Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-04-2024 07:30
Static task: static1
Behavioral task: behavioral1
- Sample: f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe
- Size: 1.1MB
- MD5: f093f75b0c4fb499e79407a6f1e0677b
- SHA1: 4c49a59b3723aef75f7dbb1270151112cc844c7e
- SHA256: 7c313a9892feb0bd975f6d8c1fe9ea0447adbf738c88353236079693046bb4d8
- SHA512: 5034c1fab191f226aaa82f3f44b31d34f078c7aee2027f70a02cf6acb6db239311df60deacf19c1b798a658e4fdf775b4bbd67b0ba813357dc49f8247b7a1a68
- SSDEEP: 12288:A5fQl3fYNmFm4ODd6spRXLh2pBHMP4KSt9043Q5yzYtS5Ur8bmFzujLRI4LZJZjE:DvYRRLpNAttTXgVan
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\WinDir\\Svchost.exe" | vbc.exe
- Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: vbc.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | vbc.exe
Processes:
resource | yara_rule
behavioral1/memory/1968-6-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/1968-8-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/1968-12-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/1968-15-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/1968-16-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/1968-17-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/1968-18-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/1968-20-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/1968-28-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe, vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\"" | f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Windows\\WinDir\\Svchost.exe" | vbc.exe
- Suspicious use of SetThreadContext (2 IoCs)
Processes: f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe, vbc.exe
description | pid | process | target process
PID 2020 set thread context of 1968 | 2020 | f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe | vbc.exe
PID 1968 set thread context of 2644 | 1968 | vbc.exe | explorer.exe
- Drops file in Windows directory (3 IoCs)
Processes: vbc.exe
description | ioc | process
File created | C:\Windows\WinDir\Svchost.exe | vbc.exe
File opened for modification | C:\Windows\WinDir\Svchost.exe | vbc.exe
File opened for modification | C:\Windows\WinDir\ | vbc.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: vbc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | vbc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | vbc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | vbc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | vbc.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
Processes: vbc.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | vbc.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: vbc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1968 | vbc.exe
Token: SeSecurityPrivilege | 1968 | vbc.exe
Token: SeTakeOwnershipPrivilege | 1968 | vbc.exe
Token: SeLoadDriverPrivilege | 1968 | vbc.exe
Token: SeSystemProfilePrivilege | 1968 | vbc.exe
Token: SeSystemtimePrivilege | 1968 | vbc.exe
Token: SeProfSingleProcessPrivilege | 1968 | vbc.exe
Token: SeIncBasePriorityPrivilege | 1968 | vbc.exe
Token: SeCreatePagefilePrivilege | 1968 | vbc.exe
Token: SeBackupPrivilege | 1968 | vbc.exe
Token: SeRestorePrivilege | 1968 | vbc.exe
Token: SeShutdownPrivilege | 1968 | vbc.exe
Token: SeDebugPrivilege | 1968 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 1968 | vbc.exe
Token: SeChangeNotifyPrivilege | 1968 | vbc.exe
Token: SeRemoteShutdownPrivilege | 1968 | vbc.exe
Token: SeUndockPrivilege | 1968 | vbc.exe
Token: SeManageVolumePrivilege | 1968 | vbc.exe
Token: SeImpersonatePrivilege | 1968 | vbc.exe
Token: SeCreateGlobalPrivilege | 1968 | vbc.exe
Token: 33 | 1968 | vbc.exe
Token: 34 | 1968 | vbc.exe
Token: 35 | 1968 | vbc.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
Processes: f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe, vbc.exe
description | pid | process | target process
PID 2020 wrote to memory of 1968 | 2020 | f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe | vbc.exe (8 identical entries)
PID 1968 wrote to memory of 2644 | 1968 | vbc.exe | explorer.exe (6 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f093f75b0c4fb499e79407a6f1e0677b_JaffaCakes118.exe"
   PID: 2020
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 1968
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe
         Command line: "C:\Windows\SysWOW64\explorer.exe"
         PID: 2644