0d416c79c2d70388eafd89e7bb678a43df3ca3b0288a1f8d501fefaade44e1fb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
Size

2.9MB
MD5

26bb23d8ead51c4caf1238b2062f2b5c
SHA1

a60b7e4f3778eef0466fad85fc47786d27343445
SHA256

0d416c79c2d70388eafd89e7bb678a43df3ca3b0288a1f8d501fefaade44e1fb
SHA512

8c0bc0f9cb94a0c525511212f1ab307ad718efaa793ba9a9b27090910fbe9fb79fe810e38d98247899036bee3a0e7a39d4e951b6f7113e665c9995d246dc442f
SSDEEP

24576:VlMstY+vdjNHW2n2W0p5cozJTfNn5RA3uUDy/UroKpBTnltrCeGJfWHmLNo6oUSs:icCnM

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\config32\config32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\config32\\config32.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot2.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
Executes dropped EXE 3 IoCs

Processes:

config32.execonfig32.execonfig32.exe

pid process

1172 config32.exe
2168 config32.exe
780 config32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe

pid	process
1172	config32.exe
2168	config32.exe
780	config32.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/780-29-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-35-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-33-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-42-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-44-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-47-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-49-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-51-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-56-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-61-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-63-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/780-70-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key Name = "C:\\Users\\Admin\\AppData\\Roaming\\config32\\config32.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

config32.exe

description pid process target process

PID 1172 set thread context of 2168 1172 config32.exe config32.exe
PID 1172 set thread context of 780 1172 config32.exe config32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1296 reg.exe
2344 reg.exe
2472 reg.exe
880 reg.exe

description	pid	process	target process
PID 1172 set thread context of 2168	1172	config32.exe	config32.exe
PID 1172 set thread context of 780	1172	config32.exe	config32.exe

pid	process
1296	reg.exe
2344	reg.exe
2472	reg.exe
880	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

config32.execonfig32.exe

description	pid	process
Token: SeDebugPrivilege	2168	config32.exe
Token: 1	780	config32.exe
Token: SeCreateTokenPrivilege	780	config32.exe
Token: SeAssignPrimaryTokenPrivilege	780	config32.exe
Token: SeLockMemoryPrivilege	780	config32.exe
Token: SeIncreaseQuotaPrivilege	780	config32.exe
Token: SeMachineAccountPrivilege	780	config32.exe
Token: SeTcbPrivilege	780	config32.exe
Token: SeSecurityPrivilege	780	config32.exe
Token: SeTakeOwnershipPrivilege	780	config32.exe
Token: SeLoadDriverPrivilege	780	config32.exe
Token: SeSystemProfilePrivilege	780	config32.exe
Token: SeSystemtimePrivilege	780	config32.exe
Token: SeProfSingleProcessPrivilege	780	config32.exe
Token: SeIncBasePriorityPrivilege	780	config32.exe
Token: SeCreatePagefilePrivilege	780	config32.exe
Token: SeCreatePermanentPrivilege	780	config32.exe
Token: SeBackupPrivilege	780	config32.exe
Token: SeRestorePrivilege	780	config32.exe
Token: SeShutdownPrivilege	780	config32.exe
Token: SeDebugPrivilege	780	config32.exe
Token: SeAuditPrivilege	780	config32.exe
Token: SeSystemEnvironmentPrivilege	780	config32.exe
Token: SeChangeNotifyPrivilege	780	config32.exe
Token: SeRemoteShutdownPrivilege	780	config32.exe
Token: SeUndockPrivilege	780	config32.exe
Token: SeSyncAgentPrivilege	780	config32.exe
Token: SeEnableDelegationPrivilege	780	config32.exe
Token: SeManageVolumePrivilege	780	config32.exe
Token: SeImpersonatePrivilege	780	config32.exe
Token: SeCreateGlobalPrivilege	780	config32.exe
Token: 31	780	config32.exe
Token: 32	780	config32.exe
Token: 33	780	config32.exe
Token: 34	780	config32.exe
Token: 35	780	config32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.execonfig32.execonfig32.execonfig32.exe

pid process

3948 26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
1172 config32.exe
2168 config32.exe
780 config32.exe
780 config32.exe
780 config32.exe

pid	process
3948	26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
1172	config32.exe
2168	config32.exe
780	config32.exe
780	config32.exe
780	config32.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.execmd.execonfig32.execonfig32.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3948 wrote to memory of 4772	3948	26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe	cmd.exe
PID 3948 wrote to memory of 4772	3948	26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe	cmd.exe
PID 3948 wrote to memory of 4772	3948	26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe	cmd.exe
PID 4772 wrote to memory of 4840	4772	cmd.exe	reg.exe
PID 4772 wrote to memory of 4840	4772	cmd.exe	reg.exe
PID 4772 wrote to memory of 4840	4772	cmd.exe	reg.exe
PID 3948 wrote to memory of 1172	3948	26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe	config32.exe
PID 3948 wrote to memory of 1172	3948	26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe	config32.exe
PID 3948 wrote to memory of 1172	3948	26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe	config32.exe
PID 1172 wrote to memory of 2168	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 2168	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 2168	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 2168	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 2168	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 2168	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 2168	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 780	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 780	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 780	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 780	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 780	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 780	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 780	1172	config32.exe	config32.exe
PID 1172 wrote to memory of 780	1172	config32.exe	config32.exe
PID 780 wrote to memory of 4088	780	config32.exe	cmd.exe
PID 780 wrote to memory of 4088	780	config32.exe	cmd.exe
PID 780 wrote to memory of 4088	780	config32.exe	cmd.exe
PID 780 wrote to memory of 4316	780	config32.exe	cmd.exe
PID 780 wrote to memory of 4316	780	config32.exe	cmd.exe
PID 780 wrote to memory of 4316	780	config32.exe	cmd.exe
PID 780 wrote to memory of 676	780	config32.exe	cmd.exe
PID 780 wrote to memory of 676	780	config32.exe	cmd.exe
PID 780 wrote to memory of 676	780	config32.exe	cmd.exe
PID 780 wrote to memory of 1588	780	config32.exe	cmd.exe
PID 780 wrote to memory of 1588	780	config32.exe	cmd.exe
PID 780 wrote to memory of 1588	780	config32.exe	cmd.exe
PID 676 wrote to memory of 1296	676	cmd.exe	reg.exe
PID 676 wrote to memory of 1296	676	cmd.exe	reg.exe
PID 676 wrote to memory of 1296	676	cmd.exe	reg.exe
PID 1588 wrote to memory of 2472	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 2472	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 2472	1588	cmd.exe	reg.exe
PID 4088 wrote to memory of 2344	4088	cmd.exe	reg.exe
PID 4088 wrote to memory of 2344	4088	cmd.exe	reg.exe
PID 4088 wrote to memory of 2344	4088	cmd.exe	reg.exe
PID 4316 wrote to memory of 880	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 880	4316	cmd.exe	reg.exe
PID 4316 wrote to memory of 880	4316	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26bb23d8ead51c4caf1238b2062f2b5c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240626656.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config32\config32.exe" /f
3⤵
- Adds Run key to start application
PID:4840

C:\Users\Admin\AppData\Roaming\config32\config32.exe
"C:\Users\Admin\AppData\Roaming\config32\config32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Roaming\config32\config32.exe
"C:\Users\Admin\AppData\Roaming\config32\config32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Users\Admin\AppData\Roaming\config32\config32.exe
"C:\Users\Admin\AppData\Roaming\config32\config32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\config32\config32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config32\config32.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\config32\config32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config32\config32.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot2.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot2.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:2472

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240626656.bat
Filesize
145B

MD5
b77388fc111c6b22d1bb7f3ef2215e3e

SHA1
1cf4c6479bf818854017ee9f52d268817e2d5ad9

SHA256
48dbb00f5aa2bbef24ee8a2b26bba729da3cf1e8cefd6a5eca52d4ecdff6a763

SHA512
87384d5b38dabc95f25f24e92379add06b4fa88aa7bac31c74129a3ff7140498c6a00825a9407887c038b234c9346432fed322fd6afda0febe4b371b591bb54c

Download Submit
C:\Users\Admin\AppData\Roaming\config32\config32.exe
Filesize
2.9MB

MD5
2d7c33289a5e547e5c36ce171d87b5bd

SHA1
af5000dd7e045f5183638d8eaf1afa90827f7053

SHA256
1264a9e23a3f07970691cda72a7329f9efa8ef73cb392511a1351ce67ccfa182

SHA512
a6ff125de90a564bcba534ab89a4a843f416379917cbc6861413cf28cd6ea99b762cbf45a5042d929c9b5bfdb6a3c2c57044a2350309ace00ea4a41dbb77d887

Download Submit
memory/780-47-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-56-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-35-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-33-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-70-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-63-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-61-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-29-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-42-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-44-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-51-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/780-49-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2168-20-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2168-41-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2168-23-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2168-24-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2168-27-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download