Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 20:46
Static task: static1
Behavioral task: behavioral1
- Sample: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
- Target: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
- Size: 769KB
- MD5: 2626e3ceb0a5959eb1a4eafe724234ad
- SHA1: 60410283e2430c9667e2d3c58da0f94ed4dd9bb3
- SHA256: 7c3b108ec6887eea992b1883c8640a8f42aa5826eeceb3336982b879ed350077
- SHA512: 022434bdc0b4c039d4cdd11da7d8a14ad9612d13f22f4ded3e5191f0734421cb052e9c7f16434b229cacad6133b5ba397e6c5e08c1bb285f02e78c8327c20ac5
- SSDEEP: 12288:g72bnuJ2372bnuJ2K72bnuJ2372bnuJ24D:g72zV72zQ72zV72zO
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
  Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, hosts.exe
  - Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: avscan.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: hosts.exe)
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
  Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, hosts.exe
  - Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: avscan.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: hosts.exe)
- Adds policy Run key to start application (2 TTPs, 6 IoCs)
  Processes: WScript.exe, WScript.exe, WScript.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WScript.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KGOEYKGQ = "W_X_C.bat" (process: WScript.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WScript.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KGOEYKGQ = "W_X_C.bat" (process: WScript.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: WScript.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KGOEYKGQ = "W_X_C.bat" (process: WScript.exe)
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: cmd.exe, cmd.exe, cmd.exe
  - Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
- Executes dropped EXE (6 IoCs)
  Processes (PID, process): 3584 avscan.exe; 2592 avscan.exe; 2060 hosts.exe; 2728 hosts.exe; 2480 avscan.exe; 4896 hosts.exe
- Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  Processes: REG.exe
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (process: REG.exe)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (process: REG.exe)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (process: REG.exe)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (process: REG.exe)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (process: REG.exe)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (process: REG.exe)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, hosts.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (process: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (process: avscan.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (process: hosts.exe)
- Drops file in Windows directory (5 IoCs)
  Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, hosts.exe
  - File created C:\windows\W_X_C.vbs (process: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe)
  - File created \??\c:\windows\W_X_C.bat (process: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe)
  - File opened for modification C:\Windows\hosts.exe (process: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe)
  - File opened for modification C:\Windows\hosts.exe (process: avscan.exe)
  - File opened for modification C:\Windows\hosts.exe (process: hosts.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (4 IoCs)
  Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, cmd.exe, cmd.exe, cmd.exe
  - Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings (process: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings (process: cmd.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings (process: cmd.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings (process: cmd.exe)
- Modifies registry key (1 TTP, 9 IoCs)
  Processes (PID, process): 464 REG.exe; 1964 REG.exe; 4216 REG.exe; 4908 REG.exe; 3140 REG.exe; 2436 REG.exe; 3992 REG.exe; 2804 REG.exe; 3996 REG.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes (PID, process): 3584 avscan.exe; 2060 hosts.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes (PID, process): 1800 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe; 3584 avscan.exe; 2592 avscan.exe; 2060 hosts.exe; 2728 hosts.exe; 2480 avscan.exe; 4896 hosts.exe
- Suspicious use of WriteProcessMemory (63 IoCs)
  Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, cmd.exe, cmd.exe, hosts.exe, cmd.exe
  Each of the 21 parent/child pairs below is logged three times in the raw report (source PID wrote to memory of target PID; source process; target process):
  - 1800 -> 3996: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe -> REG.exe
  - 1800 -> 3584: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe -> avscan.exe
  - 3584 -> 2592: avscan.exe -> avscan.exe
  - 3584 -> 2988: avscan.exe -> cmd.exe
  - 1800 -> 2076: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe -> cmd.exe
  - 2988 -> 2060: cmd.exe -> hosts.exe
  - 2076 -> 2728: cmd.exe -> hosts.exe
  - 2060 -> 2480: hosts.exe -> avscan.exe
  - 2060 -> 5052: hosts.exe -> cmd.exe
  - 2076 -> 792: cmd.exe -> WScript.exe
  - 2988 -> 2424: cmd.exe -> WScript.exe
  - 5052 -> 4896: cmd.exe -> hosts.exe
  - 5052 -> 5044: cmd.exe -> WScript.exe
  - 3584 -> 4216: avscan.exe -> REG.exe
  - 2060 -> 4908: hosts.exe -> REG.exe
  - 3584 -> 3140: avscan.exe -> REG.exe
  - 2060 -> 2436: hosts.exe -> REG.exe
  - 3584 -> 1964: avscan.exe -> REG.exe
  - 2060 -> 3992: hosts.exe -> REG.exe
  - 3584 -> 2804: avscan.exe -> REG.exe
  - 2060 -> 464: hosts.exe -> REG.exe
Processes (tree; indentation shows the parent/child depth reported by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe"
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\REG.exe (depth 2)
    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    - Impair Defenses: Safe Mode Boot
    - Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\avscan.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\avscan.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - C:\windows\hosts.exe (depth 4)
        Command line: C:\windows\hosts.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\avscan.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
          - Checks computer location settings
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          - C:\windows\hosts.exe (depth 6)
            Command line: C:\windows\hosts.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\WScript.exe (depth 6)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            - Adds policy Run key to start application
        - C:\Windows\SysWOW64\REG.exe (depth 5)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
        - C:\Windows\SysWOW64\REG.exe (depth 5)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
        - C:\Windows\SysWOW64\REG.exe (depth 5)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
        - C:\Windows\SysWOW64\REG.exe (depth 5)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
      - C:\Windows\SysWOW64\WScript.exe (depth 4)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        - Adds policy Run key to start application
    - C:\Windows\SysWOW64\REG.exe (depth 3)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key
    - C:\Windows\SysWOW64\REG.exe (depth 3)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key
    - C:\Windows\SysWOW64\REG.exe (depth 3)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key
    - C:\Windows\SysWOW64\REG.exe (depth 3)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\windows\hosts.exe (depth 3)
      Command line: C:\windows\hosts.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WScript.exe (depth 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      - Adds policy Run key to start application
- C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  Filesize: 769KB
  MD5: b2a643c81259e9b93b0d876aad174c1e
  SHA1: 527fa60a31e1bf620a46db9d549349265d89f071
  SHA256: 9583639b101e4939bff1592c6fa54e49ab1e0bb68a62a40834debe27e8d0bdc2
  SHA512: aaf21617445451425dc11760664d206ae5f61eeeca340d1b105af8dc28b3e8a3b2b1970e07b0b671bf37ce41dcbb83677828bf8d468c52da3e72d818bfab58c5
- C:\Windows\W_X_C.vbs
  Filesize: 195B
  MD5: 68948c74a3d8b365ad157fb7602ce4d3
  SHA1: 9c962e56c2f9b5595e8292c2e16aa398942ca5c0
  SHA256: 78e4c3ff9b1f0ba58586e92a519f8d061ca414ef66cb92e2422f02e21678a4ae
  SHA512: cdd0ef6665159130e42fcbb4ce72ae72c133a219465939a21407914ff4a1eaef0935499e1a7f2558821e967ce941f7314e7cdcba7e8f559598f3fbf26139ebbe
- C:\Windows\hosts.exe
  Filesize: 769KB
  MD5: e39e2cc35ccbec8533c1c1a3815723c8
  SHA1: dd5c8bf74de367100e983b6a261118a1d68efd8a
  SHA256: 7d26438ec44dce6f4072c4c2be0679b5ae605225fafdec697fc0fb7bc2a433b2
  SHA512: 17ee2a371d4c6dfbd86980cfba7a5667bbc580dfc3d3cd24b9d0b58eb04196dfffa3279d59dff4c436386af338085bd74bf9b3975e09bf635a44803f56bc8f67
- \??\c:\windows\W_X_C.bat
  Filesize: 336B
  MD5: 4db9f8b6175722b62ececeeeba1ce307
  SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
  SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
  SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b