08227fafe6b44fe52d8c0f3e0da79b85124527025a2ea9077fc497794d971f2687bfea9aec37be0a54b4e15f29aee6f86
This is a second capture of the same path as the preceding entry (the directory name differs only in case), taken at a different point in the run; the two sizes are consistent with the file being created by the dropper and later rewritten, as the "Drops file in Windows directory" IoCs show both the dropper and svchost.exe opening it for modification.
-
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
Filesize: 53KB
MD5: bff5561677a647c314446e6daa509beb
SHA1: ea52a1a5b15a13bee44cdbfe97beb9c0a4cecc32
SHA256: 91baeec8fa63fbfb7cc0b3e441b438edc6e156fc0ab18a56c7bb6c5df3045048
SHA512: 470973e51649968a0298e46883f5bc9f38d440d7376b6f8b6f6e191f19c5af7f78544a80a90dd218fc6871d519ecdf1735499f3e209b8d103a1c981edf07787b