130cc52f96d1bec9ad6febf7986fa7fef9ebfb36830fb393c2b87cce7374c0a1

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Size

167KB
MD5

f8833bbe07a0897f442d62d1b6ee1e1c
SHA1

d3953783b91068e26ca63568c92eea0b2b9a62ac
SHA256

130cc52f96d1bec9ad6febf7986fa7fef9ebfb36830fb393c2b87cce7374c0a1
SHA512

b20676295c0bb94e671c8cce0862259bb4c38a13da9942b3351ac98ef59e3807a4b97e54eb9689569a9acb6e2a8b3600f5209ccd4a79e9bfbadd086b9e0298fd
SSDEEP

1536:GjcznvDjY/u7RLw5gbNsGwDF8JD0+EexHL0Q0/T:GjIvDjnxrnqF8VEexoQ+T

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\Microsoft-Driver-1-82-8475-5627-5645\winrsvn.exe = "C:\\Users\\Admin\\Microsoft-Driver-1-82-8475-5627-5645\\winrsvn.exe:*:Enabled:Microsoft(R) Update Service"	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	winrsvn.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
2832	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft(R) Update Service = "C:\\Users\\Admin\\Microsoft-Driver-1-82-8475-5627-5645\\winrsvn.exe"	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2656 set thread context of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: 33	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2656 wrote to memory of 2832	2656	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	28
PID 2832 wrote to memory of 2724	2832	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2724	2832	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2724	2832	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2724	2832	f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe	29
PID 2724 wrote to memory of 2608	2724	winrsvn.exe	30
PID 2724 wrote to memory of 2608	2724	winrsvn.exe	30
PID 2724 wrote to memory of 2608	2724	winrsvn.exe	30
PID 2724 wrote to memory of 2608	2724	winrsvn.exe	30

C:\Users\Admin\AppData\Local\Temp\f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f8833bbe07a0897f442d62d1b6ee1e1c_JaffaCakes118.exe
  2⤵
  - Modifies firewall policy service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\Microsoft-Driver-1-82-8475-5627-5645\winrsvn.exe
    "C:\Users\Admin\Microsoft-Driver-1-82-8475-5627-5645\winrsvn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\Microsoft-Driver-1-82-8475-5627-5645\winrsvn.exe
      C:\Users\Admin\Microsoft-Driver-1-82-8475-5627-5645\winrsvn.exe
      4⤵
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Microsoft-Driver-1-82-8475-5627-5645\winrsvn.exe

Filesize
128KB

MD5
5963ad5dedc53c7b6376c9c925b1bda4

SHA1
5b9319e3176022ffa9d72a5702eed151aeec333f

SHA256
21dda96226bcf5b563869b2be795031427fbc6a9d56072f59dfbd6be2c693214

SHA512
41d798e61a307fa2b6e0b32fb8a5bf4edfe5e05a664b4a49c5856777174d2dc959cc92c6a1997b60ae5b7664c35a5df6c19b09fbe669d31d017625510e1963d8

Download Submit
memory/2656-1-0x0000000000360000-0x000000000038F000-memory.dmp

Filesize
188KB

Download
memory/2656-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2832-25-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2832-15-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2832-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2832-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2832-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2832-18-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2832-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2832-35-0x0000000002D50000-0x0000000002D7F000-memory.dmp

Filesize
188KB

Download
memory/2832-24-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads