Analysis
max time kernel: 141s
max time network: 49s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 09:37
Static task: static1
Behavioral task: behavioral1
  Sample: 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
Size: 108KB
MD5: 04e4e986fb3025d5279cd7c51893247e
SHA1: cf743ea80ed77d3c74b17cf5610ca150207bc0cb
SHA256: 503ef81e6f8818b4a1a0012d045d8a1a433375cff6f554751fd430fe8234a45a
SHA512: 2fc41ad1151c5de8f3d48895e08a0d727e654414a25e74a4dd6d5b8678efaaf7995ce640ac233e4e347a11a86d209ad685a0c551465508ae353521ebbac97a6e
SSDEEP: 768:0Xne9SLNE6yDCAtSt6b3yFhBVNsx4MOZjFB4xbyv0DVtaxuK9lta5qCqeq6qWqS2:0X9EZ1rahBY2VZjFK2sBt2tIA
Malware Config
Signatures

Processes:
  description     | ioc                                                                                          | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  | reg.exe

Disables Task Manager via registry modification

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description     | ioc                                                                                                                | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexplorer = "C:\\Windows\\iexplorer.exe" | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                         | pid  | process                                            | target process
  PID 2324 set thread context of 1160 | 2324 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe

Drops file in Windows directory (4 IoCs)
Processes:
  description                  | ioc                          | process
  File opened for modification | C:\WINDOWS\system\wincal.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  File created                 | C:\Windows\iexplorer.exe     | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  File opened for modification | C:\Windows\iexplorer.exe     | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  File created                 | C:\WINDOWS\system\wincal.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe

Modifies registry key (1 TTPs, 1 IoCs)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid  | process
  2324 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  1160 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description                      | pid  | process                                            | target process
  PID 2324 wrote to memory of 1160 | 2324 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  PID 2324 wrote to memory of 1160 | 2324 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  PID 2324 wrote to memory of 1160 | 2324 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  PID 2324 wrote to memory of 1160 | 2324 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  PID 2324 wrote to memory of 1160 | 2324 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  PID 2324 wrote to memory of 1160 | 2324 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  PID 2324 wrote to memory of 1160 | 2324 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  PID 2324 wrote to memory of 1160 | 2324 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  PID 1160 wrote to memory of 744  | 1160 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | cmd.exe
  PID 1160 wrote to memory of 744  | 1160 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | cmd.exe
  PID 1160 wrote to memory of 744  | 1160 | 04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe | cmd.exe
  PID 744 wrote to memory of 1004  | 744  | cmd.exe                                            | reg.exe
  PID 744 wrote to memory of 1004  | 744  | cmd.exe                                            | reg.exe
  PID 744 wrote to memory of 1004  | 744  | cmd.exe                                            | reg.exe
Processes

C:\Users\Admin\AppData\Local\Temp\04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2324

  C:\Users\Admin\AppData\Local\Temp\04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\04e4e986fb3025d5279cd7c51893247e_JaffaCakes118.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1160

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Suspicious use of WriteProcessMemory
      PID: 744

      C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - UAC bypass
        - Modifies registry key
        PID: 1004
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)