Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 10:29
Static task: static1
Behavioral task: behavioral1
  Sample: 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe
Size: 70KB
MD5: 3f09fbc368f17edb61193d5db5ee0749
SHA1: e6b725fcf7c69c251ca05b6fac7816c0b9579d52
SHA256: 253c088b88328696a1b70dd570fb0372c912a7b7a5eeb703d2cc7d29b2cdbf32
SHA512: d068ca2291e4363ef070b0d2bfe81adc7eb656d978c97c22f7e6bd6b5a4b5a2939fe996753ce0d3cf7271cf45a346dfc9297e92bd00e4798804b9db37d0aa2b9
SSDEEP: 1536:CNCRz5fBMn24kEuqzcEjI+uYJU1YRqo1Wujp2zN5X:tiHkEuqdVBUEqo/l2zN9
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SHELL = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\KB8777677\\KB8777677.exe\"" | svchost.exe

Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KB8777677 = "\"C:\\Users\\Admin\\AppData\\Local\\KB8777677\\KB8777677.exe\"" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KB8777677 = "\"C:\\Users\\Admin\\AppData\\Local\\KB8777677\\KB8777677.exe\"" | svchost.exe

Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | svchost.exe

Disables Task Manager via registry modification

Deletes itself (1 IoC)
  pid | Process
  2668 | svchost.exe

UPX-packed memory regions matched by YARA
  resource | yara_rule
  behavioral2/memory/2804-2-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/2804-3-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/2804-4-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/2804-5-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/2804-10-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/2668-15-0x0000000000BD0000-0x0000000000BED000-memory.dmp | upx
  behavioral2/memory/2668-17-0x0000000000BD0000-0x0000000000BED000-memory.dmp | upx
  behavioral2/memory/2668-18-0x0000000000BD0000-0x0000000000BED000-memory.dmp | upx
  behavioral2/memory/2668-20-0x0000000000BD0000-0x0000000000BED000-memory.dmp | upx
  behavioral2/memory/2668-21-0x0000000000BD0000-0x0000000000BED000-memory.dmp | upx
  behavioral2/memory/2668-26-0x0000000000BD0000-0x0000000000BED000-memory.dmp | upx
  behavioral2/memory/2668-36-0x0000000000BD0000-0x0000000000BED000-memory.dmp | upx
  behavioral2/memory/2668-59-0x0000000000BD0000-0x0000000000BED000-memory.dmp | upx
  behavioral2/memory/2668-66-0x0000000000BD0000-0x0000000000BED000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KB8777677 = "\"C:\\Users\\Admin\\AppData\\Local\\KB8777677\\KB8777677.exe\"" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KB8777677 = "\"C:\\Users\\Admin\\AppData\\Local\\KB8777677\\KB8777677.exe\"" | svchost.exe

Modifies Internet Explorer settings
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable AutoImageResize = "yes" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "yes" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\UseThemes = "1" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes" | svchost.exe

Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid | Process
  2804 | 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe (repeated entries)
  2668 | svchost.exe (repeated entries)

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | Process
  3216 | 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe
  2804 | 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe
  1528 | svchost.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3216 wrote to memory of 2804 | 3216 | 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe | 82
  PID 3216 wrote to memory of 2804 | 3216 | 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe | 82
  PID 3216 wrote to memory of 2804 | 3216 | 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe | 82
  PID 2804 wrote to memory of 1528 | 2804 | 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe | 83
  PID 2804 wrote to memory of 1528 | 2804 | 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe | 83
  PID 2804 wrote to memory of 1528 | 2804 | 3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe | 83
  PID 1528 wrote to memory of 2668 | 1528 | svchost.exe | 87
  PID 1528 wrote to memory of 2668 | 1528 | svchost.exe | 87
  PID 1528 wrote to memory of 2668 | 1528 | svchost.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe"
   PID: 3216
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\3f09fbc368f17edb61193d5db5ee0749_JaffaCakes118.exe"
      PID: 2804
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe
         command line: "svchost.exe" path<<c:\users\admin\appdata\local\temp\3f09fbc368f17edb61193d5db5ee0749_jaffacakes118.exe>>path
         PID: 1528
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\svchost.exe
            command line: "svchost.exe" path<<c:\users\admin\appdata\local\temp\3f09fbc368f17edb61193d5db5ee0749_jaffacakes118.exe>>path
            PID: 2668
            - Modifies WinLogon for persistence
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Deletes itself
            - Adds Run key to start application
            - Modifies Internet Explorer settings
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 70KB
MD5: 3f09fbc368f17edb61193d5db5ee0749
SHA1: e6b725fcf7c69c251ca05b6fac7816c0b9579d52
SHA256: 253c088b88328696a1b70dd570fb0372c912a7b7a5eeb703d2cc7d29b2cdbf32
SHA512: d068ca2291e4363ef070b0d2bfe81adc7eb656d978c97c22f7e6bd6b5a4b5a2939fe996753ce0d3cf7271cf45a346dfc9297e92bd00e4798804b9db37d0aa2b9