Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system -
submitted
16-04-2024 07:49
Static task
static1
Behavioral task
behavioral1
Sample
f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe
Resource
win7-20240215-en
General
-
Target
f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe
-
Size
333KB
-
MD5
f30715126b5c27f3f4ac6152c13e55a7
-
SHA1
4885bfc1ca02b739027e092bc5b1d83ea43590fc
-
SHA256
ba05f15f416a924ad9c2d6a07624e1c79955de3ed89b929d4f285d325a52950a
-
SHA512
8d6edf247449e1748ecb8353018a4ad788c1a74caaaf32324af1271ce421e77aa580c315f3f7c235c596e6a32da714e08427ce494e76998e1b3fa10f31d1367c
-
SSDEEP
6144:k4KXklFaM3Y2NOoZmaTt7Lbt4eJMJOq1SQ3NIFGcp9tLJboTMBpdsGK/ttx:RKXfamaRn54eJMU0dIFP/7sTemGm
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Process: f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\driver\\webloader.exe"
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
pid   Process
384   attrib.exe
2568  attrib.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid   Process
2448  webloader.exe
2640  webloader.exe
2780  webloader.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   Process
2484  f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe
2448  webloader.exe
-
Processes:
resource                                                                     yara_rule
behavioral1/memory/2596-23-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2596-21-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2596-27-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2596-28-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2596-29-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2596-31-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2596-30-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2596-32-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2596-43-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2780-79-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2780-81-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2780-82-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2780-84-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2780-87-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2780-86-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2780-85-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2780-92-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/2780-94-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Process: f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\webloader = "C:\\driver\\webloader.exe"
Process: webloader.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\webloader = "C:\\driver\\webloader.exe"
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                          pid   Process                                             procid_target
PID 2484 set thread context of 2212  2484  f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  28
PID 2212 set thread context of 2596  2212  f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  29
PID 2448 set thread context of 2640  2448  webloader.exe                                       40
PID 2640 set thread context of 2780  2640  webloader.exe                                       41
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
Process: f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe (pid 2596)
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Process: webloader.exe (pid 2780)
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   Process
2780  webloader.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   Process                                             procid_target  count
PID 2484 wrote to memory of 2212  2484  f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  28             10
PID 2212 wrote to memory of 2596  2212  f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  29             8
PID 2596 wrote to memory of 2720  2596  f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  30             4
PID 2596 wrote to memory of 2812  2596  f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  32             4
PID 2720 wrote to memory of 384   2720  cmd.exe                                             34             4
PID 2812 wrote to memory of 2568  2812  cmd.exe                                             35             4
PID 2596 wrote to memory of 2448  2596  f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  36             4
PID 2596 wrote to memory of 2180  2596  f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  37             4
PID 2180 wrote to memory of 272   2180  cmd.exe                                             39             4
PID 2448 wrote to memory of 2640  2448  webloader.exe                                       40             10
PID 2640 wrote to memory of 2780  2640  webloader.exe                                       41             8
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
pid   Process
384   attrib.exe
2568  attrib.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2484
  [2] C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2212
    [3] C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe"
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2596
      [4] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe" +s +h
        - Suspicious use of WriteProcessMemory
        PID:2720
        [5] C:\Windows\SysWOW64\attrib.exe
          command line: attrib "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe" +s +h
          - Sets file to hidden
          - Views/modifies file attributes
          PID:384
      [4] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory
        PID:2812
        [5] C:\Windows\SysWOW64\attrib.exe
          command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Sets file to hidden
          - Views/modifies file attributes
          PID:2568
      [4] C:\driver\webloader.exe
        command line: "C:\driver\webloader.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID:2448
        [5] C:\driver\webloader.exe
          command line: "C:\driver\webloader.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID:2640
          [6] C:\driver\webloader.exe
            command line: "C:\driver\webloader.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID:2780
      [4] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe"
        - Suspicious use of WriteProcessMemory
        PID:2180
        [5] C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 5
          - Runs ping.exe
          PID:272
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
-
Filesize 333KB
MD5 f30715126b5c27f3f4ac6152c13e55a7
SHA1 4885bfc1ca02b739027e092bc5b1d83ea43590fc
SHA256 ba05f15f416a924ad9c2d6a07624e1c79955de3ed89b929d4f285d325a52950a
SHA512 8d6edf247449e1748ecb8353018a4ad788c1a74caaaf32324af1271ce421e77aa580c315f3f7c235c596e6a32da714e08427ce494e76998e1b3fa10f31d1367c
-
Filesize 3KB
MD5 95f62965058baacadb83c2da94ca47de
SHA1 b3115c8b56105e1eae02fda8b3536b3bf38436ca
SHA256 d76b2bde3f59d34dbf1bba5917bfd17470703801b17984ad90b6cebcf914deb9
SHA512 9fbd110938f1c0a97b1f2742c8233e28a7e2802477f9222d3e0db95c1959ed3a1183b57ca1c92f006e6dbdf3ab03297cba0c6e06e2e2778a6dfa1e4ac2d7cb77