Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 00:11
Static task: static1
Behavioral task: behavioral1
Sample: 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Resource: win7-20231129-en
General
Target: 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Size: 380KB
MD5: 23f5da47d1e3320198797ec21026ff20
SHA1: 4d0c77335a3f00cdd266d384913072701795ce42
SHA256: c27d63aaaab8a73807dcc5cfc8d4ea41759da0a2a5aae290a1acf0fd00481c24
SHA512: f4f35e2f89840cf4a09570d4ff6ea916eb2339bc6ece8156544c112777efeeb25fc9017fc03ab9b2178f90dbc000bfe7bfa280878056d0ca1ce2371c830e49fa
SSDEEP: 6144:8JicfqjN1+ZkfWH3eKR/VErZFIDSavR5XaqhuHA48hN+q/kaQU7NLT2TtsbRmkuu:ZDNUZwjKdyPa0qhu8Aqx7NH2Tt+
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\winlogon.exe" | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid | process
  2984 | attrib.exe
  5068 | attrib.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Processes:
  resource | yara_rule
  behavioral2/memory/2108-3-0x0000000000400000-0x00000000004EB000-memory.dmp | upx
  behavioral2/memory/2108-2-0x0000000000400000-0x00000000004EB000-memory.dmp | upx
  behavioral2/memory/2108-4-0x0000000000400000-0x00000000004EB000-memory.dmp | upx
  behavioral2/memory/2108-5-0x0000000000400000-0x00000000004EB000-memory.dmp | upx
  behavioral2/memory/2108-6-0x0000000000400000-0x00000000004EB000-memory.dmp | upx
  behavioral2/memory/2108-7-0x0000000000400000-0x00000000004EB000-memory.dmp | upx
  behavioral2/memory/2108-67-0x0000000000400000-0x00000000004EB000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\system32\\winlogon.exe" | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Drops file in System32 directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\winlogon.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\winlogon.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 4460 set thread context of 2108 | 4460 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeSecurityPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeTakeOwnershipPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeLoadDriverPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeSystemProfilePrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeSystemtimePrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeProfSingleProcessPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeCreatePagefilePrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeShutdownPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeSystemEnvironmentPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeChangeNotifyPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeRemoteShutdownPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeUndockPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeManageVolumePrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeImpersonatePrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: SeCreateGlobalPrivilege | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: 33 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: 34 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: 35 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  Token: 36 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  4460 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
  description | pid | process | target process
  PID 4460 wrote to memory of 2108 | 4460 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  PID 4460 wrote to memory of 2108 | 4460 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  PID 4460 wrote to memory of 2108 | 4460 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  PID 4460 wrote to memory of 2108 | 4460 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  PID 4460 wrote to memory of 2108 | 4460 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  PID 4460 wrote to memory of 2108 | 4460 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  PID 4460 wrote to memory of 2108 | 4460 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  PID 4460 wrote to memory of 2108 | 4460 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
  PID 2108 wrote to memory of 3576 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | cmd.exe
  PID 2108 wrote to memory of 3576 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | cmd.exe
  PID 2108 wrote to memory of 3576 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | cmd.exe
  PID 2108 wrote to memory of 3144 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | cmd.exe
  PID 2108 wrote to memory of 3144 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | cmd.exe
  PID 2108 wrote to memory of 3144 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | cmd.exe
  PID 2108 wrote to memory of 1560 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | cmd.exe
  PID 2108 wrote to memory of 1560 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | cmd.exe
  PID 2108 wrote to memory of 1560 | 2108 | 23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe | cmd.exe
  PID 3576 wrote to memory of 2984 | 3576 | cmd.exe | attrib.exe
  PID 3576 wrote to memory of 2984 | 3576 | cmd.exe | attrib.exe
  PID 3576 wrote to memory of 2984 | 3576 | cmd.exe | attrib.exe
  PID 1560 wrote to memory of 3488 | 1560 | cmd.exe | PING.EXE
  PID 1560 wrote to memory of 3488 | 1560 | cmd.exe | PING.EXE
  PID 1560 wrote to memory of 3488 | 1560 | cmd.exe | PING.EXE
  PID 3144 wrote to memory of 5068 | 3144 | cmd.exe | attrib.exe
  PID 3144 wrote to memory of 5068 | 3144 | cmd.exe | attrib.exe
  PID 3144 wrote to memory of 5068 | 3144 | cmd.exe | attrib.exe
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
  pid | process
  2984 | attrib.exe
  5068 | attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
        command line: C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe" +s +h
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\attrib.exe
                command line: attrib "C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe" +s +h
                - Sets file to hidden
                - Views/modifies file attributes
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\attrib.exe
                command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
                - Sets file to hidden
                - Views/modifies file attributes
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\PING.EXE
                command line: ping 127.0.0.1 -n 5
                - Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
- C:\Windows\SysWOW64\winlogon.exe
  Filesize: 380KB
  MD5: 23f5da47d1e3320198797ec21026ff20
  SHA1: 4d0c77335a3f00cdd266d384913072701795ce42
  SHA256: c27d63aaaab8a73807dcc5cfc8d4ea41759da0a2a5aae290a1acf0fd00481c24
  SHA512: f4f35e2f89840cf4a09570d4ff6ea916eb2339bc6ece8156544c112777efeeb25fc9017fc03ab9b2178f90dbc000bfe7bfa280878056d0ca1ce2371c830e49fa
- memory/2108-3-0x0000000000400000-0x00000000004EB000-memory.dmp
  Filesize: 940KB
- memory/2108-2-0x0000000000400000-0x00000000004EB000-memory.dmp
  Filesize: 940KB
- memory/2108-4-0x0000000000400000-0x00000000004EB000-memory.dmp
  Filesize: 940KB
- memory/2108-5-0x0000000000400000-0x00000000004EB000-memory.dmp
  Filesize: 940KB
- memory/2108-6-0x0000000000400000-0x00000000004EB000-memory.dmp
  Filesize: 940KB
- memory/2108-7-0x0000000000400000-0x00000000004EB000-memory.dmp
  Filesize: 940KB
- memory/2108-67-0x0000000000400000-0x00000000004EB000-memory.dmp
  Filesize: 940KB