Analysis
max time kernel: 143s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21/04/2024, 02:37
Static task: static1
Behavioral task: behavioral1
  Sample: fe3cc33f61d6537b780ec831b2702e69_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fe3cc33f61d6537b780ec831b2702e69_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: fe3cc33f61d6537b780ec831b2702e69_JaffaCakes118.exe
Size: 469KB
MD5: fe3cc33f61d6537b780ec831b2702e69
SHA1: b76837e6bd7e0e4a892db5012f5588c364dec3ae
SHA256: 10459bf15b06bd9a38ad9fa4179ffa8c0dbb8ac84b38ee53eb315cc4c754f22f
SHA512: efbf9b14c9dcba1c5454600c4231e8937f648e227c6b237a672b417646e96ab4067defc3aa96fb1467cae19a8355622ae3acfe463991243e951ec52f20225d18
SSDEEP: 12288:Fb7jkD3v0VBRxE5MBGlcM7UdTAT7UZWG1j3FLiUh:Fb3w3v8BRqEM7UdaU1j35i
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2716, process picture.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (fe3cc33f61d6537b780ec831b2702e69_JaffaCakes118.exe)
  File opened for modification: \??\PhysicalDrive0 (picture.exe)
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (picture.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\picture.exe (fe3cc33f61d6537b780ec831b2702e69_JaffaCakes118.exe)
  File opened for modification: C:\Windows\picture.exe (fe3cc33f61d6537b780ec831b2702e69_JaffaCakes118.exe)
- Modifies data under HKEY_USERS (28 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1656, fe3cc33f61d6537b780ec831b2702e69_JaffaCakes118.exe
  Token: SeDebugPrivilege, pid 2716, picture.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2716, process picture.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2716 wrote to memory of 2456 (pid 2716, process picture.exe, procid_target 29), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\fe3cc33f61d6537b780ec831b2702e69_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe3cc33f61d6537b780ec831b2702e69_JaffaCakes118.exe"
  Level 1, PID:1656
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\picture.exe
  Command line: C:\Windows\picture.exe
  Level 1, PID:2716
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    Level 2, PID:2456
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 469KB
  MD5: fe3cc33f61d6537b780ec831b2702e69
  SHA1: b76837e6bd7e0e4a892db5012f5588c364dec3ae
  SHA256: 10459bf15b06bd9a38ad9fa4179ffa8c0dbb8ac84b38ee53eb315cc4c754f22f
  SHA512: efbf9b14c9dcba1c5454600c4231e8937f648e227c6b237a672b417646e96ab4067defc3aa96fb1467cae19a8355622ae3acfe463991243e951ec52f20225d18