Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 03:34
- Static task: static1
- Behavioral task: behavioral1 (sample 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe, resource win7-20240611-en)
- Behavioral task: behavioral2 (sample 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe, resource win10v2004-20240226-en)
General
- Target: 18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe
- Size: 948KB
- MD5: 18a2aa0f58307b422e8f9d630c3a8d2e
- SHA1: 9f302922070f05762ce6d9577f54e9430d58c00a
- SHA256: 139072b0c2ff16e30c9cebbe749f6bc195eae012372cc4ce4f85f4ff7281eba4
- SHA512: 7aea4c1e6c07565cfba83453b1da2c521b8ca45bb987d6d5caeb24d48865fd86c5452453d644fe67de2063196bba6131f7505df79e56e3ae5e71020244f44cc4
- SSDEEP: 24576:BdEEsNOHR6uztgWbL/VOt7GW36j0SG4GMeIUM7W3:rEEs8TJgWvVKGW6oSG4y46
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description, IoC, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description, IoC, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (explorer.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, IoC, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
Drops file in System32 directory (3 IoCs)
Processes (description, IoC, process):
- File created: C:\Windows\SysWOW64\Windupdt\winupdate.exe (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\Windupdt\winupdate.exe (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\Windupdt\ (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes (description, PID, process, target process):
- PID 4160 (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe) set thread context of PID 2432 (explorer.exe)
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, IoC, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes (description, IoC, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
Modifies registry class (4 IoCs)
Processes (description, IoC, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk\ = 9e380cc3ea991ac4df67b7c947eebe49c975080488eb026d (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk (explorer.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\jl1696517142v.tjk\ = 9e380cc3ea991ac4df67b7c947eebe49c975080488eb026d (explorer.exe)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes (token privilege, PID, process):
- PID 4160 (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 2432 (explorer.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (PID, process):
- PID 2432 (explorer.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, PID, process, target process):
- PID 4160 (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe) wrote to memory of PID 2432 (explorer.exe), 5 times
- PID 4160 (18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe) wrote to memory of PID 3800 (ping.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    Signatures:
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\ping.exe (depth 2)
    Command line: ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\18a2aa0f58307b422e8f9d630c3a8d2e_JaffaCakes118.exe"
    Signatures:
    - Runs ping.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads (memory dumps, file and size)
- memory/2432-10-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/2432-12-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/2432-14-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/2432-17-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/2432-18-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/2432-19-0x0000000000CE0000-0x0000000000CE1000-memory.dmp: 4KB
- memory/2432-20-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/2432-21-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/2432-22-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/2432-23-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/2432-24-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/2432-25-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/4160-0-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/4160-3-0x0000000000401000-0x00000000004C6000-memory.dmp: 788KB
- memory/4160-4-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/4160-15-0x0000000000400000-0x00000000005AF000-memory.dmp: 1.7MB
- memory/4160-16-0x0000000000401000-0x00000000004C6000-memory.dmp: 788KB