Analysis
  max time kernel: 87s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240220-en
  resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  submitted: 14-04-2024 23:27
Behavioral task: behavioral1
  Sample: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
  Target: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
  Size: 648KB
  MD5: efc29049fa5d14ed1db26fc6fbc7174a
  SHA1: 2bba18e0c933936dd9290c6dde35c5fc1b7bd699
  SHA256: 5d12db2475846f968b67d2dc287bd9d0fbc8f47f69f03911ec16c2ed23eb9324
  SHA512: c9df29c2b918d3f4cebef4eba1ba2f8dc1cdf8a464bf8eb4e876852c385f412eccd80029a54414c678bb9a66828edfa0e74c06c445e5a29afe8f48b0ed049de8
  SSDEEP: 12288:06A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhf:JAmBpVKHu0Mu9Xo20VGLVP5f
Malware Config
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdatec.exe" | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | winupdatec.exe

Windows security bypass
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdatec.exe

Deletes itself 1 IoCs
Processes (pid | process):
  2600 | cmd.exe

Executes dropped EXE 1 IoCs
Processes (pid | process):
  2156 | winupdatec.exe

Loads dropped DLL 4 IoCs
Processes (pid | process):
  2172 | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
  2156 | winupdatec.exe
  2156 | winupdatec.exe
  2156 | winupdatec.exe

Windows security modification
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdatec.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdatec = "C:\\Windupdt\\winupdatec.exe" | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes (description | pid | process), 23 token adjustments per process:
  PID 2172 | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe | Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2156 | winupdatec.exe | Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid | process):
  2156 | winupdatec.exe

Suspicious use of WriteProcessMemory 15 IoCs
Processes (description | pid | process | target process):
  PID 2172 wrote to memory of 2156 | 2172 | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe | winupdatec.exe (7 IoCs)
  PID 2172 wrote to memory of 2600 | 2172 | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe | cmd.exe (4 IoCs)
  PID 2600 wrote to memory of 2096 | 2600 | cmd.exe | PING.EXE (4 IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2172

   2. C:\Windupdt\winupdatec.exe (child of PID 2172)
      Command line: "C:\Windupdt\winupdatec.exe"
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 2156

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2172)
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 2600

      3. C:\Windows\SysWOW64\PING.EXE (child of PID 2600)
         Command line: ping 127.0.0.1 -n 5
         - Runs ping.exe
         PID: 2096
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads
  Filesize: 648KB
  MD5: efc29049fa5d14ed1db26fc6fbc7174a
  SHA1: 2bba18e0c933936dd9290c6dde35c5fc1b7bd699
  SHA256: 5d12db2475846f968b67d2dc287bd9d0fbc8f47f69f03911ec16c2ed23eb9324
  SHA512: c9df29c2b918d3f4cebef4eba1ba2f8dc1cdf8a464bf8eb4e876852c385f412eccd80029a54414c678bb9a66828edfa0e74c06c445e5a29afe8f48b0ed049de8