Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2024 06:18
Static task: static1
Behavioral task: behavioral1
  Sample: 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
Size: 781KB
MD5: 14f75b2eb7c9e8e722489b60d1aac52a
SHA1: a7babe3d0d25689bd4899a95f7d9ac746df7f61d
SHA256: ba26910aee89ac869e6f56bcfba36c31c811d7fd5892ec34831873dac1eb3bdf
SHA512: 7010fd8a3f6e24328ba2672b813102f6097505d90f8dab85bae818edc8277e75284003d263c999f22834eb13c70e8282df66585e489468b828028f4c63e6fb83
SSDEEP: 12288:L5////cHfaAwe3erIn9Zo/a46rOpqFmORcibq3Uips8Zn4IH:L5////c/aAwbr2oJ6rELOyB3Ui3ZB
Malware Config
Extracted
Family: latentbot
Extracted host: willsminecraftsvr.zapto.org
Signatures
Modifies firewall policy service (3 TTPs, 8 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Cry.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cry.exe:*:Enabled:Windows Messanger" | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Executes dropped EXE (2 IoCs)
Processes: ABrRL.exe, svchost.exe
pid | process
- 2584 | ABrRL.exe
- 2524 | svchost.exe
Loads dropped DLL (3 IoCs)
Processes: 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
pid | process
- 2292 | 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
- 2292 | 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
- 2292 | 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: ABrRL.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javaw.exe" | ABrRL.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
description | pid | process | target process
- PID 2292 set thread context of 2524 | 2292 | 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTPs, 4 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
pid | process
- 2864 | reg.exe
- 2112 | reg.exe
- 1372 | reg.exe
- 1584 | reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes: 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe, svchost.exe
description | pid | process
- Token: SeDebugPrivilege | 2292 | 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
- Token: 1 | 2524 | svchost.exe
- Token: SeCreateTokenPrivilege | 2524 | svchost.exe
- Token: SeAssignPrimaryTokenPrivilege | 2524 | svchost.exe
- Token: SeLockMemoryPrivilege | 2524 | svchost.exe
- Token: SeIncreaseQuotaPrivilege | 2524 | svchost.exe
- Token: SeMachineAccountPrivilege | 2524 | svchost.exe
- Token: SeTcbPrivilege | 2524 | svchost.exe
- Token: SeSecurityPrivilege | 2524 | svchost.exe
- Token: SeTakeOwnershipPrivilege | 2524 | svchost.exe
- Token: SeLoadDriverPrivilege | 2524 | svchost.exe
- Token: SeSystemProfilePrivilege | 2524 | svchost.exe
- Token: SeSystemtimePrivilege | 2524 | svchost.exe
- Token: SeProfSingleProcessPrivilege | 2524 | svchost.exe
- Token: SeIncBasePriorityPrivilege | 2524 | svchost.exe
- Token: SeCreatePagefilePrivilege | 2524 | svchost.exe
- Token: SeCreatePermanentPrivilege | 2524 | svchost.exe
- Token: SeBackupPrivilege | 2524 | svchost.exe
- Token: SeRestorePrivilege | 2524 | svchost.exe
- Token: SeShutdownPrivilege | 2524 | svchost.exe
- Token: SeDebugPrivilege | 2524 | svchost.exe
- Token: SeAuditPrivilege | 2524 | svchost.exe
- Token: SeSystemEnvironmentPrivilege | 2524 | svchost.exe
- Token: SeChangeNotifyPrivilege | 2524 | svchost.exe
- Token: SeRemoteShutdownPrivilege | 2524 | svchost.exe
- Token: SeUndockPrivilege | 2524 | svchost.exe
- Token: SeSyncAgentPrivilege | 2524 | svchost.exe
- Token: SeEnableDelegationPrivilege | 2524 | svchost.exe
- Token: SeManageVolumePrivilege | 2524 | svchost.exe
- Token: SeImpersonatePrivilege | 2524 | svchost.exe
- Token: SeCreateGlobalPrivilege | 2524 | svchost.exe
- Token: 31 | 2524 | svchost.exe
- Token: 32 | 2524 | svchost.exe
- Token: 33 | 2524 | svchost.exe
- Token: 34 | 2524 | svchost.exe
- Token: 35 | 2524 | svchost.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: svchost.exe
pid | process
- 2524 | svchost.exe
- 2524 | svchost.exe
- 2524 | svchost.exe
Suspicious use of WriteProcessMemory (52 IoCs)
Processes: 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe, csc.exe, svchost.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process (identical rows collapsed; the count in brackets is the number of times the row appears)
- PID 2292 wrote to memory of 2928 | 2292 | 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe | csc.exe [x4]
- PID 2928 wrote to memory of 2532 | 2928 | csc.exe | cvtres.exe [x4]
- PID 2292 wrote to memory of 2584 | 2292 | 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe | ABrRL.exe [x4]
- PID 2292 wrote to memory of 2524 | 2292 | 14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe | svchost.exe [x8]
- PID 2524 wrote to memory of 2172 | 2524 | svchost.exe | cmd.exe [x4]
- PID 2524 wrote to memory of 2564 | 2524 | svchost.exe | cmd.exe [x4]
- PID 2524 wrote to memory of 2556 | 2524 | svchost.exe | cmd.exe [x4]
- PID 2524 wrote to memory of 2456 | 2524 | svchost.exe | cmd.exe [x4]
- PID 2172 wrote to memory of 2864 | 2172 | cmd.exe | reg.exe [x4]
- PID 2564 wrote to memory of 2112 | 2564 | cmd.exe | reg.exe [x4]
- PID 2456 wrote to memory of 1372 | 2456 | cmd.exe | reg.exe [x4]
- PID 2556 wrote to memory of 1584 | 2556 | cmd.exe | reg.exe [x4]
Processes (tree; the number in brackets is the process depth)
- [1] C:\Users\Admin\AppData\Local\Temp\14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14f75b2eb7c9e8e722489b60d1aac52a_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uet5bcpu.cmdline"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES197B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC197A.tmp"
  - [2] C:\Users\Admin\AppData\Local\Temp\ABrRL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ABrRL.exe"
    - Executes dropped EXE
    - Adds Run key to start application
  - [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Cry.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Cry.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Cry.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Cry.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\ABrRL.exe
  Filesize: 4KB
  MD5: 0f6a88847d1662b127aecbc3339b5dfd
  SHA1: 7287007f9f1a2e0692a9110f15cfd33b360714b3
  SHA256: 5988d089da8f75fdb27b3ac5d625f09edbd2028cd625482ec29273c084b9e995
  SHA512: 7bb795f72f97eaecbbb089517973d00727b8d28eb256e3ba639aaacef3ffb5647b4a32e722e54aaa84893767bc0404ed0b349f1f7f73029cf086b0367a741f6f
- C:\Users\Admin\AppData\Local\Temp\RES197B.tmp
  Filesize: 1KB
  MD5: dd24c16f0d45fa352e475874299e946a
  SHA1: 4608ec6e25538b269bed5b0a87fb91bd378271f7
  SHA256: a8d6b2039302bea67e9ff0fb810b0da7a46bdac947519b3927c9216838ed1fd0
  SHA512: afd52abfad23a6a16bda7dfbe05dddfa611b4d37decb807a375583537d67cce3a324f8bc08e03d7e0c92b445fb4afed223ee07fe7128ad24819f3acdbe27872f
- \??\c:\Users\Admin\AppData\Local\Temp\CSC197A.tmp
  Filesize: 636B
  MD5: cbdc36004d717169d25c6fffa894d71f
  SHA1: 1cfb7d7a9054412b42ba09ce95213192b4822aab
  SHA256: e85d9aab041cd458db282eed73f554e0365966998cc83ed24761fc7dea161a63
  SHA512: 676a84925c9f974e55ad5148f8ad2bfebc375c8e59db033cde0200426de5f0304d71dc2947d31d7488ec9b53f65e414cb87f73be8fd2b347e4b515723b29094d
- \??\c:\Users\Admin\AppData\Local\Temp\uet5bcpu.0.cs
  Filesize: 1KB
  MD5: 55c169ce9f7d94677c877d34a33e11b0
  SHA1: aa882688c1114ddb39a5d24c3dec9bfd8adfa559
  SHA256: 1f59c8448f3dd92a57974773c9694a320e1a2886433007ec4fd661190d41ac79
  SHA512: 9be8a9eaf9c4bee309243cfc48d1d51e4915a17aaa22a27bc5b3731a8a45d862226ccdb0a4b926ad4a73637120877487844d78355b4c2d3afb958462edbba7d2
- \??\c:\Users\Admin\AppData\Local\Temp\uet5bcpu.cmdline
  Filesize: 258B
  MD5: b8474a2f70ee916a3ffe79d1c936a58e
  SHA1: d4161cce5ed4e8b7c631dd202076dcf1c0c5f21a
  SHA256: 8b8a4db544ac59bda91a3b023941edefbf8f76729159dd6d034817b8e61a85a2
  SHA512: 9891bd76be714b97aa7e60ef110bc3c8ab93e223d22fb62c4b0c468903289d4e19757c9fd1c1c42c587a4bbd2f4cdab2de3612d8930de5678a5ddcd41466046d
- \Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 31KB
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
Memory dumps
- memory/2292-1-0x0000000074570000-0x0000000074B1B000-memory.dmp (Filesize: 5.7MB)
- memory/2292-2-0x0000000074570000-0x0000000074B1B000-memory.dmp (Filesize: 5.7MB)
- memory/2292-43-0x0000000074570000-0x0000000074B1B000-memory.dmp (Filesize: 5.7MB)
- memory/2292-0-0x0000000074571000-0x0000000074572000-memory.dmp (Filesize: 4KB)
- memory/2524-33-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-47-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-60-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2524-30-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-28-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-59-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-44-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-45-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-26-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-49-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-51-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-52-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-53-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2524-56-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/2928-10-0x0000000074570000-0x0000000074B1B000-memory.dmp (Filesize: 5.7MB)
- memory/2928-15-0x0000000074570000-0x0000000074B1B000-memory.dmp (Filesize: 5.7MB)