Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
submitted: 05-07-2024 00:03
Static task: static1
Behavioral task: behavioral1
- Sample: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2 (this report; the memory dumps and platform below belong to this run)
- Sample: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
Target: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
Size: 2.9MB
MD5: 26bb23d8ead51c4caf1238b2062f2b5c
SHA1: a60b7e4f3778eef0466fad85fc47786d27343445
SHA256: 0d416c79c2d70388eafd89e7bb678a43df3ca3b0288a1f8d501fefaade44e1fb
SHA512: 8c0bc0f9cb94a0c525511212f1ab307ad718efaa793ba9a9b27090910fbe9fb79fe810e38d98247899036bee3a0e7a39d4e951b6f7113e665c9995d246dc442f
SSDEEP: 24576:VlMstY+vdjNHW2n2W0p5cozJTfNn5RA3uUDy/UroKpBTnltrCeGJfWHmLNo6oUSs:icCnM
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 10 IoCs)
Processes: reg.exe (4 instances)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\config32\config32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\config32\\config32.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot2.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Note: the misspelled label "Windows Messanger" is the sample's own string and can be matched as written. An exception is registered for C:\Users\Admin\AppData\Roaming\bot2.exe even though no bot2.exe appears among the files dropped in this run (see Downloads).
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
pid | process
1172 | config32.exe
2168 | config32.exe
780 | config32.exe
UPX-packed memory region (yara_rule: upx, 12 IoCs)
resource | yara_rule
behavioral2/memory/780-29-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-35-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-33-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-42-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-44-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-47-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-49-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-51-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-56-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-61-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-63-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral2/memory/780-70-0x0000000000400000-0x0000000000473000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key Name = "C:\\Users\\Admin\\AppData\\Roaming\\config32\\config32.exe" | reg.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: config32.exe
description | pid | process | target process
PID 1172 set thread context of 2168 | 1172 | config32.exe | config32.exe
PID 1172 set thread context of 780 | 1172 | config32.exe | config32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTP, 4 IoCs)
pid | process
1296 | reg.exe
2344 | reg.exe
2472 | reg.exe
880 | reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes: config32.exe (PID 2168), config32.exe (PID 780)
PID 2168 config32.exe: Token: SeDebugPrivilege
PID 780 config32.exe (35 events, in this order): 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
Note: the PID 780 sequence is the privilege LUIDs 1 through 35 in ascending order (the named entries are LUIDs 2 to 30; the sandbox left 1 and 31 to 35 unnamed, the latter being SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege). The process is enabling every privilege in its token rather than one it needs, a pattern worth matching on its own.
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | process
3948 | 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
1172 | config32.exe
2168 | config32.exe
780 | config32.exe (3 events)
Suspicious use of WriteProcessMemory (48 IoCs)
Processes: 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe, cmd.exe (5 instances), config32.exe (2 instances)
Grouped as writer -> target (number of events):
PID 3948 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe -> 4772 cmd.exe (3)
PID 4772 cmd.exe -> 4840 reg.exe (3)
PID 3948 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe -> 1172 config32.exe (3)
PID 1172 config32.exe -> 2168 config32.exe (7)
PID 1172 config32.exe -> 780 config32.exe (8)
PID 780 config32.exe -> 4088 cmd.exe (3)
PID 780 config32.exe -> 4316 cmd.exe (3)
PID 780 config32.exe -> 676 cmd.exe (3)
PID 780 config32.exe -> 1588 cmd.exe (3)
PID 676 cmd.exe -> 1296 reg.exe (3)
PID 1588 cmd.exe -> 2472 reg.exe (3)
PID 4088 cmd.exe -> 2344 reg.exe (3)
PID 4316 cmd.exe -> 880 reg.exe (3)
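The injection-related signatures above read together: config32.exe (PID 1172) starts two further instances of its own image, writes into them 7 and 8 times respectively (every ordinary child in this run, such as the cmd.exe instances, receives exactly 3 writes), and calls SetThreadContext on each. The dumped image region at 0x400000 is 28 KiB in PID 2168 and 460 KiB in PID 780, and only the PID 780 region matches the upx rule. That is the shape of process hollowing (a child of the parent's own image whose mapped image is replaced before its thread is redirected), although the report does not show creation flags or call order, so it remains an indicator rather than proof. The Python below is an added example, not part of the sandbox report or its tooling: it recomputes the region sizes from the dump file names and scores the SetThreadContext targets from the counts above. The write threshold of 4 is this example's own choice, set just above the 3 writes seen for plain child creation in this run.

```python
"""Correlate SetThreadContext, WriteProcessMemory and memory-dump evidence into
a process-hollowing indicator. Added example; events are transcribed from the
sandbox report above and the thresholds are this example's own choices."""
import re
from collections import Counter, defaultdict

# Constructed from the report: (parent pid, target pid, parent image, target image)
SET_THREAD_CONTEXT = [(1172, 2168, "config32.exe", "config32.exe"),
                      (1172, 780, "config32.exe", "config32.exe")]
# (writer pid, target pid), one tuple per WriteProcessMemory event in the report
WRITE_PROCESS_MEMORY = ([(3948, 4772)] * 3 + [(4772, 4840)] * 3 + [(3948, 1172)] * 3
                        + [(1172, 2168)] * 7 + [(1172, 780)] * 8 + [(780, 4088)] * 3)
# Dump names as listed under Downloads (one name per distinct region is enough)
DUMP_NAMES = ["memory/780-29-0x0000000000400000-0x0000000000473000-memory.dmp",
              "memory/780-70-0x0000000000400000-0x0000000000473000-memory.dmp",
              "memory/2168-20-0x0000000000400000-0x0000000000407000-memory.dmp"]
# Dump name -> YARA rule, as in the signatures section
YARA_HITS = {"behavioral2/memory/780-29-0x0000000000400000-0x0000000000473000-memory.dmp": "upx"}

DUMP_RE = re.compile(r"(?:behavioral\d+/)?memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")


def dump_regions(names):
    """Return {pid: {(base, size_bytes), ...}} parsed from sandbox dump file names."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m:
            base, end = int(m[2], 16), int(m[3], 16)
            regions[int(m[1])].add((base, end - base))
    return dict(regions)


def image_region_kib(regions, pid, base=0x400000):
    """Size in KiB of the region a PID has at the classic image base, or None."""
    sizes = [size for b, size in regions.get(pid, ()) if b == base]
    return sizes[0] // 1024 if sizes else None


def hollowing_candidates(stc, wpm, dump_names, yara_hits, min_writes=4):
    """Score every SetThreadContext target. A target is reported when its parent
    also wrote into it at least `min_writes` times and the two share an image
    name; dump sizes and YARA hits are attached as supporting reasons.
    Returns {target_pid: [reason, ...]}."""
    writes = Counter(wpm)
    regions = dump_regions(dump_names)
    packed = {int(DUMP_RE.fullmatch(n)[1]) for n in yara_hits if DUMP_RE.fullmatch(n)}
    out = {}
    for parent, target, parent_image, target_image in stc:
        n = writes[(parent, target)]
        if n < min_writes or parent_image.lower() != target_image.lower():
            continue
        reasons = [f"parent {parent} set the thread context of a child running its own image "
                   f"and wrote into it {n} times"]
        kib = image_region_kib(regions, target)
        if kib is not None:
            reasons.append(f"child image region at 0x400000 is {kib} KiB")
        if target in packed:
            reasons.append("dumped region matches the upx YARA rule")
        out[target] = reasons
    # Two children of the same image ending up with differently sized image
    # regions is itself telling: a different payload was placed in each.
    sizes = {pid: image_region_kib(regions, pid) for pid in out}
    if len({s for s in sizes.values() if s is not None}) > 1:
        detail = ", ".join(f"{p}={s} KiB" for p, s in sorted(sizes.items()))
        for pid in out:
            out[pid].append("siblings of the same image have different image-region sizes: " + detail)
    return out


if __name__ == "__main__":
    for pid, reasons in hollowing_candidates(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY,
                                             DUMP_NAMES, YARA_HITS).items():
        print(pid, *reasons, sep="\n  ")
```

The on-disk config32.exe is 2.9 MB, which is not a reliable comparison point for the 28 KiB and 460 KiB in-memory regions (an overlay is never mapped), so the example compares the two siblings against each other rather than against the file size.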
Processes (indentation shows depth; PIDs in brackets are taken from the signature tables above where the mapping is unambiguous)
[1] C:\Users\Admin\AppData\Local\Temp\26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe (PID 3948)
  command line: "C:\Users\Admin\AppData\Local\Temp\26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4772)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240626656.bat" "
    (the image resolved to SysWOW64 although the command line names system32: the 32-bit parent is subject to WOW64 file-system redirection)
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe (PID 4840)
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config32\config32.exe" /f
      - Adds Run key to start application
  [2] C:\Users\Admin\AppData\Roaming\config32\config32.exe (PID 1172)
    command line: "C:\Users\Admin\AppData\Roaming\config32\config32.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\config32\config32.exe (PID 2168)
      command line: "C:\Users\Admin\AppData\Roaming\config32\config32.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\AppData\Roaming\config32\config32.exe (PID 780)
      command line: "C:\Users\Admin\AppData\Roaming\config32\config32.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\config32\config32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config32\config32.exe:*:Enabled:Windows Messanger" /f
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\config32\config32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config32\config32.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot2.exe:*:Enabled:Windows Messanger" /f
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot2.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - Modifies registry key
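The two reg.exe chains in the tree are what a detection should key on: a batch file in %TEMP% adding a Run value that points into %APPDATA%, and config32.exe setting DoNotAllowExceptions to 0 and registering itself and bot2.exe under AuthorizedApplications\List. Two details matter when writing the rule. First, the command lines spell the key as HKLM\System\CurrentControlSet\... and HKCU\..., while the kernel registry events in the signatures record \REGISTRY\MACHINE\SYSTEM\ControlSet001\... and \REGISTRY\USER\<SID>\..., so anything that compares command lines with registry telemetry has to normalize both. Second, the path:scope:Enabled:name string written here is the pre-Vista firewall exception format; Windows 10 stores its firewall rules under FirewallPolicy\FirewallRules, so whether these values change the sandbox host's firewall at all should be verified rather than assumed, which does not reduce their value as an indicator. The Python below is an added example, not part of the report or of any sandbox tooling: it parses reg add command lines from constructed process-creation events, normalizes the key spellings, and flags the firewall and Run-key writes together with their process lineage. The events are transcribed from the tree; the cmd.exe/reg.exe PIDs are paired with command lines by their order in the tree, which the report does not state explicitly, and pid 5001 is a constructed benign control.

```python
"""Flag firewall-policy tampering and Run-key persistence in process-creation
telemetry. Added example, not part of the sandbox report. Events are transcribed
from the process tree above (cmd.exe/reg.exe PIDs paired with command lines by
tree order, an assumption); pid 5001 is a constructed benign control."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")
FW = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
APP = r"C:\Users\Admin\AppData\Roaming\bot2.exe"
EVENTS = [Event(*e) for e in [
    (3948, 0, r"C:\Users\Admin\AppData\Local\Temp\26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe"'),
    (4772, 3948, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240626656.bat" "'),
    (4840, 4772, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name" /t REG_SZ'
     r' /d "C:\Users\Admin\AppData\Roaming\config32\config32.exe" /f'),
    (780, 1172, r"C:\Users\Admin\AppData\Roaming\config32\config32.exe",
     r'"C:\Users\Admin\AppData\Roaming\config32\config32.exe"'),
    (4088, 780, r"C:\Windows\SysWOW64\cmd.exe",
     f'cmd /c REG ADD {FW} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (2344, 4088, r"C:\Windows\SysWOW64\reg.exe",
     f'REG ADD {FW} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (1588, 780, r"C:\Windows\SysWOW64\cmd.exe",
     f'cmd /c REG ADD {FW}\\AuthorizedApplications\\List /v "{APP}" /t REG_SZ /d "{APP}:*:Enabled:Windows Messanger" /f'),
    (2472, 1588, r"C:\Windows\SysWOW64\reg.exe",
     f'REG ADD {FW}\\AuthorizedApplications\\List /v "{APP}" /t REG_SZ /d "{APP}:*:Enabled:Windows Messanger" /f'),
    (5001, 5000, r"C:\Windows\System32\reg.exe",  # constructed benign control
     r'REG ADD HKCU\Software\Contoso\Agent /v LastRun /t REG_SZ /d 2024-07-05 /f'),
]]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
FIREWALL_POLICY = "HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\"


def normalize_key(key):
    # One upper-case spelling for the forms seen in command lines (HKLM, HKCU,
    # CurrentControlSet) and in kernel registry events (\REGISTRY\MACHINE,
    # \REGISTRY\USER\<SID>, ControlSet001). Folding any S-1-5-21 user SID to
    # HKCU is a simplification made for this example.
    k = key.strip("\\").upper()
    k = re.sub(r"^(REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE)\\", r"HKLM\\", k)
    k = re.sub(r"^(REGISTRY\\USER\\S-1-5-21-[\d-]+|HKEY_CURRENT_USER)\\", r"HKCU\\", k)
    return re.sub(r"^HKLM\\SYSTEM\\CONTROLSET\d{3}\\", r"HKLM\\SYSTEM\\CURRENTCONTROLSET\\", k)


def parse_reg_add(cmdline):
    """Return {key, name, data} for a 'reg add' command line, else None."""
    toks = [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]
    if len(toks) < 3 or toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe") \
            or toks[1].lower() != "add":
        return None
    entry = {"key": normalize_key(toks[2]), "name": "", "data": ""}
    for flag, value in zip(toks[3:], toks[4:] + [""]):  # each switch with the token after it
        if flag.lower() == "/v":
            entry["name"] = value
        elif flag.lower() == "/d":
            entry["data"] = value
    return entry


def assess(entry):
    """Findings for one parsed 'reg add'; an empty list means nothing of interest."""
    key, name, data = entry["key"], entry["name"].upper(), entry["data"]
    findings = []
    if key.startswith(FIREWALL_POLICY):
        if name == "DONOTALLOWEXCEPTIONS" and data.lower() in ("0", "0x0"):
            findings.append("firewall: exceptions allowed (DoNotAllowExceptions=0)")
        if "\\AUTHORIZEDAPPLICATIONS\\LIST" in key and data.count(":") >= 3:
            app, scope, state, label = data.rsplit(":", 3)  # path:scope:state:name; the path keeps its drive colon
            findings.append(f"firewall: {state} exception for {app} (scope {scope}, label {label!r})")
            if USER_WRITABLE.search(app):
                findings.append("firewall: exception target is in a user-writable path")
    if re.search(r"\\CURRENTVERSION\\RUN(ONCE)?$", key):
        findings.append(f"persistence: Run value {entry['name']!r} -> {data}")
        if USER_WRITABLE.search(data):
            findings.append("persistence: autostart target is in a user-writable path")
    return findings


def scan(events):
    """Return {pid: findings} for every reg.exe event that deserves a look."""
    by_pid = {e.pid: e for e in events}
    report = {}
    for e in events:
        entry = parse_reg_add(e.cmdline)
        findings = assess(entry) if entry else []
        if not findings:
            continue
        chain, pid = [], e.pid  # image basenames from this process up to the oldest known ancestor
        while pid in by_pid:
            chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
            pid = by_pid[pid].ppid
        # reg.exe run via cmd.exe by a binary in a user-writable path is the shape
        # of both the batch-file chain and the config32.exe chains in the report
        if len(chain) >= 3 and chain[1].lower() == "cmd.exe" \
                and USER_WRITABLE.search(by_pid[by_pid[e.ppid].ppid].image):
            findings.append("lineage: " + " <- ".join(chain))
        report[e.pid] = findings
    return report


if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        print(pid, *findings, sep="\n  ")
```

The benign control (pid 5001) parses cleanly but produces no findings, which is the point of keying on the firewall policy and Run keys rather than on reg.exe itself.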
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\240626656.bat
- Filesize: 145B
- MD5: b77388fc111c6b22d1bb7f3ef2215e3e
- SHA1: 1cf4c6479bf818854017ee9f52d268817e2d5ad9
- SHA256: 48dbb00f5aa2bbef24ee8a2b26bba729da3cf1e8cefd6a5eca52d4ecdff6a763
- SHA512: 87384d5b38dabc95f25f24e92379add06b4fa88aa7bac31c74129a3ff7140498c6a00825a9407887c038b234c9346432fed322fd6afda0febe4b371b591bb54c
C:\Users\Admin\AppData\Roaming\config32\config32.exe (same size as the submitted sample, but a different hash)
- Filesize: 2.9MB
- MD5: 2d7c33289a5e547e5c36ce171d87b5bd
- SHA1: af5000dd7e045f5183638d8eaf1afa90827f7053
- SHA256: 1264a9e23a3f07970691cda72a7329f9efa8ef73cb392511a1351ce67ccfa182
- SHA512: a6ff125de90a564bcba534ab89a4a843f416379917cbc6861413cf28cd6ea99b762cbf45a5042d929c9b5bfdb6a3c2c57044a2350309ace00ea4a41dbb77d887
Memory dumps (PID 780, region 0x0000000000400000-0x0000000000473000, Filesize 460KB each):
- memory/780-47-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-56-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-35-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-33-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-70-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-63-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-61-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-29-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-42-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-44-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-51-0x0000000000400000-0x0000000000473000-memory.dmp
- memory/780-49-0x0000000000400000-0x0000000000473000-memory.dmp
Memory dumps (PID 2168, region 0x0000000000400000-0x0000000000407000, Filesize 28KB each):
- memory/2168-20-0x0000000000400000-0x0000000000407000-memory.dmp
- memory/2168-41-0x0000000000400000-0x0000000000407000-memory.dmp
- memory/2168-23-0x0000000000400000-0x0000000000407000-memory.dmp
- memory/2168-24-0x0000000000400000-0x0000000000407000-memory.dmp
- memory/2168-27-0x0000000000400000-0x0000000000407000-memory.dmp