Analysis
- max time kernel: 114s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 04-07-2024 20:08
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  - Resource: win7-20240704-en
Behavioral task
- behavioral2
  - Sample: 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  - Resource: win10v2004-20240508-en
General
- Target: 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
- Size: 350KB
- MD5: 2619f1bcec24666f7ba94f5077474d88
- SHA1: f1596187510b18584d56c8f9f861cb87f62fe0fe
- SHA256: 30bc4b2410e5caa5cd4675c884e2010eab617f4860bddf0959d62d620d62025f
- SHA512: 252e70ae912b61528cd0904d8974e6a33b69de05c423e532d76c5c6679f970c1a2eab8b7978f46b415746ec0fa1306e689c66ce28df77e662f7206960c15c37f
- SSDEEP: 6144:gDCwfG1bnxLERR9sadDCwfG1bnxLERR9sat:g72bntEL9/d72bntEL9/t
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
  Processes:
  - 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  - avscan.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  - hosts.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
  Processes:
  - 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  - avscan.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  - hosts.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- Adds policy Run key to start application (2 TTPs, 6 IoCs)
  Processes:
  - WScript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - WScript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MVFYZPLM = "W_X_C.bat"
  - WScript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MVFYZPLM = "W_X_C.bat"
  - WScript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - WScript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MVFYZPLM = "W_X_C.bat"
  - WScript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Executes dropped EXE (6 IoCs)
  Processes:
  - PID 2784 avscan.exe
  - PID 2760 avscan.exe
  - PID 2684 hosts.exe
  - PID 2628 hosts.exe
  - PID 2704 avscan.exe
  - PID 2372 hosts.exe
- Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
  Processes:
  - REG.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power
  - REG.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc
  - REG.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend
- Loads dropped DLL (5 IoCs)
  Processes:
  - PID 2556 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  - PID 2556 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  - PID 2784 avscan.exe
  - PID 2684 hosts.exe
  - PID 2684 hosts.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes:
  - 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"
  - avscan.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"
  - hosts.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"
- Drops file in Windows directory (5 IoCs)
  Processes:
  - 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe: File opened for modification C:\Windows\hosts.exe
  - avscan.exe: File opened for modification C:\Windows\hosts.exe
  - hosts.exe: File opened for modification C:\Windows\hosts.exe
  - 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe: File created C:\windows\W_X_C.vbs
  - 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe: File created \??\c:\windows\W_X_C.bat
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 9 IoCs)
  Processes:
  - PID 1692 REG.exe
  - PID 1472 REG.exe
  - PID 2284 REG.exe
  - PID 956 REG.exe
  - PID 2900 REG.exe
  - PID 1400 REG.exe
  - PID 1752 REG.exe
  - PID 2312 REG.exe
  - PID 1564 REG.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes:
  - PID 2784 avscan.exe
  - PID 2684 hosts.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes:
  - PID 2556 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  - PID 2784 avscan.exe
  - PID 2760 avscan.exe
  - PID 2684 hosts.exe
  - PID 2628 hosts.exe
  - PID 2704 avscan.exe
  - PID 2372 hosts.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each source/target pair was logged 4 times; 16 distinct pairs):
  - PID 2556 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe wrote to memory of PID 2900 REG.exe (x4)
  - PID 2556 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe wrote to memory of PID 2784 avscan.exe (x4)
  - PID 2784 avscan.exe wrote to memory of PID 2760 avscan.exe (x4)
  - PID 2784 avscan.exe wrote to memory of PID 2848 cmd.exe (x4)
  - PID 2556 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe wrote to memory of PID 2748 cmd.exe (x4)
  - PID 2748 cmd.exe wrote to memory of PID 2684 hosts.exe (x4)
  - PID 2848 cmd.exe wrote to memory of PID 2628 hosts.exe (x4)
  - PID 2684 hosts.exe wrote to memory of PID 2704 avscan.exe (x4)
  - PID 2684 hosts.exe wrote to memory of PID 596 cmd.exe (x4)
  - PID 2848 cmd.exe wrote to memory of PID 2052 WScript.exe (x4)
  - PID 2748 cmd.exe wrote to memory of PID 2528 WScript.exe (x4)
  - PID 596 cmd.exe wrote to memory of PID 2372 hosts.exe (x4)
  - PID 596 cmd.exe wrote to memory of PID 2700 WScript.exe (x4)
  - PID 2784 avscan.exe wrote to memory of PID 1400 REG.exe (x4)
  - PID 2684 hosts.exe wrote to memory of PID 1752 REG.exe (x4)
  - PID 2684 hosts.exe wrote to memory of PID 2312 REG.exe (x4)
Processes (nested by parent process)
- C:\Users\Admin\AppData\Local\Temp\2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe"
  Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\REG.exe
    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    Signatures: Impair Defenses: Safe Mode Boot; Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c c:\windows\W_X_C.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\windows\hosts.exe
        Command line: C:\windows\hosts.exe
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        Signatures: Adds policy Run key to start application
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c c:\windows\W_X_C.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\windows\hosts.exe
      Command line: C:\windows\hosts.exe
      Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c c:\windows\W_X_C.bat
        Signatures: Suspicious use of WriteProcessMemory
        - C:\windows\hosts.exe
          Command line: C:\windows\hosts.exe
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          Signatures: Adds policy Run key to start application
      - C:\Windows\SysWOW64\REG.exe
        Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        Signatures: Modifies registry key
      - C:\Windows\SysWOW64\REG.exe
        Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        Signatures: Modifies registry key
      - C:\Windows\SysWOW64\REG.exe
        Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        Signatures: Modifies registry key
      - C:\Windows\SysWOW64\REG.exe
        Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        Signatures: Modifies registry key
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      Signatures: Adds policy Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Admin.bmp (2.4MB)
- C:\Users\Admin\AppData\Local\Temp\Admin.bmp (749KB)
- C:\Users\Admin\AppData\Local\Temp\Admin.bmp (1.4MB)
- C:\Users\Admin\AppData\Local\Temp\Admin.bmp (1.8MB)
- C:\Windows\W_X_C.vbs (195B)
- C:\Windows\hosts.exe (350KB)
- \??\c:\windows\W_X_C.bat (336B)
- \Users\Admin\AppData\Local\Temp\avscan.exe (350KB)
- memory/2372-68-0x0000000000230000-0x0000000000240000-memory.dmp (64KB)
- memory/2748-62-0x00000000021E0000-0x00000000022E0000-memory.dmp (1024KB)
- memory/2748-63-0x00000000021E0000-0x00000000022E0000-memory.dmp (1024KB)