Analysis Overview
SHA256
bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5
Threat Level: Likely malicious
The file e6195002fecd1cd970e80ab5b2318974_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Disables Task Manager via registry modification
Sets service image path in registry
Modifies Windows Firewall
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:21
Reported
2024-04-07 23:24
Platform
win7-20231129-en
Max time kernel
144s
Max time network
131s
Command Line
Signatures
Disables Task Manager via registry modification
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Driver\ImagePath = "\\??\\C:\\Windows\\system32\\kernelw.sys" | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe" | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe" | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\kernelw.sys | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\kernelwind32.exe | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kernelwind32.exe | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\kernelwind32.exe | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
| File created | C:\Windows\SysWOW64\dllh8jkd1q8.exe | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dllh8jkd1q8.exe | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set allowedprogram 'C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe' enable
C:\Windows\SysWOW64\kernelwind32.exe
C:\Windows\system32\kernelwind32.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall set allowedprogram 'C:\Windows\SysWOW64\kernelwind32.exe' enable
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | softspydelete.com | udp |
| US | 173.239.5.6:80 | softspydelete.com | tcp |
| US | 8.8.8.8:53 | ww9.softspydelete.com | udp |
| US | 76.223.26.96:80 | ww9.softspydelete.com | tcp |
| US | 173.239.5.6:80 | softspydelete.com | tcp |
| US | 173.239.5.6:80 | softspydelete.com | tcp |
| US | 173.239.5.6:80 | softspydelete.com | tcp |
Files
memory/3040-1-0x0000000000400000-0x000000000040A000-memory.dmp
\Windows\SysWOW64\kernelwind32.exe
| Hash | Value |
| --- | --- |
| MD5 | e6195002fecd1cd970e80ab5b2318974 |
| SHA1 | c40a15e0f8b2e521f0ae481b3339d2893970a178 |
| SHA256 | bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5 |
| SHA512 | 445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d |
memory/3040-10-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2360-12-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Windows\SysWOW64\dllh8jkd1q8.exe
| Hash | Value |
| --- | --- |
| MD5 | 96dacbc0d6125a5baf02d286ea2d8277 |
| SHA1 | 726416cce8f3b661070f9b3f30ea212e4621503e |
| SHA256 | 393921ae383f661a60cdb247d8600242daf919f0dfb4b1061f0ab5c7a922f443 |
| SHA512 | 8cb5e28296ad8bcc47de26780b60fc51f81006dd04775aa0332ccecff64f7434b2ef33e17ad81ca96b16c44118bbfa19fb4325aca4eeeaa93f1d767050d2c4e3 |
memory/2360-24-0x0000000000400000-0x000000000040A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:21
Reported
2024-04-07 23:24
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
132s
Command Line
Signatures
Disables Task Manager via registry modification
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Driver\ImagePath = "\\??\\C:\\Windows\\system32\\kernelw.sys" | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Driver\ImagePath = "\\??\\C:\\Windows\\system32\\kernelw.sys" | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe" | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe" | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\dllh8jkd1q8.exe | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kernelw.sys | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\kernelwind32.exe | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kernelwind32.exe | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kernelw.sys | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
| File created | C:\Windows\SysWOW64\kernelwind32.exe | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
| File created | C:\Windows\SysWOW64\dllh8jkd1q8.exe | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\kernelwind32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set allowedprogram 'C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe' enable
C:\Windows\SysWOW64\kernelwind32.exe
C:\Windows\system32\kernelwind32.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall set allowedprogram 'C:\Windows\SysWOW64\kernelwind32.exe' enable
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | softspydelete.com | udp |
| US | 173.239.5.6:80 | softspydelete.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww9.softspydelete.com | udp |
| US | 13.248.148.254:80 | ww9.softspydelete.com | tcp |
| US | 8.8.8.8:53 | 6.5.239.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.148.248.13.in-addr.arpa | udp |
| US | 173.239.5.6:80 | softspydelete.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 173.239.5.6:80 | softspydelete.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 173.239.5.6:80 | softspydelete.com | tcp |
Files
memory/2844-1-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Windows\SysWOW64\kernelwind32.exe
| Hash | Value |
| --- | --- |
| MD5 | e6195002fecd1cd970e80ab5b2318974 |
| SHA1 | c40a15e0f8b2e521f0ae481b3339d2893970a178 |
| SHA256 | bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5 |
| SHA512 | 445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d |
memory/2844-6-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Windows\SysWOW64\kernelw.sys
| Hash | Value |
| --- | --- |
| MD5 | cc43010c40ec6907f2d0526c55495c16 |
| SHA1 | 04f9b28b79824e20c77db44189db718b683971cf |
| SHA256 | 3b3fd4601090089980c93ff7607e9d3e863ce51155c56e0093871493f7a0f875 |
| SHA512 | b21ec29fc85f124a47ce46fb15f47643a4dc2ff521548746ca6a0d39030353c95b2cda4afe7372a85568ba464f162bf3c8060ec469e63f41775731994a6cb8f3 |
memory/5332-10-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Windows\SysWOW64\dllh8jkd1q8.exe
| Hash | Value |
| --- | --- |
| MD5 | 96dacbc0d6125a5baf02d286ea2d8277 |
| SHA1 | 726416cce8f3b661070f9b3f30ea212e4621503e |
| SHA256 | 393921ae383f661a60cdb247d8600242daf919f0dfb4b1061f0ab5c7a922f443 |
| SHA512 | 8cb5e28296ad8bcc47de26780b60fc51f81006dd04775aa0332ccecff64f7434b2ef33e17ad81ca96b16c44118bbfa19fb4325aca4eeeaa93f1d767050d2c4e3 |
memory/5332-21-0x0000000000400000-0x000000000040A000-memory.dmp