Analysis
  max time kernel:  150s
  max time network: 148s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240412-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        16-04-2024 07:49

Static task: static1
Behavioral task: behavioral1
  Sample:   f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe
  Resource: win7-20240215-en
  Note: the signature rows and memory dumps below are labelled behavioral2 and match the win10v2004-20240412-en platform details above; the win7 task is listed here but its results are not on this page.
General
  Target: f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe
  Size:   333KB
  MD5:    f30715126b5c27f3f4ac6152c13e55a7
  SHA1:   4885bfc1ca02b739027e092bc5b1d83ea43590fc
  SHA256: ba05f15f416a924ad9c2d6a07624e1c79955de3ed89b929d4f285d325a52950a
  SHA512: 8d6edf247449e1748ecb8353018a4ad788c1a74caaaf32324af1271ce421e77aa580c315f3f7c235c596e6a32da714e08427ce494e76998e1b3fa10f31d1367c
  SSDEEP: 6144:k4KXklFaM3Y2NOoZmaTt7Lbt4eJMJOq1SQ3NIFGcp9tLJboTMBpdsGK/ttx:RKXfamaRn54eJMU0dIFP/7sTemGm
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  The sample appends its dropped copy to the Winlogon Userinit list, so winlogon.exe launches it next to userinit.exe at every interactive logon. The stock value is "C:\Windows\system32\userinit.exe," on its own; any additional comma-separated entry is the finding. Writing this key needs write access to HKLM\SOFTWARE, i.e. an administrator context.
  Process: f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe (PID 1244)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\driver\\webloader.exe"

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes so the file no longer shows in Explorer or default directory listings.
  Processes: attrib.exe (PID 2492), attrib.exe (PID 4176)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Process: f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe (PID 1244)
  Key value queried: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (3 IoCs)
  Processes: webloader.exe (PID 2864), webloader.exe (PID 904), webloader.exe (PID 4960)

Loads dropped DLL (2 IoCs)
  Processes: f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe (PID 4712), webloader.exe (PID 2864)

YARA rule "upx" matched on memory dumps (28 IoCs; the signature title itself is not on the page)
  Every dump covers the same 0x0000000000400000-0x00000000004B8000 image range in the two final-stage processes, PID 1244 and PID 4960:
  behavioral2/memory/1244-{8,9,10,12,78}-0x0000000000400000-0x00000000004B8000-memory.dmp  (yara_rule: upx)
  behavioral2/memory/4960-{91,92,93,95,96,97,98,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117}-0x0000000000400000-0x00000000004B8000-memory.dmp  (yara_rule: upx)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Both the dropper (PID 1244) and the dropped copy (PID 4960) write the same per-user Run value.
  Set value (str): \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webloader = "C:\\driver\\webloader.exe"  (f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webloader = "C:\\driver\\webloader.exe"  (webloader.exe)
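A hunting check for the two persistence values above, as an added example that is not part of the sandbox report or the vendor's tooling. It parses a Winlogon Userinit string into its comma-separated entries and flags anything other than the stock userinit.exe, and flags Run-key commands whose executable lives outside the Windows and Program Files trees (a heuristic, not a rule). The sample values are constructed from the report's IoCs; the OneDrive entry is a made-up benign contrast. On Windows it can also read the live registry via winreg; elsewhere it falls back to the constructed values.

```python
"""Persistence checks for the two registry values this sample set
(Winlogon\\Userinit and HKCU\\...\\Run\\webloader). Added example, not part
of the sandbox report; sample values are constructed from its IoCs."""
import sys

# Stock Userinit program on Windows 10 (the trailing comma is normal).
STOCK_USERINIT = "c:\\windows\\system32\\userinit.exe"
# Where autostart executables normally live; anything else is worth a look
# (heuristic: a dropper can also sit under Program Files if it has rights).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def split_userinit(value):
    """Userinit is a comma-separated program list; drop quotes and blank tails."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]

def unexpected_userinit_entries(value):
    """Entries other than the stock userinit.exe, e.g. the appended
    C:\\driver\\webloader.exe in this report."""
    return [e for e in split_userinit(value)
            if e.lower() not in (STOCK_USERINIT, "userinit.exe")]

def executable_of(cmdline):
    """First token of a Run-key command: the quoted path, or the first
    whitespace-delimited token for unquoted commands."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split(None, 1)[0]

def suspicious_run_entries(run_values):
    """(name, command) pairs whose executable is outside TRUSTED_PREFIXES."""
    return [(name, cmd) for name, cmd in run_values.items()
            if not executable_of(cmd).lower().startswith(TRUSTED_PREFIXES)]

def read_live_values():
    """Windows only: read the same two locations from the live registry.
    Returns (userinit_value, {run_name: command}) or None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        userinit = winreg.QueryValueEx(k, "Userinit")[0]
    run = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as k:
        i = 0
        while True:
            try:
                name, val, _ = winreg.EnumValue(k, i)  # raises OSError when done
            except OSError:
                break
            run[name] = str(val)
            i += 1
    return userinit, run

# Constructed from the report's "Set value" IoCs; the OneDrive entry is a
# made-up benign contrast and does not appear in the report.
OBSERVED_USERINIT = r"C:\Windows\system32\userinit.exe,C:\driver\webloader.exe"
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
OBSERVED_RUN = {
    "webloader": r"C:\driver\webloader.exe",
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    live = read_live_values()
    userinit, run = live if live else (OBSERVED_USERINIT, OBSERVED_RUN)
    print("Userinit extras:", unexpected_userinit_entries(userinit))
    print("Run-key suspects:", suspicious_run_entries(run))
```

The Userinit check compares each entry case-insensitively against the stock value, so a trailing comma or changed casing does not raise a false positive; the Run-key heuristic deliberately errs toward review, since the report's C:\driver\ directory is exactly the kind of non-standard location it is meant to surface.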
Suspicious use of SetThreadContext (4 IoCs)
  Each stage starts a fresh copy of its own image, writes into it (see WriteProcessMemory below) and resets one of its threads' context. That is the API footprint of process hollowing: the child is typically created suspended, its image overwritten, given a new thread context and resumed; the report shows the write and context-reset steps. The chain runs three processes deep for the dropper and again for the dropped copy.
  PID 4712 set thread context of 4404   f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe   (procid_target 90)
  PID 4404 set thread context of 1244   f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe   (procid_target 91)
  PID 2864 set thread context of 904    webloader.exe   (procid_target 102)
  PID 904  set thread context of 4960   webloader.exe   (procid_target 105)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Process: f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe (PID 1244)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Runs ping.exe (1 TTP, 1 IoC)
  (no IoC row appears on the page; the process tree shows the ping.exe instance, PID 464)

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 1244 (f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe) and PID 4960 (webloader.exe) each enabled the same 24 privileges, which is the complete privilege set of an elevated administrator token rather than the one or two a legitimate installer would request, and confirms both stages ran elevated:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and LUIDs 33, 34, 35, 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege).

Suspicious use of SetWindowsHookEx (1 IoC)
  Process: webloader.exe (PID 4960)

Suspicious use of WriteProcessMemory (55 IoCs)
  Writes grouped per parent/child pair (source PID -> target PID, source image, procid_target, count):
  4712 -> 4404   f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe   90    9 writes  (also under SetThreadContext)
  4404 -> 1244   f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe   91    8 writes  (also under SetThreadContext)
  1244 -> 2912   f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe   92    3 writes
  1244 -> 772    f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe   93    3 writes
  2912 -> 2492   cmd.exe                                               96    3 writes
  772  -> 4176   cmd.exe                                               97    3 writes
  1244 -> 2864   f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe   98    3 writes
  1244 -> 1612   f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe   99    3 writes
  1612 -> 464    cmd.exe                                               101   3 writes
  2864 -> 904    webloader.exe                                         102   9 writes  (also under SetThreadContext)
  904  -> 4960   webloader.exe                                         105   8 writes  (also under SetThreadContext)
  In this trace every ordinary child launch (cmd.exe, attrib.exe, ping.exe, the first webloader.exe) shows exactly three writes; the four pairs that also appear under SetThreadContext show eight or nine, which is the extra image and header writing of a hollowing stage.
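The SetThreadContext and WriteProcessMemory rows above can be correlated mechanically to recover the injection chains. The following is an added example, not part of the report or the sandbox vendor's code: it parses rows in the shape the report prints ("PID <src> wrote to memory of <dst> <src> <image> <procid_target>"), treats a parent/child pair with both writes and a context reset as a hollowing edge, and walks those edges from each root process to the final stage. SAMPLE_LOG is constructed from this report's rows with the sample's long file name shortened to sample.exe and the repeated rows expressed as string multiplication.

```python
"""Rebuild process-hollowing chains from a sandbox report's
WriteProcessMemory / SetThreadContext rows. Added example, not part of the
report; SAMPLE_LOG is constructed from its IoC rows (file name shortened)."""
import re
from collections import Counter, defaultdict

# Row shape in the report: "PID <src> <action> <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)")

def parse_rows(text):
    """Return (write count per (src, dst), set of (src, dst) pairs with a
    thread-context reset, {src pid: image name})."""
    writes, ctx, images = Counter(), set(), {}
    for m in ROW_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        images[src] = m["image"]
        if m["action"].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx, images

def hollowing_edges(writes, ctx):
    """Parent wrote into the child AND reset one of its thread contexts: the
    API footprint of create-suspended / overwrite / SetThreadContext / resume."""
    return {edge for edge in ctx if writes[edge] > 0}

def plain_spawn_writes(writes, ctx):
    """Write counts for pairs with no context reset, i.e. ordinary child creation."""
    return {e: n for e, n in writes.items() if e not in ctx}

def injection_chains(edges):
    """Follow hollowing edges from each root (a source that is never a target)
    down to the final stage. Chains come out ordered by root PID."""
    children = defaultdict(list)
    for s, d in sorted(edges):
        children[s].append(d)
    targets = {d for _, d in edges}
    chains = []

    def walk(node, path):
        if not children[node]:
            chains.append(path)
        for c in children[node]:
            walk(c, path + [c])

    for root in sorted({s for s, _ in edges} - targets):
        walk(root, [root])
    return chains

# Constructed from the report's rows; counts match the 55 WriteProcessMemory
# and 4 SetThreadContext IoCs.
SAMPLE_LOG = (
    "PID 4712 set thread context of 4404 4712 sample.exe 90\n"
    "PID 4404 set thread context of 1244 4404 sample.exe 91\n"
    "PID 2864 set thread context of 904 2864 webloader.exe 102\n"
    "PID 904 set thread context of 4960 904 webloader.exe 105\n"
    + "PID 4712 wrote to memory of 4404 4712 sample.exe 90\n" * 9
    + "PID 4404 wrote to memory of 1244 4404 sample.exe 91\n" * 8
    + "PID 1244 wrote to memory of 2912 1244 sample.exe 92\n" * 3
    + "PID 1244 wrote to memory of 772 1244 sample.exe 93\n" * 3
    + "PID 2912 wrote to memory of 2492 2912 cmd.exe 96\n" * 3
    + "PID 772 wrote to memory of 4176 772 cmd.exe 97\n" * 3
    + "PID 1244 wrote to memory of 2864 1244 sample.exe 98\n" * 3
    + "PID 1244 wrote to memory of 1612 1244 sample.exe 99\n" * 3
    + "PID 1612 wrote to memory of 464 1612 cmd.exe 101\n" * 3
    + "PID 2864 wrote to memory of 904 2864 webloader.exe 102\n" * 9
    + "PID 904 wrote to memory of 4960 904 webloader.exe 105\n" * 8
)

if __name__ == "__main__":
    w, c, im = parse_rows(SAMPLE_LOG)
    edges = hollowing_edges(w, c)
    for chain in injection_chains(edges):
        print(" -> ".join(f"{p} ({im.get(p, '?')})" for p in chain))
    print("writes per hollowing edge:", {e: w[e] for e in sorted(edges)})
    print("writes per ordinary spawn:", plain_spawn_writes(w, c))
```

Run against the report's own rows, the two chains are 4712 -> 4404 -> 1244 and 2864 -> 904 -> 4960, and the write counts split cleanly into three for every ordinary spawn and eight or nine for every hollowing edge; the same split is what a memory-forensics triage would look for before pulling the 0x400000-0x4B8000 region of PIDs 1244 and 4960.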
Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 2492), attrib.exe (PID 4176)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  (PID 4712)
   command line: "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  (PID 4404)
      command line: "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe  (PID 1244)
         command line: "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe"
         - Modifies WinLogon for persistence
         - Checks computer location settings
         - Adds Run key to start application
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe  (PID 2912)
            command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe" +s +h
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\attrib.exe  (PID 2492)
               command line: attrib "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe" +s +h
               - Sets file to hidden
               - Views/modifies file attributes

         4. C:\Windows\SysWOW64\cmd.exe  (PID 772)
            command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\attrib.exe  (PID 4176)
               command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
               - Sets file to hidden
               - Views/modifies file attributes

         4. C:\driver\webloader.exe  (PID 2864)
            command line: "C:\driver\webloader.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            5. C:\driver\webloader.exe  (PID 904)
               command line: "C:\driver\webloader.exe"
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory

               6. C:\driver\webloader.exe  (PID 4960)
                  command line: "C:\driver\webloader.exe"
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx

         4. C:\Windows\SysWOW64\cmd.exe  (PID 1612)
            command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe"
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\PING.EXE  (PID 464)
               command line: ping 127.0.0.1 -n 5
               - Runs ping.exe

Notes on the tree:
  - The command lines name C:\Windows\System32 but the image paths are under SysWOW64: the sample is a 32-bit process, so WOW64 file system redirection maps its System32 launches to the 32-bit binaries.
  - The two attrib.exe children mark the dropper and its Temp directory system+hidden, and the last cmd.exe is the usual delay-then-delete: five echo requests to loopback (roughly four seconds, since ping waits about a second between requests) and then del of the dropper. Only the original file is removed; C:\driver\webloader.exe and both registry entries stay.
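The cmd.exe command lines in the tree are the part of this chain most worth a detection rule. The following is an added example, not part of the report or the sandbox vendor's code: it scans (parent image, child command line) pairs for attrib +s +h applied to the parent's own image or the directory it lives in, and for the "ping <host> -n <N> ... & del <path>" self-deletion idiom, reporting the echo count, the implied delay and the deleted path. SAMPLE_EVENTS is constructed from the process tree above plus one made-up benign ping line; the attrib and ping argument orders it accepts are the common ones, not an exhaustive grammar.

```python
"""Flag the defence-evasion command lines in this report's process tree.
Added example, not part of the sandbox report; SAMPLE_EVENTS is constructed
from the tree plus one made-up benign line."""
import re

ATTRIB_RE = re.compile(r"\battrib(?:\.exe)?\b(?P<rest>.*)", re.I)
FLAG_RE = re.compile(r"(?<!\S)[+-][shra]\b", re.I)
QUOTED_RE = re.compile(r'"([^"]+)"')
# ping <host> -n <count> ... & del [/switches] <path>, either ping argument order
PING_DEL_RE = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+(?P<n1>\d+)\s+(?P<h1>\S+)|(?P<h2>\S+)\s+-n\s+(?P<n2>\d+))"
    r'.*?&+\s*del\b\s*(?:/[a-z]\s+)*"?(?P<path>[^"&]+?)"?\s*$',
    re.I | re.S)

def parse_attrib(cmdline):
    """Path and attribute flags of an attrib invocation, or None."""
    m = ATTRIB_RE.search(cmdline)
    if not m:
        return None
    rest = m["rest"]
    flags = {f.lower() for f in FLAG_RE.findall(rest)}
    q = QUOTED_RE.search(rest)
    if q:
        path = q.group(1)
    else:  # unquoted: first token that is not a +x/-x flag
        tokens = [t for t in rest.split() if not FLAG_RE.fullmatch(t)]
        path = tokens[0] if tokens else ""
    return {"path": path, "flags": flags}

def parse_ping_delete(cmdline):
    """Host, echo count and deleted path of a 'ping ... & del' chain, or None."""
    m = PING_DEL_RE.search(cmdline)
    if not m:
        return None
    count = int(m["n1"] or m["n2"])
    return {"host": m["h1"] or m["h2"], "ping_count": count,
            # ping waits about one second between requests, so -n N sleeps ~N-1 s
            "approx_delay_s": max(count - 1, 0), "path": m["path"].strip()}

def scan_command_lines(events):
    """events: (parent image path, child command line) pairs -> list of findings."""
    findings = []
    for parent, cmdline in events:
        a = parse_attrib(cmdline)
        if a and "+h" in a["flags"]:
            p, path = parent.lower(), a["path"].lower().rstrip("\\")
            if path == p:
                kind = "self_hide"        # hides the parent's own image
            elif p.startswith(path + "\\"):
                kind = "hide_parent_dir"  # hides the directory the parent lives in
            else:
                kind = "hide_attributes"
            findings.append({"type": kind, "path": a["path"], "flags": sorted(a["flags"])})
        d = parse_ping_delete(cmdline)
        if d:
            d["type"] = "self_delete" if d["path"].lower() == parent.lower() else "delayed_delete"
            findings.append(d)
    return findings

# Constructed from the report's process tree (parent = PID 1244's image).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f30715126b5c27f3f4ac6152c13e55a7_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    (DROPPER, r'"C:\Windows\System32\cmd.exe" /k attrib "' + DROPPER + r'" +s +h'),
    (DROPPER, r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'),
    (DROPPER, r'"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "' + DROPPER + r'"'),
    # made-up benign line: a connectivity check with no delete chained on
    (r"C:\Windows\explorer.exe", r'"C:\Windows\System32\cmd.exe" /c ping 8.8.8.8 -n 2'),
]

if __name__ == "__main__":
    for f in scan_command_lines(SAMPLE_EVENTS):
        print(f)
```

The parent/child pairing is what separates these from administrative noise: attrib +h on an arbitrary file or a ping in a login script is common, while a process hiding its own image and then scheduling its own deletion through ping is not.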
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (T1547): 2
      Registry Run Keys / Startup Folder (T1547.001): 1
      Winlogon Helper DLL (T1547.004): 1
  Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 2
      Registry Run Keys / Startup Folder (T1547.001): 1
      Winlogon Helper DLL (T1547.004): 1
Downloads

File 1
  Filesize: 3KB
  MD5:      95f62965058baacadb83c2da94ca47de
  SHA1:     b3115c8b56105e1eae02fda8b3536b3bf38436ca
  SHA256:   d76b2bde3f59d34dbf1bba5917bfd17470703801b17984ad90b6cebcf914deb9
  SHA512:   9fbd110938f1c0a97b1f2742c8233e28a7e2802477f9222d3e0db95c1959ed3a1183b57ca1c92f006e6dbdf3ab03297cba0c6e06e2e2778a6dfa1e4ac2d7cb77

File 2 (the submitted sample; hashes match the General section)
  Filesize: 333KB
  MD5:      f30715126b5c27f3f4ac6152c13e55a7
  SHA1:     4885bfc1ca02b739027e092bc5b1d83ea43590fc
  SHA256:   ba05f15f416a924ad9c2d6a07624e1c79955de3ed89b929d4f285d325a52950a
  SHA512:   8d6edf247449e1748ecb8353018a4ad788c1a74caaaf32324af1271ce421e77aa580c315f3f7c235c596e6a32da714e08427ce494e76998e1b3fa10f31d1367c