Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 11:09

Static task: static1
Behavioral task: behavioral1
  Sample: 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
  Resource: win10v2004-20240611-en

General
Target: 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
Size: 1.3MB
MD5: 11cb4eb10453d144006a6f84d2a3048b
SHA1: 7967a0d2b34c4b86be783b8ce3b4c51691fafba3
SHA256: d901e7642ce6df81c42f02571068de58a2955e5c299be950c0746f868a9399ec
SHA512: 03c33268b60eb9bf6b96acfafd64ef5ef5cca2e99ab05c31d93779afcb5ba9c88ce7b952f6a06f8127216b29ba275ec954fb126087ca63723a93f0abd0dc1572
SSDEEP: 24576:BbCrhfsSO6omIC13GWK5m0c4RWj0KmSFe6In4uBCqGCLSrWbk:Bb0hkS2bCFSwgRWj0s2oqpZk
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Winlogon starts every comma-separated program listed in the Userinit value at interactive logon; the stock value contains only userinit.exe, so the appended winupdate.exe runs at each logon.
Processes: Service.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Update\\winupdate.exe" | Service.exe
Modifies firewall policy service (3 TTPs, 3 IoCs)
EnableFirewall = 0 under FirewallPolicy\StandardProfile switches the Windows Firewall off for the standard (non-domain) profile; DisableNotifications = 0 leaves firewall notifications on. Note that these writes come from the injected explorer.exe, not from Service.exe.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | explorer.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Service.exe, explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Service.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely as a geofence check.
Processes: 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
Processes: Service.exe
pid | process
4384 | Service.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Service.exe, notepad.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Update\\winupdate.exe" | Service.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Update\\winupdate.exe" | notepad.exe
Drops file in System32 directory (4 IoCs)
Note the path mismatch: the file is written under C:\Windows\SysWOW64\Update\ (what a 32-bit process sees as system32 through WOW64 file-system redirection), while the Run and Userinit values name C:\Windows\system32\Update\winupdate.exe. Whether the loaders that read those values resolve to the dropped file depends on their bitness, so confirm on a live host before assuming this persistence works, or fails.
Processes: Service.exe, notepad.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Update\winupdate.exe | Service.exe
File opened for modification | C:\Windows\SysWOW64\Update\winupdate.exe | notepad.exe
File opened for modification | C:\Windows\SysWOW64\Update\ | Service.exe
File created | C:\Windows\SysWOW64\Update\winupdate.exe | Service.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: Service.exe
description | pid | process | target process
PID 4384 set thread context of 3368 | 4384 | Service.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Service.exe, explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Service.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Service.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Service.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Service.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: Service.exe, explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Service.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
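The persistence, firewall and fingerprinting signatures above are all registry operations, and the sandbox prints each of them in the same one-line form. The Python below is an added example, not part of this report, of the sandbox, or of the sample: it parses those lines (copied from this report into a constructed inline string) and applies the checks an analyst would run over them. It splits the Winlogon Userinit value into its comma-separated entries and flags anything other than the stock userinit.exe, flags Run-key writes, flags EnableFirewall = 0, and flags reads of the HARDWARE\DESCRIPTION\System keys and of the Geo\Nation value. The rule names and the RegEvent/Finding types are my own, not sandbox signature names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registry IoC lines copied from this report into a constructed inline string.
# The sandbox prints the acting process as the last token of each line.
REGISTRY_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Update\\winupdate.exe" Service.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Service.exe
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Update\\winupdate.exe" Service.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier explorer.exe
"""

# One report line: <operation> <registry path>[ = "<value>"] <process>
REG_LINE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created|Key opened|Key value queried) '
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?: = "(?P<value>.*)")? '
    r'(?P<proc>\S+)$'
)


@dataclass
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    proc: str


@dataclass
class Finding:
    rule: str      # my own rule names, not sandbox signature names
    proc: str
    detail: str


def parse_iocs(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        m = REG_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed IoC line: {line!r}")
        value = m["value"]
        if value is not None:
            value = value.replace("\\\\", "\\")  # the report doubles backslashes inside values
        events.append(RegEvent(m["op"], m["path"], value, m["proc"]))
    return events


def userinit_extras(value: str) -> list:
    """Entries of a Winlogon Userinit value other than the stock userinit.exe.

    The default is 'C:\\Windows\\system32\\userinit.exe,' (trailing comma, one entry);
    every comma-separated program listed here is started at interactive logon.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def analyze(text: str) -> list:
    findings = []
    for ev in parse_iocs(text):
        p = ev.path.lower()
        leaf = ev.path.rsplit("\\", 1)[-1]
        if p.endswith("\\winlogon\\userinit") and ev.value is not None:
            for extra in userinit_extras(ev.value):
                findings.append(Finding("winlogon_userinit", ev.proc, extra))
        elif "\\currentversion\\run\\" in p and ev.op.startswith("Set value"):
            findings.append(Finding("run_key", ev.proc, f"{leaf} -> {ev.value}"))
        elif "\\firewallpolicy\\" in p and p.endswith("\\enablefirewall") and ev.value == "0":
            profile = ev.path.split("\\")[-2]          # e.g. StandardProfile
            findings.append(Finding("firewall_disabled", ev.proc, profile))
        elif "\\hardware\\description\\system\\" in p:  # BIOS / CPU / system fingerprinting
            findings.append(Finding("hw_fingerprint", ev.proc, leaf))
        elif p.endswith("\\geo\\nation"):
            findings.append(Finding("geo_lookup", ev.proc, leaf))
    return findings


if __name__ == "__main__":
    for f in analyze(REGISTRY_IOCS):
        print(f"[{f.rule}] {f.proc}: {f.detail}")
```

The Userinit check is the one worth keeping around: the stock value ends in a trailing comma, so a naive equality test against "C:\Windows\system32\userinit.exe" produces false positives on clean hosts, while splitting on commas and dropping empty entries catches appended programs regardless of spacing or case.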
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: Service.exe, explorer.exe
description | pid | process
Both PID 4384 (Service.exe) and PID 3368 (explorer.exe) enable the same 24 privileges, in this order:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 4384 | Service.exe
Token: (same 24 privileges) | 3368 | explorer.exe
The identical privilege set enabled from inside explorer.exe is consistent with explorer.exe executing the code Service.exe injected into it.
Suspicious use of WriteProcessMemory (53 IoCs)
Processes: 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe, Service.exe, explorer.exe
description | pid | process | target process
PID 2752 wrote to memory of 4384 (3 entries) | 2752 | 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe | Service.exe
PID 4384 wrote to memory of 4880 (repeated) | 4384 | Service.exe | notepad.exe
PID 4384 wrote to memory of 3368 (5 entries) | 4384 | Service.exe | explorer.exe
PID 3368 wrote to memory of 4944 (repeated) | 3368 | explorer.exe | notepad.exe
The remaining 45 of the 53 entries are repeated writes into the two notepad.exe children (PID 4880 from Service.exe, PID 4944 from explorer.exe).
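Read together, the SetThreadContext and WriteProcessMemory signatures describe how the payload reaches explorer.exe: Service.exe (PID 4384) writes into the freshly started SysWOW64\explorer.exe (PID 3368) and then sets its thread context, and the memory dumps listed under Downloads below include the same 760KB region at 0x13140000-0x131FE000 taken from both PIDs. That write-then-SetThreadContext pairing is the usual shape of process hollowing or thread hijacking. The Python below is an added example, not part of the report or the sample: it parses the report's process-memory IoC lines (a constructed inline copy with the long runs of identical entries collapsed), aggregates them per source/target pair, labels the pairs that show both a write and a SetThreadContext, and walks the resulting injection chain from the sample's PID. The Edge type, the verdict strings and the helper names are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Process-memory IoC lines copied from this report into a constructed inline string.
# The report repeats identical "wrote to memory of" entries many times; only a few
# representatives of each source/target pair are kept here.
PROCESS_IOCS = """
PID 2752 wrote to memory of 4384 2752 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe Service.exe
PID 2752 wrote to memory of 4384 2752 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe Service.exe
PID 2752 wrote to memory of 4384 2752 11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe Service.exe
PID 4384 wrote to memory of 4880 4384 Service.exe notepad.exe
PID 4384 wrote to memory of 4880 4384 Service.exe notepad.exe
PID 4384 set thread context of 3368 4384 Service.exe explorer.exe
PID 4384 wrote to memory of 3368 4384 Service.exe explorer.exe
PID 4384 wrote to memory of 3368 4384 Service.exe explorer.exe
PID 3368 wrote to memory of 4944 3368 explorer.exe notepad.exe
"""

# One report line: PID <src> <operation> <dst> <src> <src name> <dst name>
MEM_LINE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)


@dataclass
class Edge:
    src: int
    src_name: str
    dst: int
    dst_name: str
    writes: int = 0
    thread_context: bool = False

    def verdict(self) -> str:  # my own labels
        if self.writes and self.thread_context:
            return "write + SetThreadContext: hollowing/thread-hijack pattern"
        if self.thread_context:
            return "SetThreadContext only"
        return "WriteProcessMemory only"


def parse_edges(text: str) -> dict:
    """Aggregate the IoC lines into one Edge per (source pid, target pid)."""
    edges = {}
    for line in text.strip().splitlines():
        m = MEM_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed IoC line: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edge = edges.setdefault((src, dst), Edge(src, m["src_name"], dst, m["dst_name"]))
        if m["op"] == "wrote to memory of":
            edge.writes += 1
        else:
            edge.thread_context = True
    return edges


def hollowed_targets(edges: dict) -> list:
    """(source name, target name) for every pair showing both a write and SetThreadContext."""
    return [(e.src_name, e.dst_name) for e in edges.values() if e.writes and e.thread_context]


def injection_chains(edges: dict, root: int) -> list:
    """Every root-to-leaf path through the injection graph as 'pid name' labels."""
    children = defaultdict(list)
    names = {}
    for e in edges.values():
        children[e.src].append(e)
        names[e.src], names[e.dst] = e.src_name, e.dst_name
    chains = []

    def walk(pid: int, path: list, seen: set) -> None:
        path = path + [f"{pid} {names[pid]}"]
        if not children.get(pid):
            chains.append(path)
            return
        for e in children[pid]:
            if e.dst not in seen:           # guard against cycles in odd reports
                walk(e.dst, path, seen | {pid})

    walk(root, [], set())
    return chains


if __name__ == "__main__":
    edges = parse_edges(PROCESS_IOCS)
    for e in edges.values():
        print(f"{e.src} {e.src_name} -> {e.dst} {e.dst_name}: {e.writes} writes, {e.verdict()}")
    for chain in injection_chains(edges, 2752):
        print(" -> ".join(chain))
```

A write-plus-SetThreadContext rule is a good first filter, but on this report it would miss the two notepad.exe children: the sandbox records only writes into PID 4880 and 4944, yet notepad.exe is the process that sets the Run key and opens winupdate.exe, so it is executing injected code as well. Correlate what the target does after the write, not just the API pair.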
Processes
[1] C:\Users\Admin\AppData\Local\Temp\11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\11cb4eb10453d144006a6f84d2a3048b_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Service.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Service.exe"
        - Modifies WinLogon for persistence
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\notepad.exe
            command line: notepad
            - Adds Run key to start application
            - Drops file in System32 directory
        [3] C:\Windows\SysWOW64\explorer.exe
            command line: "C:\Windows\SysWOW64\explorer.exe"
            - Modifies firewall policy service
            - Checks BIOS information in registry
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\notepad.exe
                command line: C:\Windows\SysWOW64\notepad.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\Service.exe
  Filesize: 691KB
  MD5: 081581fef9e34526d9c6eedc9cf694ba
  SHA1: 02a8949097003d4998e1a2cfe71956ea913d5671
  SHA256: a51af90af9a2b35cbf5b6baaeadfed634ac2ff3956586f5fa2e59936f75aeeb2
  SHA512: 0384a11f4e80487ad5aa514b02423cfb278b54b2795be405a435ae056b43048b7bb3e3680ff23b1060a0050cc5b476a80f327d74661e0103f4935e3912bed9b3

Memory dumps (file: filesize)
memory/2752-4-0x000000001C560000-0x000000001C5FC000-memory.dmp: 624KB
memory/2752-31-0x00007FFD0C8F0000-0x00007FFD0D291000-memory.dmp: 9.6MB
memory/2752-3-0x000000001BFD0000-0x000000001C49E000-memory.dmp: 4.8MB
memory/2752-30-0x00007FFD0CBA5000-0x00007FFD0CBA6000-memory.dmp: 4KB
memory/2752-5-0x00007FFD0C8F0000-0x00007FFD0D291000-memory.dmp: 9.6MB
memory/2752-6-0x0000000001410000-0x0000000001418000-memory.dmp: 32KB
memory/2752-2-0x00007FFD0C8F0000-0x00007FFD0D291000-memory.dmp: 9.6MB
memory/2752-1-0x000000001BA50000-0x000000001BAF6000-memory.dmp: 664KB
memory/2752-7-0x000000001C6C0000-0x000000001C70C000-memory.dmp: 304KB
memory/2752-0-0x00007FFD0CBA5000-0x00007FFD0CBA6000-memory.dmp: 4KB
memory/2752-18-0x00007FFD0C8F0000-0x00007FFD0D291000-memory.dmp: 9.6MB
memory/3368-24-0x0000000013140000-0x00000000131FE000-memory.dmp: 760KB
memory/3368-29-0x0000000013140000-0x00000000131FE000-memory.dmp: 760KB
memory/3368-26-0x0000000013140000-0x00000000131FE000-memory.dmp: 760KB
memory/3368-28-0x0000000013140000-0x00000000131FE000-memory.dmp: 760KB
memory/4384-22-0x0000000002230000-0x0000000002231000-memory.dmp: 4KB
memory/4384-25-0x0000000013140000-0x00000000131FE000-memory.dmp: 760KB
memory/4880-17-0x00000000004D0000-0x00000000004D1000-memory.dmp: 4KB
memory/4944-27-0x0000000001190000-0x0000000001191000-memory.dmp: 4KB