Analysis
- max time kernel: 128s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-04-2024 23:27
Behavioral task: behavioral1
- Sample: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
- Size: 648KB
- MD5: efc29049fa5d14ed1db26fc6fbc7174a
- SHA1: 2bba18e0c933936dd9290c6dde35c5fc1b7bd699
- SHA256: 5d12db2475846f968b67d2dc287bd9d0fbc8f47f69f03911ec16c2ed23eb9324
- SHA512: c9df29c2b918d3f4cebef4eba1ba2f8dc1cdf8a464bf8eb4e876852c385f412eccd80029a54414c678bb9a66828edfa0e74c06c445e5a29afe8f48b0ed049de8
- SSDEEP: 12288:06A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhf:JAmBpVKHu0Mu9Xo20VGLVP5f
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdatec.exe" | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
- Modifies security service (2 TTPs, 1 IoC)
  Processes: winupdatec.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | winupdatec.exe
- Windows security bypass
  Processes: winupdatec.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdatec.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  Processes: winupdatec.exe
  pid | process
  4320 | winupdatec.exe
- Windows security modification
  Processes: winupdatec.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdatec.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdatec = "C:\\Windupdt\\winupdatec.exe" | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe, winupdatec.exe
  PID 2744 (efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe) adjusted token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 4320 (winupdatec.exe) adjusted token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: winupdatec.exe
  pid | process
  4320 | winupdatec.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe, cmd.exe
  description | pid | process | target process
  PID 2744 wrote to memory of 4320 | 2744 | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe | winupdatec.exe
  PID 2744 wrote to memory of 4320 | 2744 | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe | winupdatec.exe
  PID 2744 wrote to memory of 4320 | 2744 | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe | winupdatec.exe
  PID 2744 wrote to memory of 3724 | 2744 | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe | cmd.exe
  PID 2744 wrote to memory of 3724 | 2744 | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe | cmd.exe
  PID 2744 wrote to memory of 3724 | 2744 | efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe | cmd.exe
  PID 3724 wrote to memory of 4832 | 3724 | cmd.exe | PING.EXE
  PID 3724 wrote to memory of 4832 | 3724 | cmd.exe | PING.EXE
  PID 3724 wrote to memory of 4832 | 3724 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe (PID 2744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windupdt\winupdatec.exe (PID 4320)
    Command line: "C:\Windupdt\winupdatec.exe"
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe (PID 3724)
    Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\efc29049fa5d14ed1db26fc6fbc7174a_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 4832)
      Command line: ping 127.0.0.1 -n 5
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 648KB
- MD5: efc29049fa5d14ed1db26fc6fbc7174a
- SHA1: 2bba18e0c933936dd9290c6dde35c5fc1b7bd699
- SHA256: 5d12db2475846f968b67d2dc287bd9d0fbc8f47f69f03911ec16c2ed23eb9324
- SHA512: c9df29c2b918d3f4cebef4eba1ba2f8dc1cdf8a464bf8eb4e876852c385f412eccd80029a54414c678bb9a66828edfa0e74c06c445e5a29afe8f48b0ed049de8