Analysis
Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-06-2024 11:52
Static task: static1
Behavioral task: behavioral1
  Sample: 15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe
Size: 1.3MB
MD5: 15e79e75f052a82d3e1a2cd88028596f
SHA1: ec3f2e8e2fe31d232bd45d7d54c79dbe81c47994
SHA256: 938bfda0209c6bb2e28e0094245a0ce708c75f19b42a557054d9a1efde1b1335
SHA512: 8b425d73fb21de18b8fa549a2719cc22da45e0eccd45c1168ee2ffdfd26dd1db3090a0ebd1eb28608e7dad6d1f60de54246f232579c134e779d4a9114ff16ab3
SSDEEP: 24576:1BjwYUcORkNuE9agxxs3HAfpnJ+xxxgQUSFKJnNiu/J5tL:qcuE9xxs3HAB8xTflFKJNx/VL
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - ephir.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"
Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  - winlogon.exe: Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
  - ephir.exe: Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (3 IoCs)
  - PID 4868 winlogon.exe
  - PID 608 ephir.exe
  - PID 4116 winupdate.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  - ephir.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"
Suspicious use of SetThreadContext (1 IoC)
  - PID 4672 (15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe) set thread context of PID 4868 (winlogon.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
  - ephir.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 4672 15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe (4 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 4116 winupdate.exe
Suspicious use of AdjustPrivilegeToken (49 IoCs)
  - PID 4672 (15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe): SeDebugPrivilege
  - PID 608 (ephir.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - PID 4116 (winupdate.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 4116 winupdate.exe
Suspicious use of WriteProcessMemory (35 IoCs)
  - PID 4672 (15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe) wrote to memory of PID 4868 (winlogon.exe): 17 events
  - PID 4868 (winlogon.exe) wrote to memory of PID 608 (ephir.exe): 3 events
  - PID 608 (ephir.exe) wrote to memory of PID 3632 (cmd.exe): 3 events
  - PID 3632 (cmd.exe) wrote to memory of PID 2880 (attrib.exe): 3 events
  - PID 608 (ephir.exe) wrote to memory of PID 4116 (winupdate.exe): 3 events
  - PID 608 (ephir.exe) wrote to memory of PID 4676 (cmd.exe): 3 events
  - PID 4676 (cmd.exe) wrote to memory of PID 4768 (PING.EXE): 3 events
Views/modifies file attributes (1 TTP, 1 IoC)
Processes
1. C:\Users\Admin\AppData\Local\Temp\15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15e79e75f052a82d3e1a2cd88028596f_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\winlogon.exe
      Command line: C:\ProgramData\winlogon.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ephir.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\ephir.exe"
         - Modifies WinLogon for persistence
         - Checks computer location settings
         - Executes dropped EXE
         - Adds Run key to start application
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ephir.exe" +s +h
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\attrib.exe
               Command line: attrib "C:\Users\Admin\AppData\Local\Temp\ephir.exe" +s +h
               - Sets file to hidden
               - Views/modifies file attributes
         4. C:\Windupdt\winupdate.exe
            Command line: "C:\Windupdt\winupdate.exe"
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\ephir.exe"
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\PING.EXE
               Command line: ping 127.0.0.1 -n 5
               - Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Downloads
C:\ProgramData\winlogon.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
C:\Users\Admin\AppData\Local\Temp\ephir.exe
  Filesize: 648KB
  MD5: 33c3c97354fadb72aeb3af19215a9c0b
  SHA1: e0e388a7b42facdfd4bb5c6e7466f553575f3d43
  SHA256: 92d939bdbf1517dba637996aa25ab692f1c00b9465f19bb85ceaa09f5545352e
  SHA512: 33d4d18b1b206458f8acf09441ad263a2019639a2fac13acf4725a766335be2aa44c059abfcd10a8dd04f23a947f413f514920e8134d0087275a1779f06dca7e