Analysis
-
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-04-2024 01:56
Behavioral task: behavioral1
  Sample: f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
-
Target: f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
Size: 757KB
MD5: f007b11b6014d888d33b581c438bc296
SHA1: 18fe4c3997b5730b3c0a375314be046903325817
SHA256: 570985f06c6a51a2df7ff6706931807de298709e0083a56b38caf572635efec0
SHA512: 58bc0f72616b8f918ffce1b50a858b50596784e8062860cceb4b9ac92103147f719729460b86c009ce6e404a073beb438d0880e97f23ce61fa66d66e609645b5
SSDEEP: 12288:w9AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKEqMd0QZh9u:2AQ6Zx9cxTmOrucTIEFSpOGVD0QZh9u
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | explorer.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | explorer.exe
-
Windows security bypass
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
-
Disables Task Manager via registry modification
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
3200 | notepad.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | notepad.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 460 set thread context of 4604 | 460 | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe | explorer.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
4604 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
description | pid | process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries, one per privilege) | 460 | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries, one per privilege) | 4604 | explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 460 wrote to memory of 3720 | 460 | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe | notepad.exe (23 identical entries)
PID 460 wrote to memory of 4604 | 460 | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe | explorer.exe (5 identical entries)
PID 460 wrote to memory of 3200 | 460 | f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe | notepad.exe (17 identical entries)
PID 4604 wrote to memory of 2876 | 4604 | explorer.exe | notepad.exe (19 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f007b11b6014d888d33b581c438bc296_JaffaCakes118.exe"
  PID: 460
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\notepad.exe
    command line: notepad
    PID: 3720
    - Adds Run key to start application
  C:\Windows\SysWOW64\explorer.exe
    command line: "C:\Windows\SysWOW64\explorer.exe"
    PID: 4604
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\notepad.exe
      command line: C:\Windows\SysWOW64\notepad.exe
      PID: 2876
  C:\Windows\SysWOW64\notepad.exe
    command line: C:\Windows\SysWOW64\notepad.exe
    PID: 3200
    - Deletes itself
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3480,i,353436235481858446,15149564830344523381,262144 --variations-seed-version --mojo-platform-channel-handle=1728 /prefetch:8
  PID: 2340
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)