Analysis
-
max time kernel
69s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
27/04/2024, 00:38
Behavioral task
behavioral1
Sample
0204e2465371377f2387d1f149616917_JaffaCakes118.exe
Resource
win7-20231129-en
Errors
General
-
Target
0204e2465371377f2387d1f149616917_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
0204e2465371377f2387d1f149616917
-
SHA1
9d459b959107d2f55eb19ab160aee8e29404c2dd
-
SHA256
cfcab6159d2a014d4aa30e82e3303fc1a885e5045dc71c5a1329abed821ff154
-
SHA512
5a13c7e0bc654a61f95f5253f5976c5543fd03755e9c33c7dc938e107aa7b67e6837666266a597e8f3a8bba78c62447fd3e728ca82e79da2af466734331f0e98
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZp:0UzeyQMS4DqodCnoe+iitjWwwd
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0204e2465371377f2387d1f149616917_JaffaCakes118.exe 0204e2465371377f2387d1f149616917_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0204e2465371377f2387d1f149616917_JaffaCakes118.exe 0204e2465371377f2387d1f149616917_JaffaCakes118.exe -
Executes dropped EXE 15 IoCs
pid Process 780 explorer.exe 4628 explorer.exe 4636 spoolsv.exe 1176 spoolsv.exe 4668 spoolsv.exe 2556 spoolsv.exe 4704 spoolsv.exe 776 spoolsv.exe 4300 spoolsv.exe 1516 spoolsv.exe 3900 spoolsv.exe 3580 spoolsv.exe 2128 spoolsv.exe 3864 spoolsv.exe 4788 spoolsv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1096 set thread context of 1052 1096 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 88 PID 780 set thread context of 4628 780 explorer.exe 97 -
Drops file in Windows directory 17 IoCs
description ioc Process File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe 0204e2465371377f2387d1f149616917_JaffaCakes118.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini 0204e2465371377f2387d1f149616917_JaffaCakes118.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 1052 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 1052 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1052 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 1052 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe 4628 explorer.exe -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 1096 wrote to memory of 3408 1096 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 83 PID 1096 wrote to memory of 3408 1096 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 83 PID 1096 wrote to memory of 1052 1096 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 88 PID 1096 wrote to memory of 1052 1096 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 88 PID 1096 wrote to memory of 1052 1096 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 88 PID 1096 wrote to memory of 1052 1096 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 88 PID 1096 wrote to memory of 1052 1096 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 88 PID 1052 wrote to memory of 780 1052 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 89 PID 1052 wrote to memory of 780 1052 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 89 PID 1052 wrote to memory of 780 1052 0204e2465371377f2387d1f149616917_JaffaCakes118.exe 89 PID 780 wrote to memory of 4628 780 explorer.exe 97 PID 780 wrote to memory of 4628 780 explorer.exe 97 PID 780 wrote to memory of 4628 780 explorer.exe 97 PID 780 wrote to memory of 4628 780 explorer.exe 97 PID 780 wrote to memory of 4628 780 explorer.exe 97 PID 4628 wrote to memory of 4636 4628 explorer.exe 98 PID 4628 wrote to memory of 4636 4628 explorer.exe 98 PID 4628 wrote to memory of 4636 4628 explorer.exe 98 PID 4628 wrote to memory of 1176 4628 explorer.exe 99 PID 4628 wrote to memory of 1176 4628 explorer.exe 99 PID 4628 wrote to memory of 1176 4628 explorer.exe 99 PID 4628 wrote to memory of 4668 4628 explorer.exe 100 PID 4628 wrote to memory of 4668 4628 explorer.exe 100 PID 4628 wrote to memory of 4668 4628 explorer.exe 100 PID 4628 wrote to memory of 2556 4628 explorer.exe 101 PID 4628 wrote to memory of 2556 4628 explorer.exe 101 PID 4628 wrote to memory of 2556 4628 explorer.exe 101 PID 4628 wrote to memory of 4704 4628 explorer.exe 102 PID 4628 wrote to memory of 4704 4628 explorer.exe 102 PID 4628 wrote to memory of 4704 4628 explorer.exe 102 PID 4628 wrote to memory of 776 4628 explorer.exe 103 PID 4628 wrote to memory of 776 4628 explorer.exe 103 PID 4628 wrote to memory of 776 4628 explorer.exe 103 PID 4628 wrote to memory of 4300 4628 explorer.exe 104 PID 4628 wrote to memory of 4300 4628 explorer.exe 104 PID 4628 wrote to memory of 4300 4628 explorer.exe 104 PID 4628 wrote to memory of 1516 4628 explorer.exe 105 PID 4628 wrote to memory of 1516 4628 explorer.exe 105 PID 4628 wrote to memory of 1516 4628 explorer.exe 105 PID 4628 wrote to memory of 3900 4628 explorer.exe 106 PID 4628 wrote to memory of 3900 4628 explorer.exe 106 PID 4628 wrote to memory of 3900 4628 explorer.exe 106 PID 4628 wrote to memory of 3580 4628 explorer.exe 107 PID 4628 wrote to memory of 3580 4628 explorer.exe 107 PID 4628 wrote to memory of 3580 4628 explorer.exe 107 PID 4628 wrote to memory of 2128 4628 explorer.exe 110 PID 4628 wrote to memory of 2128 4628 explorer.exe 110 PID 4628 wrote to memory of 2128 4628 explorer.exe 110 PID 4628 wrote to memory of 3864 4628 explorer.exe 111 PID 4628 wrote to memory of 3864 4628 explorer.exe 111 PID 4628 wrote to memory of 3864 4628 explorer.exe 111 PID 4628 wrote to memory of 4788 4628 explorer.exe 112 PID 4628 wrote to memory of 4788 4628 explorer.exe 112 PID 4628 wrote to memory of 4788 4628 explorer.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\0204e2465371377f2387d1f149616917_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0204e2465371377f2387d1f149616917_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:3408
-
-
C:\Users\Admin\AppData\Local\Temp\0204e2465371377f2387d1f149616917_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0204e2465371377f2387d1f149616917_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4636
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1176
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4668
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2556
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4704
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:776
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4300
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1516
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3900
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3580
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2128
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3864
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:4788
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:932
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
2.2MB
MD5e0ab8dd44af5fcd814bfc2fdb1d43729
SHA1f8505f0f88f09dc1671b661ba0ae3606a84ed3c1
SHA256ab2635c382d39d4299429e09cef37ba5a583df64f7a16654e5ab55c6f311c96d
SHA512db82f8882c150db7b4dae0e8690dfd088346a7380d844e0acadd33b4262a2b6ef927372f6217ed1df786108ae7836053dc8ddab0c780cee544789b2ef8af231e
-
Filesize
2.2MB
MD563677dffcf0466971e740ed46b411c61
SHA1987f97e95c99cbdf5f38f910f0fbd719fa9869fd
SHA2562a44ca50049605ad56e0048ea2e2b93326bfd3f0216f563e9d5f4c50950d77d1
SHA51226bed6fc40470d95b39edff5a0900bf980ea212bbd4ae1da8505f2a695e4222445b213221edc0279b26f894898e53ce33f20b299ae49d1c8808bb517c93f5316