Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 02:50
Static task: static1
Behavioral task: behavioral1, sample 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe, resource win7-20240221-en
Behavioral task: behavioral2, sample 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe, resource win10v2004-20240419-en
General
Target: 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
Size: 747KB
MD5: 04368110d5ce090681d01deaadea2409
SHA1: 37e7ae7b04b6511ec525a0c23a4d5211438f0cdc
SHA256: 09e7e0993d2c44f85eb203e790a8e77004b59b09c69b93efe8151b2c366a3978
SHA512: 06977afcfffda85e58f16da09d86619156d2ba61140605a57e7e233cb219ac6e9ecc25466d4388cfeb7e6f00f4d706dfcb79e938c4abaa7629077de84bcbe652
SSDEEP: 12288:chkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcbNt0vACQ:URmJkcoQricOIQxiZY1WNyYCQ
Malware Config
Signatures
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
Drops file in Drivers directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\drivers\etc\hosts | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V = "C:\\Windows\\Editasalva.exe" | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4540-0-0x0000000000400000-0x00000000004CD000-memory.dmp | autoit_exe
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\systemfile.txt | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Editasalva.exe | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
File opened for modification | C:\Windows\Editasalva.exe | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
4540 | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
4540 | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
4540 | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
4540 | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
4540 | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
4540 | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
System policy modification 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
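The signatures above reduce to a short list of host-side indicators: EnableLUA forced to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, a Run value named V in the user hive pointing at C:\Windows\Editasalva.exe, a rewritten C:\Windows\System32\drivers\etc\hosts, and C:\Windows\SysWOW64\systemfile.txt. The Python below is an added example, not part of the sandbox output, that runs those indicators as rules over a constructed batch of Sysmon-style registry and file events and tags the two registry hits with the ATT&CK techniques the matrix further down names (T1548.002 Bypass User Account Control, T1547.001 Registry Run Keys / Startup Folder). The event field names (type, path, value, image), the SAMPLE_EVENTS list and the benign noise events are assumptions.

```python
"""Match host telemetry against the indicators from this sandbox report.

Added example, not part of the sandbox output. Each event is a dict with the
keys 'type' (reg_set | file_create | file_modify), 'path', 'value' and 'image';
that schema and the SAMPLE_EVENTS list are constructed stand-ins for a
Sysmon/EDR export.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Event = Dict[str, str]
Hit = Tuple[str, Optional[str], Event]

# Indicators copied from the Signatures / Downloads sections of the report.
POLICY_SYSTEM_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Any per-user Run key: the SID differs per host, so it is a wildcard here.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\USER\\S-1-5-21-[0-9-]+\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE,
)
DROPPED_FILES = {
    r"c:\windows\system32\drivers\etc\hosts",
    r"c:\windows\syswow64\systemfile.txt",
    r"c:\windows\editasalva.exe",
}


def _reg_value(e: Event) -> str:
    """Undo the quoted, backslash-doubled rendering the report uses for values."""
    return e.get("value", "").strip('"').replace("\\\\", "\\")


def rule_uac_disabled(e: Event) -> bool:
    """EnableLUA set to 0: UAC is switched off machine-wide once the box restarts."""
    return (
        e["type"] == "reg_set"
        and e["path"].lower() == (POLICY_SYSTEM_KEY + r"\EnableLUA").lower()
        and _reg_value(e) == "0"
    )


def rule_run_key_into_windows_dir(e: Event) -> bool:
    """Per-user Run value whose target sits under the Windows directory.

    Writing the HKCU Run value needs no privilege, but dropping the target
    under the Windows directory does, so the pair points at an elevated dropper.
    """
    return (
        e["type"] == "reg_set"
        and RUN_KEY_RE.match(e["path"]) is not None
        and _reg_value(e).lower().startswith("c:\\windows\\")
    )


def rule_report_file_dropped(e: Event) -> bool:
    """Creation or modification of one of the three files the sample writes."""
    return e["type"] in ("file_create", "file_modify") and e["path"].lower() in DROPPED_FILES


RULES: List[Tuple[str, Optional[str], Callable[[Event], bool]]] = [
    ("UAC bypass (EnableLUA=0)", "T1548.002", rule_uac_disabled),
    ("Run key persistence into C:\\Windows", "T1547.001", rule_run_key_into_windows_dir),
    ("File IoC from report", None, rule_report_file_dropped),
]


def match_iocs(events: Iterable[Event]) -> List[Hit]:
    """Return every (rule name, ATT&CK technique, event) triple that fires."""
    return [(name, tid, e) for e in events for name, tid, pred in RULES if pred(e)]


def verdict(events: Iterable[Event]) -> str:
    """One-line summary: both registry rules together are the pattern in this
    report; any single hit is worth a look but is not called a match."""
    fired = {name for name, _, _ in match_iocs(events)}
    if {"UAC bypass (EnableLUA=0)", "Run key persistence into C:\\Windows"} <= fired:
        return "match: UAC disabled + privileged autostart"
    if fired:
        return "partial: " + ", ".join(sorted(fired))
    return "clean"


SAMPLE = "04368110d5ce090681d01deaadea2409_JaffaCakes118.exe"
SID = "S-1-5-21-877519540-908060166-1852957295-1000"
RUN_KEY = "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
# Constructed events: the first five mirror the report, the last three are benign noise.
SAMPLE_EVENTS: List[Event] = [
    {"type": "reg_set", "path": POLICY_SYSTEM_KEY + r"\EnableLUA", "value": '"0"', "image": SAMPLE},
    {"type": "reg_set", "path": RUN_KEY + "V", "value": r'"C:\\Windows\\Editasalva.exe"', "image": SAMPLE},
    {"type": "file_create", "path": r"C:\Windows\System32\drivers\etc\hosts", "value": "", "image": SAMPLE},
    {"type": "file_create", "path": r"C:\Windows\SysWOW64\systemfile.txt", "value": "", "image": SAMPLE},
    {"type": "file_create", "path": r"C:\Windows\Editasalva.exe", "value": "", "image": SAMPLE},
    {"type": "reg_set", "path": POLICY_SYSTEM_KEY + r"\EnableLUA", "value": '"1"', "image": "setup.exe"},
    {"type": "reg_set", "path": RUN_KEY + "OneDrive",
     "value": r'"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"', "image": "OneDriveSetup.exe"},
    {"type": "file_create", "path": r"C:\Users\Admin\AppData\Local\Temp\install.log", "value": "", "image": "setup.exe"},
]

if __name__ == "__main__":
    for name, tid, e in match_iocs(SAMPLE_EVENTS):
        print(f"[{tid or '-'}] {name}: {e['path']}")
    print(verdict(SAMPLE_EVENTS))
```

The Run-key rule deliberately keys on the target directory rather than the value name V or the file name Editasalva.exe, both of which are trivial for the author to change; the EnableLUA rule only fires on the value 0, so an installer restoring UAC to 1 does not trip it. On a host where the user is not a local administrator, the HKCU Run value can still land while the drop into C:\Windows fails, which is why the file indicators are checked separately from the registry ones.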
Processes
C:\Users\Admin\AppData\Local\Temp\04368110d5ce090681d01deaadea2409_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\04368110d5ce090681d01deaadea2409_JaffaCakes118.exe"
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
C:\Windows\System32\drivers\etc\hosts
Filesize: 1KB
MD5: 46ba454edc9d9038b2e3f4b6fea4849d
SHA1: 99d2069256ce74899ff67e5c06ef3d4052ef4ab4
SHA256: 99e4b9f09b7f675428038c9e1d72531dafe9f2534593c53711481028d7120864
SHA512: e217cb8f5cef48756167327df6ccd5406d45c00064615cdd84abbbbffb910a83e1563149a33c272eeb5e5dc9d134e31236e0f105e3a7aefef8d6f2fd294306f2

memory/4540-0-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize: 820KB