Analysis

max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 05-05-2024 11:59
Static task static1

Behavioral task behavioral1: Sample 1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe, Resource win7-20240215-en
Behavioral task behavioral2: Sample 1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe, Resource win10v2004-20240419-en
Behavioral task behavioral3: Sample $PLUGINSDIR/System.dll, Resource win7-20240215-en
Behavioral task behavioral4: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240419-en
Behavioral task behavioral5: Sample $PLUGINSDIR/nsDialogs.dll, Resource win7-20240221-en
Behavioral task behavioral6: Sample $PLUGINSDIR/nsDialogs.dll, Resource win10v2004-20240226-en
Behavioral task behavioral7: Sample $TEMP/fireguard.dll, Resource win7-20240221-en
Behavioral task behavioral8: Sample $TEMP/fireguard.dll, Resource win10v2004-20240419-en
General

Target: 1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe
Size: 401KB
MD5: 1791f9961bf2f47483340dbf27282628
SHA1: e0595377579cd093ff5caa8bdab5893094d294e5
SHA256: 8fc177801ebf737d388b516947106943c8bd3c6b4b3c1ed72486621b617cc397
SHA512: c6e81d0c7389e785d2be6cdafce36bc7c536a983ff178f4bc6f85ea3587ea77336c4db4bc6d375bd0f155b218c3dac65f0f74847f3c0a6b3db6c4f9b83feadf5
SSDEEP: 12288:iOn6slzSR6croLZLontmIEGhmdyegN5KD/k:iOn6s06goLkNAPe
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Sets file execution options in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ztnb.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5qw5k9i5535gk.exe | nslookup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5qw5k9i5535gk.exe\DisableExceptionChainValidation | nslookup.exe
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Loads dropped DLL (2 IoCs)
pid | Process
2308 | 1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe
2308 | 1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
pid | Process
68392 | nslookup.exe
68516 | explorer.exe (8 entries)
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\win.ini | 1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nslookup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nslookup.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
2308 | 1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe
68516 | explorer.exe (13 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
2308 | 1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe
68392 | nslookup.exe (2 entries)
68516 | explorer.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (28 IoCs)
pid | Process | Tokens enabled
68392 | nslookup.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
68516 | explorer.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries are repetitions of the two distinct rows below (the same cross-process writes logged many times).
description | pid | Process | procid_target
PID 2308 wrote to memory of 68392 | 2308 | 1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe | 28
PID 68392 wrote to memory of 68516 | 68392 | nslookup.exe | 29
Processes

- C:\Windows\system32\Dwm.exe, command line "C:\Windows\system32\Dwm.exe", PID:1176
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE, PID:1204
  - C:\Users\Admin\AppData\Local\Temp\1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\1791f9961bf2f47483340dbf27282628_JaffaCakes118.exe", PID:2308
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\nslookup.exe, command line "C:\Windows\system32\nslookup.exe", PID:68392
      - Sets file execution options in registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe, command line C:\Windows\SysWOW64\explorer.exe, PID:68516
        - Modifies firewall policy service
        - Sets file execution options in registry
        - Checks BIOS information in registry
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

- Filesize: 517B
  MD5: 893cae59ab5945a94a7da007d47a1255
  SHA1: d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06
  SHA256: edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938
  SHA512: d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9
- Filesize: 69KB
  MD5: 0b5dbd2725bc7b0697f9ddeab360920f
  SHA1: 5b3feef13a8932f40cb6a55e6ca0df39cdc731b3
  SHA256: eed5d36879e2d0bee35d885b9546772c00d3f34115c4e23916cccfe87e33ea82
  SHA512: 773a51541bd7c5f6ee1817b78ad156a8c81c060bc030a0b1f232ddcecabc873ae06b46fd038d44060ad283fd27137ef67854e18fd611157e828b5d8c0b5a6ac9
- Filesize: 11KB
  MD5: fbe295e5a1acfbd0a6271898f885fe6a
  SHA1: d6d205922e61635472efb13c2bb92c9ac6cb96da
  SHA256: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
  SHA512: 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06