Analysis
- Max time kernel: 150s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-20240611-en
- Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- Submitted: 26-06-2024 11:09
Static task: static1
Behavioral task: behavioral1
- Sample: 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
- Size: 1.3MB
- MD5: 11cb4eb10453d144006a6f84d2a3048b
- SHA1: 7967a0d2b34c4b86be783b8ce3b4c51691fafba3
- SHA256: d901e7642ce6df81c42f02571068de58a2955e5c299be950c0746f868a9399ec
- SHA512: 03c33268b60eb9bf6b96acfafd64ef5ef5cca2e99ab05c31d93779afcb5ba9c88ce7b952f6a06f8127216b29ba275ec954fb126087ca63723a93f0abd0dc1572
- SSDEEP: 24576:BbCrhfsSO6omIC13GWK5m0c4RWj0KmSFe6In4uBCqGCLSrWbk:Bb0hkS2bCFSwgRWj0s2oqpZk
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: Service.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Update\\winupdate.exe" | Service.exe

- Modifies firewall policy service (3 TTPs, 3 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | explorer.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Service.exe, explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Service.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe

- Executes dropped EXE (1 IoC)
  Processes: Service.exe
  pid | process
  3016 | Service.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: notepad.exe, Service.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Update\\winupdate.exe" | notepad.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Update\\winupdate.exe" | Service.exe

- Drops file in System32 directory (4 IoCs)
  Processes: Service.exe, notepad.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\Update\winupdate.exe | Service.exe
  File opened for modification | C:\Windows\SysWOW64\Update\winupdate.exe | Service.exe
  File opened for modification | C:\Windows\SysWOW64\Update\winupdate.exe | notepad.exe
  File opened for modification | C:\Windows\SysWOW64\Update\ | Service.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: Service.exe
  description | pid | process | target process
  PID 3016 set thread context of 2464 | 3016 | Service.exe | explorer.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: explorer.exe, Service.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Service.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Service.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Service.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Service.exe

- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: Service.exe, explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Service.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe

- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: Service.exe (PID 3016), explorer.exe (PID 2464)
  Both processes adjusted the same 23 token privileges, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35.

- Suspicious use of WriteProcessMemory (57 IoCs)
  Processes: 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe, Service.exe, explorer.exe
  Distinct events (each recorded several times, 57 in total):
  description | pid | process | target process
  PID 2924 wrote to memory of 3016 | 2924 | 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe | Service.exe
  PID 3016 wrote to memory of 2720 | 3016 | Service.exe | notepad.exe
  PID 3016 wrote to memory of 2464 | 3016 | Service.exe | explorer.exe
  PID 2464 wrote to memory of 2584 | 2464 | explorer.exe | notepad.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\AppData\Local\Temp\Service.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Service.exe"
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      - Adds Run key to start application
      - Drops file in System32 directory
    - (3) C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\notepad.exe
        Command line: C:\Windows\SysWOW64\notepad.exe
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Downloads
- C:\Users\Admin\AppData\Local\Temp\Service.exe
  - Filesize: 691KB
  - MD5: 081581fef9e34526d9c6eedc9cf694ba
  - SHA1: 02a8949097003d4998e1a2cfe71956ea913d5671
  - SHA256: a51af90af9a2b35cbf5b6baaeadfed634ac2ff3956586f5fa2e59936f75aeeb2
  - SHA512: 0384a11f4e80487ad5aa514b02423cfb278b54b2795be405a435ae056b43048b7bb3e3680ff23b1060a0050cc5b476a80f327d74661e0103f4935e3912bed9b3