Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 16-04-2024 10:36
Behavioral task: behavioral1
Sample: f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe
Size: 954KB
MD5: f34f3f97f3283dd08b5918805975765f
SHA1: 5bbd362955e0399eb760082c8371d364a09476fe
SHA256: ebe99cc6d3e15292562235e4789a259fc7f6758c84dd3c963136d23fe11a208e
SHA512: 4659131d6ab07ba9ed14d7a46cc2334ce61b2db285b893f65cfd0e36f5bb5ed078fdfd546bb6d5c6d5bfa56342d93e69ea8889942ef476bcacc70b0d022696c3
SSDEEP: 24576:otlcaTtnY5kejuY4l0WeNToRgS+OGF2uHP4G:mlc0t4pjIbDhGpHP9
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\System\\ÚÈÏÇáÑÍãä.exe" (f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe)
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (ÚÈÏÇáÑÍãä.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" (ÚÈÏÇáÑÍãä.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (ÚÈÏÇáÑÍãä.exe)
Windows security bypass
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ÚÈÏÇáÑÍãä.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ÚÈÏÇáÑÍãä.exe)
Drops file in Drivers directory (1 IoC)
Processes (description / ioc / process):
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (ÚÈÏÇáÑÍãä.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe)
Deletes itself (1 IoC)
Processes (pid / process):
- 1364 cmd.exe
Executes dropped EXE (1 IoC)
Processes (pid / process):
- 2544 ÚÈÏÇáÑÍãä.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description / ioc / process):
- Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine (ÚÈÏÇáÑÍãä.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine (f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe)
Loads dropped DLL (2 IoCs)
Processes (pid / process):
- 2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe
- 2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe
YARA rule matches (resource / yara_rule):
- behavioral1/memory/2660-0-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2660-1-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/files/0x000c00000001315b-22.dat: themida
- behavioral1/memory/2660-28-0x0000000007D00000-0x0000000007F21000-memory.dmp: themida
- behavioral1/memory/2660-39-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-38-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-42-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-62-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-63-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-64-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-65-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-66-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-67-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-68-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-69-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-70-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-71-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-72-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-73-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-74-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-75-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-76-0x0000000000400000-0x0000000000621000-memory.dmp: themida
- behavioral1/memory/2544-77-0x0000000000400000-0x0000000000621000-memory.dmp: themida
Windows security modification
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ÚÈÏÇáÑÍãä.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ÚÈÏÇáÑÍãä.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\System\\ÚÈÏÇáÑÍãä.exe" (f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes (pid / process):
- 2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe
- 2544 ÚÈÏÇáÑÍãä.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (ÚÈÏÇáÑÍãä.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ÚÈÏÇáÑÍãä.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (ÚÈÏÇáÑÍãä.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (ÚÈÏÇáÑÍãä.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (ÚÈÏÇáÑÍãä.exe)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
- 2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe
- 2544 ÚÈÏÇáÑÍãä.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid / process):
- 2544 ÚÈÏÇáÑÍãä.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes (description / pid / process):
- PID 2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 2544 ÚÈÏÇáÑÍãä.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
- 2544 ÚÈÏÇáÑÍãä.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / procid_target):
- PID 2660 wrote to memory of 2544 (2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe, target 28)
- PID 2660 wrote to memory of 2544 (2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe, target 28)
- PID 2660 wrote to memory of 2544 (2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe, target 28)
- PID 2660 wrote to memory of 2544 (2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe, target 28)
- PID 2660 wrote to memory of 1364 (2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe, target 29)
- PID 2660 wrote to memory of 1364 (2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe, target 29)
- PID 2660 wrote to memory of 1364 (2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe, target 29)
- PID 2660 wrote to memory of 1364 (2660 f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe, target 29)
- PID 1364 wrote to memory of 1356 (1364 cmd.exe, target 31)
- PID 1364 wrote to memory of 1356 (1364 cmd.exe, target 31)
- PID 1364 wrote to memory of 1356 (1364 cmd.exe, target 31)
- PID 1364 wrote to memory of 1356 (1364 cmd.exe, target 31)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f34f3f97f3283dd08b5918805975765f_JaffaCakes118.exe"
  PID: 2660
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\System\ÚÈÏÇáÑÍãä.exe
    Command line: "C:\System\ÚÈÏÇáÑÍãä.exe"
    PID: 2544
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
    PID: 1364
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      PID: 1356
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (5)
- Virtualization/Sandbox Evasion (1)
Downloads
File 1
Filesize: 119B
MD5: fabd378960e93ab486627346c564b17c
SHA1: 2d04662d05b93707483b06fb8b5aa5a1befa3837
SHA256: c3709a28bc47176d49e67f68676836fbcd68073c0f06966386291d571d257f16
SHA512: 25a452b4511daacc7ec83fa5eed6a4bdf7629cc2651f09b4d7156c1aedd2836a06995ac460a5dddff98d19dc8df31fa9d791aa127ba06d24a85a4c379784841f
File 2
Filesize: 954KB
MD5: f34f3f97f3283dd08b5918805975765f
SHA1: 5bbd362955e0399eb760082c8371d364a09476fe
SHA256: ebe99cc6d3e15292562235e4789a259fc7f6758c84dd3c963136d23fe11a208e
SHA512: 4659131d6ab07ba9ed14d7a46cc2334ce61b2db285b893f65cfd0e36f5bb5ed078fdfd546bb6d5c6d5bfa56342d93e69ea8889942ef476bcacc70b0d022696c3