Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 05-07-2024 00:03

Static task: static1
Behavioral task: behavioral1
  Sample: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
  Resource: win10v2004-20240704-en

General
Target: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
Size: 2.9MB
MD5: 26bb23d8ead51c4caf1238b2062f2b5c
SHA1: a60b7e4f3778eef0466fad85fc47786d27343445
SHA256: 0d416c79c2d70388eafd89e7bb678a43df3ca3b0288a1f8d501fefaade44e1fb
SHA512: 8c0bc0f9cb94a0c525511212f1ab307ad718efaa793ba9a9b27090910fbe9fb79fe810e38d98247899036bee3a0e7a39d4e951b6f7113e665c9995d246dc442f
SSDEEP: 24576:VlMstY+vdjNHW2n2W0p5cozJTfNn5RA3uUDy/UroKpBTnltrCeGJfWHmLNo6oUSs:icCnM
Malware Config
Signatures
- Modifies firewall policy service (3 TTPs, 8 IoCs)
  Processes: reg.exe, reg.exe, reg.exe, reg.exe
  process | description | ioc
  reg.exe | Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot2.exe:*:Enabled:Windows Messanger"
  reg.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  reg.exe | Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\config32\config32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\config32\\config32.exe:*:Enabled:Windows Messanger"
  reg.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  reg.exe | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  reg.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  reg.exe | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  reg.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Executes dropped EXE (3 IoCs)
  Processes: config32.exe, config32.exe, config32.exe
  pid | process
  2716 | config32.exe
  2516 | config32.exe
  2540 | config32.exe
- Loads dropped DLL (5 IoCs)
  Processes: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
  pid | process
  348 | 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
  348 | 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
  348 | 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
  348 | 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
  348 | 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
- Processes (yara rule matches):
  resource | yara_rule
  behavioral1/memory/2540-47-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-50-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-51-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-52-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-59-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-61-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-64-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-66-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-68-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-71-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-73-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-75-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-78-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-80-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-82-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-85-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-87-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/2540-89-0x0000000000400000-0x0000000000473000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: reg.exe
  process | description | ioc
  reg.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key Name = "C:\\Users\\Admin\\AppData\\Roaming\\config32\\config32.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: config32.exe
  pid | process | description | target pid | target process
  2716 | config32.exe | set thread context of | 2516 | config32.exe
  2716 | config32.exe | set thread context of | 2540 | config32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 4 IoCs)
  Processes: reg.exe, reg.exe, reg.exe, reg.exe
  pid | process
  2480 | reg.exe
  2580 | reg.exe
  2784 | reg.exe
  2676 | reg.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes: config32.exe, config32.exe
  pid | process | token
  2516 | config32.exe | SeDebugPrivilege
  2540 | config32.exe | 1
  2540 | config32.exe | SeCreateTokenPrivilege
  2540 | config32.exe | SeAssignPrimaryTokenPrivilege
  2540 | config32.exe | SeLockMemoryPrivilege
  2540 | config32.exe | SeIncreaseQuotaPrivilege
  2540 | config32.exe | SeMachineAccountPrivilege
  2540 | config32.exe | SeTcbPrivilege
  2540 | config32.exe | SeSecurityPrivilege
  2540 | config32.exe | SeTakeOwnershipPrivilege
  2540 | config32.exe | SeLoadDriverPrivilege
  2540 | config32.exe | SeSystemProfilePrivilege
  2540 | config32.exe | SeSystemtimePrivilege
  2540 | config32.exe | SeProfSingleProcessPrivilege
  2540 | config32.exe | SeIncBasePriorityPrivilege
  2540 | config32.exe | SeCreatePagefilePrivilege
  2540 | config32.exe | SeCreatePermanentPrivilege
  2540 | config32.exe | SeBackupPrivilege
  2540 | config32.exe | SeRestorePrivilege
  2540 | config32.exe | SeShutdownPrivilege
  2540 | config32.exe | SeDebugPrivilege
  2540 | config32.exe | SeAuditPrivilege
  2540 | config32.exe | SeSystemEnvironmentPrivilege
  2540 | config32.exe | SeChangeNotifyPrivilege
  2540 | config32.exe | SeRemoteShutdownPrivilege
  2540 | config32.exe | SeUndockPrivilege
  2540 | config32.exe | SeSyncAgentPrivilege
  2540 | config32.exe | SeEnableDelegationPrivilege
  2540 | config32.exe | SeManageVolumePrivilege
  2540 | config32.exe | SeImpersonatePrivilege
  2540 | config32.exe | SeCreateGlobalPrivilege
  2540 | config32.exe | 31
  2540 | config32.exe | 32
  2540 | config32.exe | 33
  2540 | config32.exe | 34
  2540 | config32.exe | 35
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe, config32.exe, config32.exe, config32.exe
  pid | process
  348 | 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
  2716 | config32.exe
  2516 | config32.exe
  2540 | config32.exe
  2540 | config32.exe
  2540 | config32.exe
- Suspicious use of WriteProcessMemory (61 IoCs)
  Processes: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe, cmd.exe, config32.exe, config32.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  Description for every row: "wrote to memory of". Identical rows are collapsed; the count column gives how many times each row appears in the report (61 in total).
  pid | process | target pid | target process | count
  348 | 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe | 2348 | cmd.exe | 4
  2348 | cmd.exe | 2692 | reg.exe | 4
  348 | 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe | 2716 | config32.exe | 4
  2716 | config32.exe | 2516 | config32.exe | 8
  2716 | config32.exe | 2540 | config32.exe | 9
  2540 | config32.exe | 2564 | cmd.exe | 4
  2540 | config32.exe | 2916 | cmd.exe | 4
  2540 | config32.exe | 2968 | cmd.exe | 4
  2540 | config32.exe | 1232 | cmd.exe | 4
  2916 | cmd.exe | 2480 | reg.exe | 4
  2968 | cmd.exe | 2580 | reg.exe | 4
  2564 | cmd.exe | 2784 | reg.exe | 4
  1232 | cmd.exe | 2676 | reg.exe | 4
Processes (process tree; indentation gives the depth level from the original report)
- [1] C:\Users\Admin\AppData\Local\Temp\26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259399788.bat" "
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config32\config32.exe" /f
      - Adds Run key to start application
  - [2] C:\Users\Admin\AppData\Roaming\config32\config32.exe
    Command line: "C:\Users\Admin\AppData\Roaming\config32\config32.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\config32\config32.exe
      Command line: "C:\Users\Admin\AppData\Roaming\config32\config32.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    - [3] C:\Users\Admin\AppData\Roaming\config32\config32.exe
      Command line: "C:\Users\Admin\AppData\Roaming\config32\config32.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - Modifies registry key
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\config32\config32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config32\config32.exe:*:Enabled:Windows Messanger" /f
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\config32\config32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config32\config32.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - Modifies registry key
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - Modifies registry key
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot2.exe:*:Enabled:Windows Messanger" /f
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot2.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - Modifies registry key
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\259399788.bat
  Filesize: 145B
  MD5: b77388fc111c6b22d1bb7f3ef2215e3e
  SHA1: 1cf4c6479bf818854017ee9f52d268817e2d5ad9
  SHA256: 48dbb00f5aa2bbef24ee8a2b26bba729da3cf1e8cefd6a5eca52d4ecdff6a763
  SHA512: 87384d5b38dabc95f25f24e92379add06b4fa88aa7bac31c74129a3ff7140498c6a00825a9407887c038b234c9346432fed322fd6afda0febe4b371b591bb54c
- \Users\Admin\AppData\Roaming\config32\config32.exe
  Filesize: 2.9MB
  MD5: 2d7c33289a5e547e5c36ce171d87b5bd
  SHA1: af5000dd7e045f5183638d8eaf1afa90827f7053
  SHA256: 1264a9e23a3f07970691cda72a7329f9efa8ef73cb392511a1351ce67ccfa182
  SHA512: a6ff125de90a564bcba534ab89a4a843f416379917cbc6861413cf28cd6ea99b762cbf45a5042d929c9b5bfdb6a3c2c57044a2350309ace00ea4a41dbb77d887
- memory/2516-58-0x0000000000400000-0x0000000000407000-memory.dmp (Filesize: 28KB)
- memory/2516-44-0x0000000000400000-0x0000000000407000-memory.dmp (Filesize: 28KB)
- memory/2516-42-0x0000000000400000-0x0000000000407000-memory.dmp (Filesize: 28KB)
- memory/2516-41-0x0000000000400000-0x0000000000407000-memory.dmp (Filesize: 28KB)
- memory/2516-38-0x0000000000400000-0x0000000000407000-memory.dmp (Filesize: 28KB)
- memory/2540-61-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-71-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-52-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-50-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-59-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-47-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-64-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-66-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-68-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-51-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-73-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-75-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-78-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-80-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-82-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-85-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-87-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)
- memory/2540-89-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize: 460KB)