Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2024 11:53
Behavioral task behavioral1
Sample: 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe
Resource: win7-20240611-en

Behavioral task behavioral2
Sample: 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe
Size: 260KB
MD5: 15e8a1c4d5021e76f933cb1bc895b9c2
SHA1: 8c99da193987bdc6791844a050f9dd7af4dc1b6b
SHA256: 666de371c4fa9b36781cc0cfb0964e7fc8cf7a0223e08aa07ecf7e06befc7397
SHA512: dacfa9e9ac314f58421d96dc0e2bcb2a85b0f3949d2e1f6f3781a5c96da82846ff28f60bb21f5c157f932ca06e3dcf134e1b80bc2956fa49e5a880c7608d3615
SSDEEP: 3072:Fu+i+nbUpVIiCm6qrBbGBPQOfQQ6FpuB3zOa9vMpuk/Xey:4+iuqVtCm6qryIOf7Yp4jOa9Up9
Malware Config
Signatures
Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
Processes: reg.exe
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll" (reg.exe)

Executes dropped EXE (2 IoCs)
Processes: temp.exe, net.exe
- PID 2180 temp.exe
- PID 2896 net.exe

Loads dropped DLL (2 IoCs)
Processes: 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe, svchost.exe
- PID 1672 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe
- PID 3032 svchost.exe

Drops file in System32 directory (11 IoCs)
Processes: sysprep.exe, net.exe, svchost.exe
- File opened for modification C:\Windows\system32\sysprep\Panther\setuperr.log (sysprep.exe)
- File opened for modification C:\Windows\system32\sysprep\Panther\diagwrn.xml (sysprep.exe)
- File created C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll (net.exe)
- File created C:\Windows\SysWOW64\system_t.dll (svchost.exe)
- File created C:\Windows\SysWOW64\enumfs.ini (svchost.exe)
- File opened for modification C:\Windows\system32\sysprep\Panther\diagerr.xml (sysprep.exe)
- File opened for modification C:\Windows\system32\sysprep\Panther\setupact.log (sysprep.exe)
- File created C:\Windows\SysWOW64\net.bat (net.exe)
- File opened for modification C:\Windows\SysWOW64\system_t.dll (svchost.exe)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (svchost.exe)
- File opened for modification C:\Windows\SysWOW64\dnlist.ini (svchost.exe)

Drops file in Windows directory (3 IoCs)
Processes: net.exe, svchost.exe
- File created C:\Windows\system\config_t.dat (net.exe)
- File opened for modification C:\Windows\system\config_t.dat (net.exe)
- File opened for modification C:\Windows\system\config_t.dat (svchost.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
- PID 844 ipconfig.exe

Modifies data under HKEY_USERS (24 IoCs)
Processes: svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (svchost.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00be000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (svchost.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35C3A577-F0CC-4CFC-AFB2-73DBBE00DD88}\WpadDecisionTime = 90481ada88c8da01 (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35C3A577-F0CC-4CFC-AFB2-73DBBE00DD88}\WpadNetworkName = "Network 3" (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-c7-e5-d8-2a-4a\WpadDecision = "0" (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35C3A577-F0CC-4CFC-AFB2-73DBBE00DD88}\WpadDecisionReason = "1" (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35C3A577-F0CC-4CFC-AFB2-73DBBE00DD88}\WpadDecision = "0" (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (svchost.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (svchost.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35C3A577-F0CC-4CFC-AFB2-73DBBE00DD88} (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-c7-e5-d8-2a-4a (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{35C3A577-F0CC-4CFC-AFB2-73DBBE00DD88}\b2-c7-e5-d8-2a-4a (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-c7-e5-d8-2a-4a\WpadDecisionReason = "1" (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (svchost.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-c7-e5-d8-2a-4a\WpadDecisionTime = 90481ada88c8da01 (svchost.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: temp.exe, svchost.exe
- PID 2180 temp.exe
- PID 3032 svchost.exe

Suspicious use of WriteProcessMemory (43 IoCs)
Processes: 15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe, temp.exe, Explorer.EXE, sysprep.exe, net.exe, cmd.exe, svchost.exe
Source PID (process) wrote to memory of target PID (target process); the 43 individual writes collapse to these pairs:
- PID 1672 (15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe) wrote to memory of PID 2180 (temp.exe), 4 writes
- PID 2180 (temp.exe) wrote to memory of PID 1356 (Explorer.EXE), 20 writes
- PID 1356 (Explorer.EXE) wrote to memory of PID 2892 (sysprep.exe), 3 writes
- PID 2892 (sysprep.exe) wrote to memory of PID 2896 (net.exe), 4 writes
- PID 2896 (net.exe) wrote to memory of PID 2508 (cmd.exe), 4 writes
- PID 2508 (cmd.exe) wrote to memory of PID 3000 (reg.exe), 4 writes
- PID 3032 (svchost.exe) wrote to memory of PID 844 (ipconfig.exe), 4 writes
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\15e8a1c4d5021e76f933cb1bc895b9c2_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\temp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\sysprep\sysprep.exe
    Command line: "C:\Windows\system32\sysprep\sysprep.exe" "C:\Users\Admin\AppData\Local\Temp\net.exe" "C:\Windows\system32" ""
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\net.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\net.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c net.bat
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll
          - Server Software Component: Terminal Services DLL
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ipconfig.exe
    Command line: ipconfig /all
    - Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads