Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 21:16
Static task
static1
Behavioral task
behavioral1
Sample
0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe
-
Size
3.1MB
-
MD5
0616bd87413ee4f31e8ff45aaf816149
-
SHA1
74f95ddbd7b4c7ebb165ac600a7e0f18c1f9906e
-
SHA256
bfaef5ebd7fa9ea692bbde3010611e3f338b6a119f4b8bd0a60b54dbada7a53e
-
SHA512
63e666d72e25239188b1a9ce51ae45368dda8214cb819e52e5504b70e5a80831a8c3c1db53f87f3ae5b72b45a70a7f238213feba163a604208e3982ee4c4511b
-
SSDEEP
49152:ZUuBTOjZwS1Ihk+hy7iHuaRZnt+NTNLiG976:ZXRO0hkr2Rxt+ev
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Processes:
wininit.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wininit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe, cmd.exe /c start c:\\windows\\wininit.exe" wininit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe, cmd.exe /c start c:\\windows\\wininit.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
wininit.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wininit.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Processes:
wininit.exesvchost.exe0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
Processes:
wininit.exesvchost.exepid process 2820 wininit.exe 2728 svchost.exe -
Loads dropped DLL 1 IoCs
Processes:
0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exepid process 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
wininit.exesvchost.exe0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe -
Drops file in Windows directory 4 IoCs
Processes:
wininit.exe0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exedescription ioc process File opened for modification \??\c:\windows\wininit.exe wininit.exe File created \??\c:\windows\wininit.exe 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe File opened for modification \??\c:\windows\wininit.exe 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe File opened for modification \??\c:\windows\RCX189F.tmp 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exewininit.exesvchost.exepid process 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe 2820 wininit.exe 2820 wininit.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe 2820 wininit.exe 2728 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
wininit.exesvchost.exepid process 2820 wininit.exe 2728 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
wininit.exepid process 2820 wininit.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exedescription pid process target process PID 2808 wrote to memory of 2820 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe wininit.exe PID 2808 wrote to memory of 2820 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe wininit.exe PID 2808 wrote to memory of 2820 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe wininit.exe PID 2808 wrote to memory of 2820 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe wininit.exe PID 2808 wrote to memory of 2728 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe svchost.exe PID 2808 wrote to memory of 2728 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe svchost.exe PID 2808 wrote to memory of 2728 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe svchost.exe PID 2808 wrote to memory of 2728 2808 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe svchost.exe -
System policy modification 1 TTPs 9 IoCs
Processes:
wininit.exesvchost.exe0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0616bd87413ee4f31e8ff45aaf816149_JaffaCakes118.exe"1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2808 -
\??\c:\windows\wininit.exec:\windows\wininit.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2820 -
\??\c:\users\admin\appdata\local\svchost.exec:\users\admin\appdata\local\svchost.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:2728
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\RCX189F.tmpFilesize
3.1MB
MD5d246c44f8b8f4ad23b849bd68df1d8ba
SHA125013faddc2c160f32a9fae5c8118a9254b8c27a
SHA2564a57bc3dbaf040162b009a324a0718eb06a8fc7365aa86fb6b2d9118b584d9fe
SHA51299f3e96c14fc3be41cf9ac822d5cb6192fe3cc0e4ae26f95d9826817cba9796cb0a699abee73601bcbfbc6545734212ff294ddbae1a178a50a156511164c04e7
-
C:\Windows\wininit.exeFilesize
3.1MB
MD50616bd87413ee4f31e8ff45aaf816149
SHA174f95ddbd7b4c7ebb165ac600a7e0f18c1f9906e
SHA256bfaef5ebd7fa9ea692bbde3010611e3f338b6a119f4b8bd0a60b54dbada7a53e
SHA51263e666d72e25239188b1a9ce51ae45368dda8214cb819e52e5504b70e5a80831a8c3c1db53f87f3ae5b72b45a70a7f238213feba163a604208e3982ee4c4511b
-
memory/2728-43-0x0000000000400000-0x00000000007B5000-memory.dmpFilesize
3.7MB
-
memory/2728-53-0x0000000000400000-0x00000000007B5000-memory.dmpFilesize
3.7MB
-
memory/2808-0-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2808-40-0x0000000000400000-0x00000000007B5000-memory.dmpFilesize
3.7MB
-
memory/2820-42-0x0000000000400000-0x00000000007B5000-memory.dmpFilesize
3.7MB
-
memory/2820-52-0x0000000000400000-0x00000000007B5000-memory.dmpFilesize
3.7MB
-
memory/2820-64-0x0000000000400000-0x00000000007B5000-memory.dmpFilesize
3.7MB