Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 20:08
Static task: static1
Behavioral task: behavioral1
- Sample: 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
- Size: 350KB
- MD5: 2619f1bcec24666f7ba94f5077474d88
- SHA1: f1596187510b18584d56c8f9f861cb87f62fe0fe
- SHA256: 30bc4b2410e5caa5cd4675c884e2010eab617f4860bddf0959d62d620d62025f
- SHA512: 252e70ae912b61528cd0904d8974e6a33b69de05c423e532d76c5c6679f970c1a2eab8b7978f46b415746ec0fa1306e689c66ce28df77e662f7206960c15c37f
- SSDEEP: 6144:gDCwfG1bnxLERR9sadDCwfG1bnxLERR9sat:g72bntEL9/d72bntEL9/t
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
  Processes: 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe, avscan.exe, hosts.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe

- Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
  Processes: avscan.exe, hosts.exe, 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe

- Adds policy Run key to start application (2 TTPs, 6 IoCs)
  Processes: WScript.exe, WScript.exe, WScript.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" | WScript.exe

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: cmd.exe, cmd.exe, cmd.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | cmd.exe

- Executes dropped EXE (6 IoCs)
  Processes: avscan.exe, avscan.exe, hosts.exe, hosts.exe, avscan.exe, hosts.exe
  pid | process
  1976 | avscan.exe
  4368 | avscan.exe
  1856 | hosts.exe
  1992 | hosts.exe
  3252 | avscan.exe
  5096 | hosts.exe

- Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
  Processes: REG.exe
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | REG.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | REG.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | REG.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | REG.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | REG.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | REG.exe

- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: avscan.exe, hosts.exe, 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe

- Drops file in Windows directory (5 IoCs)
  Processes: 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe, avscan.exe, hosts.exe
  description | ioc | process
  File created | C:\windows\W_X_C.vbs | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  File created | \??\c:\windows\W_X_C.bat | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  File opened for modification | C:\Windows\hosts.exe | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  File opened for modification | C:\Windows\hosts.exe | avscan.exe
  File opened for modification | C:\Windows\hosts.exe | hosts.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (4 IoCs)
  Processes: cmd.exe, 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe, cmd.exe, cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe

- Modifies registry key (1 TTPs, 9 IoCs)
  Processes: REG.exe (9 instances)
  pid | process
  2900 | REG.exe
  3956 | REG.exe
  4764 | REG.exe
  2972 | REG.exe
  4432 | REG.exe
  2844 | REG.exe
  2560 | REG.exe
  2472 | REG.exe
  2280 | REG.exe

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: avscan.exe, hosts.exe
  pid | process
  1976 | avscan.exe
  1992 | hosts.exe

- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe, avscan.exe, avscan.exe, hosts.exe, hosts.exe, avscan.exe, hosts.exe
  pid | process
  2280 | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  1976 | avscan.exe
  4368 | avscan.exe
  1856 | hosts.exe
  1992 | hosts.exe
  3252 | avscan.exe
  5096 | hosts.exe

- Suspicious use of WriteProcessMemory (63 IoCs)
  Processes: 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe, avscan.exe, cmd.exe, cmd.exe, hosts.exe, cmd.exe
  description | pid | process | target process
  PID 2280 wrote to memory of 2900 | 2280 | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe | REG.exe
  PID 2280 wrote to memory of 2900 | 2280 | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe | REG.exe
  PID 2280 wrote to memory of 2900 | 2280 | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe | REG.exe
  PID 2280 wrote to memory of 1976 | 2280 | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe | avscan.exe
  PID 2280 wrote to memory of 1976 | 2280 | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe | avscan.exe
  PID 2280 wrote to memory of 1976 | 2280 | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe | avscan.exe
  PID 1976 wrote to memory of 4368 | 1976 | avscan.exe | avscan.exe
  PID 1976 wrote to memory of 4368 | 1976 | avscan.exe | avscan.exe
  PID 1976 wrote to memory of 4368 | 1976 | avscan.exe | avscan.exe
  PID 1976 wrote to memory of 2260 | 1976 | avscan.exe | cmd.exe
  PID 1976 wrote to memory of 2260 | 1976 | avscan.exe | cmd.exe
  PID 1976 wrote to memory of 2260 | 1976 | avscan.exe | cmd.exe
  PID 2280 wrote to memory of 2096 | 2280 | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe | cmd.exe
  PID 2280 wrote to memory of 2096 | 2280 | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe | cmd.exe
  PID 2280 wrote to memory of 2096 | 2280 | 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe | cmd.exe
  PID 2260 wrote to memory of 1992 | 2260 | cmd.exe | hosts.exe
  PID 2260 wrote to memory of 1992 | 2260 | cmd.exe | hosts.exe
  PID 2260 wrote to memory of 1992 | 2260 | cmd.exe | hosts.exe
  PID 2096 wrote to memory of 1856 | 2096 | cmd.exe | hosts.exe
  PID 2096 wrote to memory of 1856 | 2096 | cmd.exe | hosts.exe
  PID 2096 wrote to memory of 1856 | 2096 | cmd.exe | hosts.exe
  PID 1992 wrote to memory of 3252 | 1992 | hosts.exe | avscan.exe
  PID 1992 wrote to memory of 3252 | 1992 | hosts.exe | avscan.exe
  PID 1992 wrote to memory of 3252 | 1992 | hosts.exe | avscan.exe
  PID 2096 wrote to memory of 4652 | 2096 | cmd.exe | WScript.exe
  PID 2096 wrote to memory of 4652 | 2096 | cmd.exe | WScript.exe
  PID 2096 wrote to memory of 4652 | 2096 | cmd.exe | WScript.exe
  PID 1992 wrote to memory of 3512 | 1992 | hosts.exe | cmd.exe
  PID 1992 wrote to memory of 3512 | 1992 | hosts.exe | cmd.exe
  PID 1992 wrote to memory of 3512 | 1992 | hosts.exe | cmd.exe
  PID 2260 wrote to memory of 3628 | 2260 | cmd.exe | WScript.exe
  PID 2260 wrote to memory of 3628 | 2260 | cmd.exe | WScript.exe
  PID 2260 wrote to memory of 3628 | 2260 | cmd.exe | WScript.exe
  PID 3512 wrote to memory of 5096 | 3512 | cmd.exe | hosts.exe
  PID 3512 wrote to memory of 5096 | 3512 | cmd.exe | hosts.exe
  PID 3512 wrote to memory of 5096 | 3512 | cmd.exe | hosts.exe
  PID 3512 wrote to memory of 4996 | 3512 | cmd.exe | WScript.exe
  PID 3512 wrote to memory of 4996 | 3512 | cmd.exe | WScript.exe
  PID 3512 wrote to memory of 4996 | 3512 | cmd.exe | WScript.exe
  PID 1976 wrote to memory of 4432 | 1976 | avscan.exe | REG.exe
  PID 1976 wrote to memory of 4432 | 1976 | avscan.exe | REG.exe
  PID 1976 wrote to memory of 4432 | 1976 | avscan.exe | REG.exe
  PID 1992 wrote to memory of 3956 | 1992 | hosts.exe | REG.exe
  PID 1992 wrote to memory of 3956 | 1992 | hosts.exe | REG.exe
  PID 1992 wrote to memory of 3956 | 1992 | hosts.exe | REG.exe
  PID 1976 wrote to memory of 2844 | 1976 | avscan.exe | REG.exe
  PID 1976 wrote to memory of 2844 | 1976 | avscan.exe | REG.exe
  PID 1976 wrote to memory of 2844 | 1976 | avscan.exe | REG.exe
  PID 1992 wrote to memory of 4764 | 1992 | hosts.exe | REG.exe
  PID 1992 wrote to memory of 4764 | 1992 | hosts.exe | REG.exe
  PID 1992 wrote to memory of 4764 | 1992 | hosts.exe | REG.exe
  PID 1976 wrote to memory of 2560 | 1976 | avscan.exe | REG.exe
  PID 1976 wrote to memory of 2560 | 1976 | avscan.exe | REG.exe
  PID 1976 wrote to memory of 2560 | 1976 | avscan.exe | REG.exe
  PID 1992 wrote to memory of 2972 | 1992 | hosts.exe | REG.exe
  PID 1992 wrote to memory of 2972 | 1992 | hosts.exe | REG.exe
  PID 1992 wrote to memory of 2972 | 1992 | hosts.exe | REG.exe
  PID 1976 wrote to memory of 2472 | 1976 | avscan.exe | REG.exe
  PID 1976 wrote to memory of 2472 | 1976 | avscan.exe | REG.exe
  PID 1976 wrote to memory of 2472 | 1976 | avscan.exe | REG.exe
  PID 1992 wrote to memory of 2280 | 1992 | hosts.exe | REG.exe
  PID 1992 wrote to memory of 2280 | 1992 | hosts.exe | REG.exe
  PID 1992 wrote to memory of 2280 | 1992 | hosts.exe | REG.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe"
  Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Adds Run key to start application; Drops file in Windows directory; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\REG.exe
    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    Signatures: Impair Defenses: Safe Mode Boot; Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
      - C:\windows\hosts.exe
        Command line: C:\windows\hosts.exe
        Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\avscan.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
          Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
          - C:\windows\hosts.exe
            Command line: C:\windows\hosts.exe
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            Signatures: Adds policy Run key to start application
        - C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
      - C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        Signatures: Adds policy Run key to start application
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\windows\hosts.exe
      Command line: C:\windows\hosts.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      Signatures: Adds policy Run key to start application
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  Filesize: 350KB
  MD5: 08e45dc6201e414e60ef740e7a39bfbe
  SHA1: 2ef09265caf5ae9932a8aa17294ad5850d5b9876
  SHA256: bd832854abafbddaaff641a77c39844a9c844ea9e72d3603d7d0d19c6b206163
  SHA512: 56fc77e20a7ed563968e0c2e3eedfc3e691790782eebd9688667cf45cf43a527ce735b95a4172d85b62cf4eb7e40474980aa633a50292a8ed3a7f5bce0d8dbb8
- C:\Windows\W_X_C.vbs
  Filesize: 195B
  MD5: 2bf5a187f48b0e3c967d35345b39cf75
  SHA1: 5dc7cfa3b9818baa039314fd49d38825a88f30f2
  SHA256: 9676e777e8eec50aa91525d3c0ed7c17047ddf363cb28a83a474c2840cd4c7b1
  SHA512: 1f0c2d5fadc2304f910caf7569a968b1824687cb57dd8f470dc67b8262cb009809c83ea626f2f99d9ce4e8113efb46c53b979f6dc3113433f7503ca4d119e16c
- C:\Windows\hosts.exe
  Filesize: 350KB
  MD5: b4ae433ec4f9b34cbf3109a2a2b6ec3f
  SHA1: 098d1b5558113abc431a1a0e41704a8b0ee2f107
  SHA256: d62b1b5bfd1bbc1e9b24a7448ecbfd6412e1ddcf7bf216b41961234f5a5fcdef
  SHA512: c759d2eb0154c2bab466d4a2d990a1fb9ee6efeff95333ea6c974f03bbd2dc932cb8a346f7de207775bf28f7f0caab68ab4a20d926b7c3d3eaa91cb392df9989
- \??\c:\windows\W_X_C.bat
  Filesize: 336B
  MD5: 4db9f8b6175722b62ececeeeba1ce307
  SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
  SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
  SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b