Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04/04/2024, 13:27
Static task
static1
Behavioral task
behavioral1
Sample
b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe
-
Size
97KB
-
MD5
b98322e43d25ba7b38c3417dda1e16a4
-
SHA1
a393719aadb658cca5ad6d151802ad35350b0c67
-
SHA256
9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51
-
SHA512
311599e2885fe7e4ccb4bad5d0c4d6ee948cf14307c5885b64398fd861951d86581406545395845daa666984b6f5eb2dbe6fcde66e13202033970b46623efeec
-
SSDEEP
1536:5vOMoORizUPliPsm/gL16ZpQGh6MgHN+PhuLGR/11bvfMoOJ:ROxOMUMPsgQvTMY+PhGGR/117fxOJ
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6267422.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4267427.exe\"" b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6267422.exe" b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4267427.exe\"" smss.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe -
Adds policy Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4218c = "\"C:\\Windows\\_default26742.pif\"" b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4218c = "\"C:\\Windows\\_default26742.pif\"" smss.exe Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe -
Executes dropped EXE 1 IoCs
pid Process 2784 smss.exe -
Loads dropped DLL 2 IoCs
pid Process 2044 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe 2044 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4218c = "\"C:\\Windows\\j6267422.exe\"" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4218c = "\"C:\\Windows\\j6267422.exe\"" b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe -
Drops file in System32 directory 17 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\s4827 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File created C:\Windows\SysWOW64\c_26742k.com b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\s4827 smss.exe File created C:\Windows\SysWOW64\s4827\smss.exe smss.exe File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe smss.exe File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin smss.exe File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File created C:\Windows\SysWOW64\s4827\zh59927084y.exe b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\s4827\smss.exe b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\c_26742k.com b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\c_26742k.com smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin smss.exe File created C:\Windows\SysWOW64\s4827\winlogon.exe smss.exe File created C:\Windows\SysWOW64\s4827\smss.exe b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\s4827\smss.exe smss.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File opened for modification C:\Windows\j6267422.exe b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File opened for modification C:\Windows\o4267427.exe b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File opened for modification C:\Windows\_default26742.pif b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File created C:\Windows\_default26742.pif b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File opened for modification C:\Windows\o4267427.exe smss.exe File opened for modification C:\Windows\_default26742.pif smss.exe File created C:\Windows\j6267422.exe b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File created C:\Windows\o4267427.exe b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe File opened for modification C:\Windows\j6267422.exe smss.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2044 wrote to memory of 2784 2044 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe 29 PID 2044 wrote to memory of 2784 2044 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe 29 PID 2044 wrote to memory of 2784 2044 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe 29 PID 2044 wrote to memory of 2784 2044 b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\s4827\smss.exe"C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:2784
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5b98322e43d25ba7b38c3417dda1e16a4
SHA1a393719aadb658cca5ad6d151802ad35350b0c67
SHA2569b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51
SHA512311599e2885fe7e4ccb4bad5d0c4d6ee948cf14307c5885b64398fd861951d86581406545395845daa666984b6f5eb2dbe6fcde66e13202033970b46623efeec