Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 05:26
Behavioral task behavioral1 (the run reported below): Sample 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe, Resource win10v2004-20240419-en
General
Target: 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe
Size: 668KB
MD5: 1f97df62030c674d61a88e16bd060018
SHA1: 99781094b42fb86151545a81f748f563b2d7b6cb
SHA256: 5efe38d9dfcc868f9d4e101efc39fe89c9865d6ad55de74b030b25bf72e935a2
SHA512: 3d304a6eac8ff9b451b2ac3fd08f54b2e4fc5eeb1e510867a3413b1a21ced04dd7b010264a1e7965b426916522539815707f167fc56053bbdd12ca5fa612a178
SSDEEP: 12288:1pwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIb8:HwAcu99lPzvxP+Bsz2XjWTRMQckkIb
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Windupdt\\winupdate.exe"
  Winlogon runs every comma-separated entry in UserInit at interactive logon, so the dropped winupdate.exe starts next to the genuine userinit.exe. The default value is only "C:\Windows\system32\userinit.exe,"; anything appended after it should be treated as suspect. Writing this value needs write access to HKLM, which succeeded here because the sample ran with an elevated token (see the AdjustPrivilegeToken entries below).
- Modifies firewall policy service (2 TTPs, 6 IoCs)
  Processes: explorer.exe, winupdate.exe (each performs the same three operations)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
  Note that EnableFirewall is written as 1, not 0: the standard-profile firewall is left on and only its notifications are silenced, so this is notification suppression rather than a firewall bypass. A value of 0 here would disable the firewall.
- Modifies security service (2 TTPs, 2 IoCs)
  Processes: winupdate.exe, explorer.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (winupdate.exe)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (explorer.exe)
  Start = 4 is SERVICE_DISABLED for the Security Center service (wscsvc). A start-type change takes effect at the next service start or reboot; the report records no attempt to stop the running service.
- Windows security bypass (4 IoCs; signature name restored from the process tree below, where it occupies this position)
  Processes: winupdate.exe, explorer.exe (each writes both values)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  The writes land under Wow6432Node because both processes are 32-bit (SysWOW64) and HKLM\SOFTWARE is redirected for them. On this x64 image the 64-bit Security Center service reads the native key, so verify on a live host whether the redirected values have any effect before crediting the sample with a working bypass.
- Disables RegEdit via registry modification (2 IoCs)
  Processes: winupdate.exe, explorer.exe (each writes the value once)
  Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  This is a per-user policy (HKCU of the Admin account), so it blocks regedit.exe for that account only; reg.exe and another account can still read and reverse it.
- Disables Task Manager via registry modification (no IoC rows listed in this report)
- Drops file in Drivers directory (1 IoC)
  Process: 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe
  File opened for modification C:\Windows\system32\drivers\etc\hosts
  The file is the hosts file, not a driver: opening it for write is the usual way to redirect or block name resolution locally. The report records only the open, so the entries actually added have to be read from the hosts file in the sandbox filesystem.
- Checks BIOS information in registry (2 TTPs, 3 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate by explorer.exe, 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe and winupdate.exe
- Executes dropped EXE (1 IoC)
  PID 2216 winupdate.exe
- Loads dropped DLL (4 IoCs)
  PID 2156 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe (1 load); PID 2216 winupdate.exe (3 loads)
- Windows security modification (2 IoCs; signature name restored from the process tree below)
  Process: winupdate.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  These are the same two writes already counted under Windows security bypass; this signature reports winupdate.exe's copy of them a second time.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windupdt\\winupdate.exe"
  Unlike the Winlogon entry, this HKCU Run value needs no elevation, so it is the persistence that would survive if the sample ran as a standard user. The value name "winupdater" and the Windupdt folder under %TEMP% are the cheap hunting pivots.
- Suspicious use of SetThreadContext (1 IoC)
  PID 2216 (winupdate.exe) set the thread context of PID 2668 (explorer.exe, procid_target 30)
  Paired with the nine WriteProcessMemory calls from 2216 into 2668 listed below, this is consistent with process hollowing: the child's thread is repointed at code the parent wrote into it. The behaviour attributed to explorer.exe (PID 2668) further down should therefore be read as winupdate.exe's payload running under a trusted image name.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 12 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Each of explorer.exe, 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe and winupdate.exe opens \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and queries its Identifier, ProcessorNameString and VendorIdentifier values.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier by 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe, winupdate.exe and explorer.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2668 explorer.exe
  Polling GetForegroundWindow in a tight loop is how window-title loggers track which application the user is working in; together with the SetWindowsHookEx entry below it is consistent with keystroke or activity capture from the hollowed explorer.exe.
- Suspicious use of AdjustPrivilegeToken (64 IoCs; the list stops at 64 entries, so explorer.exe's run is cut off mid-sequence)
  Each process enables the same run of privileges in token order, which is what an enable-everything AdjustTokenPrivileges loop produces rather than a targeted SeDebugPrivilege request. The report shows three privileges by LUID only: 33 is SeIncreaseWorkingSetPrivilege, 34 is SeTimeZonePrivilege, 35 is SeCreateSymbolicLinkPrivilege.
  PID 2156 (1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe), 23 entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2216 (winupdate.exe), 25 entries: the same 23 in the same order, then SeRestorePrivilege and SeBackupPrivilege once more
  PID 2668 (explorer.exe), 16 entries before the cut-off: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2668 explorer.exe
  SetWindowsHookEx is the API behind user-mode keyboard and mouse hooks; the report does not record which hook type was installed.
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2156 (1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe) wrote to memory of PID 1632 (explorer.exe, procid_target 28): 4 times
  PID 2156 (1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe) wrote to memory of PID 2216 (winupdate.exe, procid_target 29): 7 times
  PID 2216 (winupdate.exe) wrote to memory of PID 2668 (explorer.exe, procid_target 30): 9 times
  Only the last target also receives SetThreadContext. The first explorer.exe (PID 1632) receives four writes from the sample and then shows no further activity anywhere in the tree.
- System policy modification (1 TTP, 3 IoCs)
  Process: winupdate.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
  The path is malformed. Explorer reads NoControlPanel from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (and the HKCU equivalent), not from Policies\CurrentVersion\Explorern, so this write creates junk keys without actually hiding the Control Panel. It remains a good host indicator precisely because the misspelt key has no legitimate reason to exist.
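As an added example (not part of the sandbox report or of its signature engine), the script below parses the "Set value" rows listed above in the row format the report uses, normalises the native-object registry paths to HKLM/HKCU form, and applies one rule per signature. The rows are copied from this report; the rule names, the Finding record and the normalisation are my own. It encodes the two caveats noted above: EnableFirewall=1 is not a firewall bypass, and the NoControlPanel write sits under a key Explorer never reads.

```python
"""Registry-write triage rules for the signatures in this report (added example)."""
import re
from dataclasses import dataclass

# Constructed input: the "Set value" rows copied from this report, one per line,
# in the report's own row format:  Set value (type) <key\value> = "<data>" <process>
REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Windupdt\\winupdate.exe" 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windupdt\\winupdate.exe" 1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" winupdate.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" winupdate.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winupdate.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winupdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" winupdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" winupdate.exe
'''

ROW_RE = re.compile(r'^Set value \((?P<kind>str|int)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
SID_RE = re.compile(r'^HKU\\S-1-5-21-[\d-]+\\', re.IGNORECASE)
DEFAULT_USERINIT = r'c:\windows\system32\userinit.exe'   # the only entry Winlogon should carry


@dataclass(frozen=True)
class Finding:
    process: str
    tactic: str
    detail: str
    path: str


def canonical_key(path: str) -> tuple[str, str, bool]:
    """Split a native-object path into (lower-cased HKLM/HKCU key, value name, wow64 flag).

    ControlSet001 is folded into CurrentControlSet and the Wow6432Node view is
    stripped (but reported), so one rule matches either view or control set.
    """
    key, _, name = path.rpartition('\\')
    key = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', key, flags=re.I)
    key = re.sub(r'^\\REGISTRY\\USER\\', r'HKU\\', key, flags=re.I)
    key = SID_RE.sub(r'HKCU\\', key)
    key = re.sub(r'\\ControlSet\d{3}\\', r'\\CurrentControlSet\\', key, flags=re.I)
    wow64 = '\\wow6432node\\' in key.lower()
    key = re.sub(r'\\Wow6432Node\\', r'\\', key, flags=re.I)
    return key.lower(), name.lower(), wow64


def evaluate(key: str, name: str, data: str, wow64: bool):
    """Return (tactic, detail) when a write matches one of the rules, else None."""
    if key.endswith(r'\windows nt\currentversion\winlogon') and name == 'userinit':
        entries = [e.strip() for e in data.split(',') if e.strip()]
        extra = [e for e in entries if e.lower() != DEFAULT_USERINIT]
        return ('persistence', 'Winlogon UserInit launches extra binaries at logon: ' + ', '.join(extra)) if extra else None
    if key.endswith(r'\currentversion\run') and '\\appdata\\local\\temp\\' in data.lower():
        return ('persistence', f'Run value "{name}" points into %TEMP%: {data}')
    if key.endswith(r'\services\wscsvc') and name == 'start' and data == '4':
        return ('defense-evasion', 'Security Center service (wscsvc) start type set to 4 = SERVICE_DISABLED')
    if key.endswith(r'\firewallpolicy\standardprofile'):
        if name == 'enablefirewall' and data == '0':
            return ('defense-evasion', 'Windows Firewall disabled for the standard profile')
        if name == 'disablenotifications' and data == '1':
            return ('defense-evasion', 'Windows Firewall notifications suppressed (firewall itself left enabled as written)')
        return None   # EnableFirewall = "1" is not a bypass
    if key.endswith(r'\policies\system') and name == 'disableregistrytools' and data == '1':
        return ('defense-evasion', 'Registry editor blocked for this user (DisableRegistryTools=1)')
    if key.endswith(r'\microsoft\security center') and name in ('antivirusdisablenotify', 'updatesdisablenotify') and data == '1':
        view = 'Wow6432Node view (32-bit writer)' if wow64 else 'native view'
        return ('defense-evasion', f'Security Center alert {name} suppressed via {view}')
    if name == 'nocontrolpanel':
        if key.endswith(r'\policies\explorer'):
            return ('defense-evasion', 'Control Panel hidden via Explorer policy')
        return ('defense-evasion', f'NoControlPanel written under non-policy key "{key}" (Explorer does not read it here)')
    return None


def triage(rows: str) -> list[Finding]:
    """Apply the rules to every 'Set value' row; other row types are skipped."""
    findings = []
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, name, wow64 = canonical_key(m['path'])
        data = m['data'].replace('\\\\', '\\')   # the report doubles backslashes in string data
        hit = evaluate(key, name, data, wow64)
        if hit:
            findings.append(Finding(m['proc'], hit[0], hit[1], m['path']))
    return findings


if __name__ == '__main__':
    for f in triage(REPORT_ROWS):
        print(f'[{f.tactic:15}] {f.process}: {f.detail}')
```

Run it directly to print one line per finding; the same function takes the "Set value" rows of any other report in this row format, which makes it a quick way to diff persistence and defence-evasion writes between samples.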
Processes
1. C:\Users\Admin\AppData\Local\Temp\1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe (PID 2156)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe"
   - Modifies WinLogon for persistence
   - Drops file in Drivers directory
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Adds Run key to start application
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\explorer.exe (PID 1632)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      (no signatures attributed)
   2. C:\Users\Admin\AppData\Local\Temp\Windupdt\winupdate.exe (PID 2216)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Windupdt\winupdate.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      3. C:\Windows\SysWOW64\explorer.exe (PID 2668)
         Command line: "C:\Windows\SysWOW64\explorer.exe"
         - Modifies firewall policy service
         - Modifies security service
         - Windows security bypass
         - Disables RegEdit via registry modification
         - Checks BIOS information in registry
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
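As an added example, not taken from the report, the script below rebuilds the process tree and the cross-process memory events from the rows above and applies two checks an analyst would otherwise do by eye: a system image (explorer.exe) launched from a user-writable path, and a target that received both WriteProcessMemory and SetThreadContext from the same writer. The PID/parent tables and the event counts are copied from this report; the heuristics, labels and output format are mine.

```python
"""Lineage and injection-edge checks for the process tree above (added example)."""
from collections import defaultdict

# Constructed from the report's process tree: PID -> image path.
PROCESSES = {
    2156: r'C:\Users\Admin\AppData\Local\Temp\1f97df62030c674d61a88e16bd060018_JaffaCakes118.exe',
    1632: r'C:\Windows\SysWOW64\explorer.exe',
    2216: r'C:\Users\Admin\AppData\Local\Temp\Windupdt\winupdate.exe',
    2668: r'C:\Windows\SysWOW64\explorer.exe',
}
# child PID -> parent PID, from the tree's nesting.
PARENT = {1632: 2156, 2216: 2156, 2668: 2216}

# (api, writer PID, target PID): one tuple per IoC row in the
# WriteProcessMemory and SetThreadContext signatures above.
EVENTS = (
    [('WriteProcessMemory', 2156, 1632)] * 4
    + [('WriteProcessMemory', 2156, 2216)] * 7
    + [('WriteProcessMemory', 2216, 2668)] * 9
    + [('SetThreadContext', 2216, 2668)]
)

SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
USER_WRITABLE = ('\\appdata\\local\\temp\\', '\\appdata\\roaming\\', '\\users\\public\\')


def image_name(pid: int) -> str:
    return PROCESSES[pid].rsplit('\\', 1)[-1].lower()


def is_system_image(pid: int) -> bool:
    return PROCESSES[pid].lower().startswith(SYSTEM_DIRS)


def is_user_writable(pid: int) -> bool:
    return any(d in PROCESSES[pid].lower() for d in USER_WRITABLE)


def injection_edges(events):
    """Aggregate events into (writer, target) -> {apis} plus a WriteProcessMemory count."""
    apis = defaultdict(set)
    writes = defaultdict(int)
    for api, src, dst in events:
        if src == dst:
            continue
        apis[(src, dst)].add(api)
        if api == 'WriteProcessMemory':
            writes[(src, dst)] += 1
    return apis, writes


def assess(processes, parent, events):
    """Return {pid: [flags]}; an empty list means nothing suspicious was attributed."""
    apis, writes = injection_edges(events)
    verdicts = {}
    for pid in processes:
        flags = []
        ppid = parent.get(pid)
        if ppid is not None and is_system_image(pid) and is_user_writable(ppid):
            flags.append('system image spawned from a user-writable path')
        for (src, dst), seen in apis.items():
            if dst != pid:
                continue
            if {'WriteProcessMemory', 'SetThreadContext'} <= seen:
                flags.append(f'hollowing candidate: {writes[(src, dst)]} writes then SetThreadContext from PID {src}')
            elif src == ppid:
                # A parent also writes into a freshly created child during normal
                # CreateProcess setup, so writes without a context change are weak on their own.
                flags.append(f'{writes[(src, dst)]} writes from parent, no thread-context change')
        verdicts[pid] = flags
    return verdicts


def render(processes, parent, verdicts):
    """Indented tree, one line per process, with verdict flags appended."""
    children = defaultdict(list)
    for pid, ppid in parent.items():
        children[ppid].append(pid)
    lines = []

    def walk(pid, depth):
        tag = '  <-- ' + '; '.join(verdicts[pid]) if verdicts[pid] else ''
        lines.append('  ' * depth + f'{image_name(pid)} (PID {pid}){tag}')
        for child in children[pid]:
            walk(child, depth + 1)

    for root in (p for p in processes if p not in parent):
        walk(root, 0)
    return lines


if __name__ == '__main__':
    print('\n'.join(render(PROCESSES, PARENT, assess(PROCESSES, PARENT, EVENTS))))
```

The interesting output line is the last one: PID 2668 is flagged both for its lineage and as a hollowing candidate, while PID 1632 (the first explorer.exe) carries only the weaker "writes from parent" flag, matching the report's observation that it never does anything afterwards.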
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Create or Modify System Process (T1543): 2
    Windows Service (T1543.003): 2
Downloads
Filesize: 668KB
MD5: 1f97df62030c674d61a88e16bd060018
SHA1: 99781094b42fb86151545a81f748f563b2d7b6cb
SHA256: 5efe38d9dfcc868f9d4e101efc39fe89c9865d6ad55de74b030b25bf72e935a2
SHA512: 3d304a6eac8ff9b451b2ac3fd08f54b2e4fc5eeb1e510867a3413b1a21ced04dd7b010264a1e7965b426916522539815707f167fc56053bbdd12ca5fa612a178