Analysis
-
max time kernel
122s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
28-06-2024 14:17
Behavioral task
behavioral1
Sample
1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe
-
Size
95KB
-
MD5
1a70e1e36e6afa454f6457140ac3d2ec
-
SHA1
853c94da9a70900281a4345dab7c43812a467609
-
SHA256
4d3a0ba910024c6ca1ca9e915eb43fff7f9610406105750383f716069e7dfb91
-
SHA512
7ed173915292f8986cedfc4111ae644be0b497ba2d9e57a31d90699c5d8843b09646a94788f9644ddb732dc5ec6d6ee747e2de1fc4b0e852a64428d4398f1413
-
SSDEEP
1536:yL6aduLanddV3DKTNKmeQAaswB18GF7ECWYevGwyvHYBAwnW4i9:yLFdPyjAaswzjVFOBA3
Malware Config
Signatures
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll" reg.exe -
Loads dropped DLL 1 IoCs
Processes:
svchost.exepid process 2604 svchost.exe -
Drops file in System32 directory 9 IoCs
Processes:
svchost.exe1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\SysWOW64\svchost.log svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 svchost.exe File created C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll 1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 svchost.exe -
Drops file in Windows directory 2 IoCs
Processes:
1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exedescription ioc process File created C:\Windows\system\config_t.dat 1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe File opened for modification C:\Windows\system\config_t.dat 1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-d2-72-ed-09-0a\WpadDecisionReason = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{053C49D3-23F6-4CAB-B6B7-FE548C5A85A9}\86-d2-72-ed-09-0a svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{053C49D3-23F6-4CAB-B6B7-FE548C5A85A9}\WpadDecisionReason = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{053C49D3-23F6-4CAB-B6B7-FE548C5A85A9}\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{053C49D3-23F6-4CAB-B6B7-FE548C5A85A9}\WpadDecisionTime = 90c58de365c9da01 svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-d2-72-ed-09-0a\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{053C49D3-23F6-4CAB-B6B7-FE548C5A85A9} svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{053C49D3-23F6-4CAB-B6B7-FE548C5A85A9}\WpadNetworkName = "Network 3" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-d2-72-ed-09-0a\WpadDecisionTime = 90c58de365c9da01 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
svchost.exepid process 2604 svchost.exe 2604 svchost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.execmd.exedescription pid process target process PID 2208 wrote to memory of 2788 2208 1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe cmd.exe PID 2208 wrote to memory of 2788 2208 1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe cmd.exe PID 2208 wrote to memory of 2788 2208 1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe cmd.exe PID 2208 wrote to memory of 2788 2208 1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe cmd.exe PID 2788 wrote to memory of 2112 2788 cmd.exe reg.exe PID 2788 wrote to memory of 2112 2788 cmd.exe reg.exe PID 2788 wrote to memory of 2112 2788 cmd.exe reg.exe PID 2788 wrote to memory of 2112 2788 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c temp.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll3⤵
- Server Software Component: Terminal Services DLL
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\temp.batFilesize
211B
MD5dde99ab936da8cbda74ea779ef0b2e67
SHA11e27e432e0b7c81b990b92595daebdf0539efea4
SHA256ab6da77270cb63c49d1d12e854850e882d03f41ce48782e98c81bcede0c9ad80
SHA51262a124172d34dc56d00328b45ac13a029c847c2b7e2843ec38270a7c4d813b68b7d66b9a8ef80b8adfa7b1a894f36b5f8c6365fa5551c35939c0b76cd4439437
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD570cf4b2d24efb18155567ceef9a5c62a
SHA15605714555b2a767044477576900e7317a63a70e
SHA256a0642c0ca17f57b77b3075cde28c0b71bf0bc3acf579f1e7a78c04e63d91b255
SHA51295c643774136101863ea5e2ee3adc0bf7f63894e0d6ccdc7544e6fd36b925eb4bbcca62de5fcc6bf671f6ce37ece9731fb3ba59a85c40b532864dd174fea1818
-
C:\Windows\SysWOW64\svchost.logFilesize
993B
MD55cda55d0e518c590ee3f58e3f554cddb
SHA14585739cfdd9f118ef4a46b549cfebedadd4d258
SHA256663cd00bb681c9613724eb8438d6d3b258870ac724bcd5cbe561dd35b56f8452
SHA5122eacb2f0900bdee707235a71e49d4d536515c9bde07754e0fb554e26f7eba96c867e78eb1bc0e2a51e5cfbcac2677d0d581bed4502f13910d83a3f694363b2b0
-
C:\Windows\SysWOW64\svchost.logFilesize
782B
MD57047003338531d4a8ab9fd14ec2b6eaf
SHA1a5f73a3b02ec48c5c5327de2636f0fc52dc1027d
SHA256eee1429b6f5c99474c2a570ae992cce39364f93eac67eb40ad6c1c66d9a6629a
SHA5124d040b291f5bde09d45a1f60782af0d36b72adb2a5575cf6a6fa195623039a92e327f43b16bede24a8b100448ed49e201473236745f3e78d7866ff085446a587
-
C:\Windows\SysWOW64\svchost.logFilesize
1KB
MD5da51be846c0f901ae0b40d1668eba86d
SHA1873b01535d9d34fb4411859eabe712ef15bb35b5
SHA2563408d12aaadc7d6e536e84d3b256d784fffea0c595816762d9a367d50570871b
SHA5121d6056d2ee15602817d729fa9db1989ac3395fe28b994a2ad51531d989d8f8fa03f114f81d9ba66b09f3592909259b0793a0ec07c5c48da435809f2acec572b3
-
C:\Windows\Temp\Tar83A6.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Windows\system\config_t.datFilesize
138B
MD5ada008f2bbc8bf17b0a0287a289c688a
SHA161b609261c81c511aff48b9cd24ee1307c225a56
SHA25697a7d664f16b924996af78d2ea84f336d8395c8db5829761ad02bf223e88f689
SHA51208bf0e452c3182a18f427ba861a641922a17a7f7ac2b21b2d04af2e496ab5afacd5c6f44c685b0cf3ca9ed471434af2536a3ce1d13c48eed427368b0de388ffb
-
C:\Windows\system\config_t.datFilesize
182B
MD5ea72bea48bcb1dcad5a66609b5a1e81e
SHA1f14a1bfe3d208c3d9d617484b122c779d50a10a6
SHA256ec3eba5f4e5d72cf0bb6697a6eacc9f73a0eb0e89f0d9e498f48007689c46fb6
SHA512255e0dae11114231a78773354fe9edbe2fa357fb47d2a5e11d1eec96655ee124356841929d3a27faf9f53bcd140bc855ebe88d8b53289c7cafe7dcc77a49c033
-
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dllFilesize
45KB
MD5452660884ebe3e88ddabe2b340113c8a
SHA1b80d436afcf2f0493f2317ff1a38c9ba329f24b1
SHA256ed6ad64dad85fe11f3cc786c8de1f5b239115b94e30420860f02e820ffc53924
SHA51211c0bc211da6e083015d98cde3c34ce7f36fb492a9859936b1294e730f420f6ac8a68ceacb4367977d930b26ee8f99a0fd08eba59b895de23ac3b4d32ddfaa1c