Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 03:34
Static task: static1
Behavioral task: behavioral1
- Sample: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
- Size: 948KB
- MD5: 18a2aa0f58307b422e8f9d630c3a8d2e
- SHA1: 9f302922070f05762ce6d9577f54e9430d58c00a
- SHA256: 139072b0c2ff16e30c9cebbe749f6bc195eae012372cc4ce4f85f4ff7281eba4
- SHA512: 7aea4c1e6c07565cfba83453b1da2c521b8ca45bb987d6d5caeb24d48865fd86c5452453d644fe67de2063196bba6131f7505df79e56e3ae5e71020244f44cc4
- SSDEEP: 24576:BdEEsNOHR6uztgWbL/VOt7GW36j0SG4GMeIUM7W3:rEEs8TJgWvVKGW6oSG4y46
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes: winupdate.exe, 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
- Checks BIOS information in registry (2 TTPs, 3 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe, winupdate.exe, explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
- Executes dropped EXE (1 IoCs)
  Processes: winupdate.exe
  pid | process
  3040 | winupdate.exe
- Loads dropped DLL (4 IoCs)
  Processes: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe, winupdate.exe
  pid | process
  2112 | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  3040 | winupdate.exe
  3040 | winupdate.exe
  3040 | winupdate.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe, winupdate.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
- Drops file in System32 directory (6 IoCs)
  Processes: winupdate.exe, 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
  File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
  File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\Windupdt\ | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: winupdate.exe
  description | pid | process | target process
  PID 3040 set thread context of 3012 | 3040 | winupdate.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 12 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe, winupdate.exe, explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe, winupdate.exe, explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
- Modifies registry class (6 IoCs)
  Processes: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe, winupdate.exe, explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk\ = 9e380cc3ea991ac4df67b7c947eebe4908bf520788eb026d | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk | winupdate.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk\ = 9e380cc3ea991ac4df67b7c947eebe4908bf520788eb026d | winupdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk | explorer.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk\ = 9e380cc3ea991ac4df67b7c947eebe4908bf520788eb026d | explorer.exe
- Runs ping.exe (1 TTPs, 2 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe, winupdate.exe, explorer.exe
  Tokens adjusted, grouped by pid (process), in the order recorded:
  2112 (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  3040 (winupdate.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, SeRestorePrivilege, SeBackupPrivilege
  3012 (explorer.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: explorer.exe
  pid | process
  3012 | explorer.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe, winupdate.exe
  description | pid | process | target process | occurrences
  PID 2112 wrote to memory of 2096 | 2112 | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe | explorer.exe | 4
  PID 2112 wrote to memory of 3040 | 2112 | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe | winupdate.exe | 7
  PID 2112 wrote to memory of 1684 | 2112 | 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe | ping.exe | 4
  PID 3040 wrote to memory of 3012 | 3040 | winupdate.exe | explorer.exe | 9
  PID 3040 wrote to memory of 2568 | 3040 | winupdate.exe | ping.exe | 7
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
  - (depth 2) C:\Windows\SysWOW64\Windupdt\winupdate.exe
    Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    - (depth 3) C:\Windows\SysWOW64\ping.exe
      Command line: ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
      - Runs ping.exe
  - (depth 2) C:\Windows\SysWOW64\ping.exe
    Command line: ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe"
    - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  Filesize: 948KB
  MD5: 18a2aa0f58307b422e8f9d630c3a8d2e
  SHA1: 9f302922070f05762ce6d9577f54e9430d58c00a
  SHA256: 139072b0c2ff16e30c9cebbe749f6bc195eae012372cc4ce4f85f4ff7281eba4
  SHA512: 7aea4c1e6c07565cfba83453b1da2c521b8ca45bb987d6d5caeb24d48865fd86c5452453d644fe67de2063196bba6131f7505df79e56e3ae5e71020244f44cc4
- memory/2112-21-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/2112-4-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/2112-3-0x0000000000401000-0x00000000004C6000-memory.dmp (Filesize: 788KB)
- memory/2112-0-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/2112-22-0x0000000000401000-0x00000000004C6000-memory.dmp (Filesize: 788KB)
- memory/3012-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/3012-31-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-41-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-28-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-40-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-29-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-42-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-33-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-32-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-39-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-30-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-37-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3012-38-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3040-20-0x0000000000CF0000-0x0000000000E9F000-memory.dmp (Filesize: 1.7MB)
- memory/3040-34-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
- memory/3040-23-0x0000000000CF0000-0x0000000000E9F000-memory.dmp (Filesize: 1.7MB)
- memory/3040-19-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)