Resubmissions
18-05-2024 14:39
240518-r1dttsgc3s 6Analysis
-
max time kernel
71s -
max time network
70s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 14:39
Static task
static1
Behavioral task
behavioral1
Sample
4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe
-
Size
268KB
-
MD5
4d68507752275a8607502b0ae14ef9a1
-
SHA1
4e13b8267ca39e41b9dbf88dc3123fed37e409c0
-
SHA256
6fee95a3e283d9ad09a399e99b086ef70c3679eb8ad548161bdfababe3da68fb
-
SHA512
bbebbd027af9e953141efecbfde31137735d58e54ff26966475570c7414ddc03ee53636011fad404d60c8df0031a79d5f2b858819ded59428ead93a5d9732849
-
SSDEEP
6144:dI4M7nO35HbqtMFurLa8BqUlv8TqE4TvLOJ5tEpo6LlE7:aj6qsE8UVk4TotEpNLlE
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foebdo = "C:\\Users\\Admin\\AppData\\Roaming\\Ofhai\\ogeg.exe" msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3664 set thread context of 3148 3664 4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe 101 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31107377" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f076f35231a9da01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31107377" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1386071494" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004f8caa1c9f4cba428e26b677a31a634000000000020000000000106600000001000020000000926539895d2f3a8d4016e0367cda8a8f1b5139f42ac811f30084a0da70311fec000000000e8000000002000020000000adae4b7dcdeba46748394c9adcd1b1841534ec0634676ee2a3e1d7c44a5948982000000078b0cd1b694a9c93674d9f789dd2857c35ec97944a205c6cbc2ec6c6bb7c65644000000051ced35f9f4193d8b9d1adc644db9912a18d96b7e8594fddbad645d193b9e8e941dc2e7207d5a6a202f2f9d78ab761471efc32c762e14d997ba5078c46273be3 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1386071494" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7E284D33-1524-11EF-A2D1-76A3C14B7D9C} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004f8caa1c9f4cba428e26b677a31a6340000000000200000000001066000000010000200000008f8b913001cb341a2841bd9fcabfc8c192b880d4baac7afac64a59cbcb72dfd4000000000e8000000002000020000000cd6eaad7a4114e7b4662c359e86bcd4445ea5a54fa1cbb6f6b3fea86b57975e620000000d61cfc17529569a212298e26de1c1b10a5f56499b149156ccb9d8a61e49403e240000000499bfc3f82a256a7ccec96d85484b8be29bd54b24c474ac1a5dbdcbdbbf9a77bbdefd536613500e71bd17781241b0b1b3d735e93996e9e626232d048ca8cd3c1 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00bcee5231a9da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeSecurityPrivilege 3148 msiexec.exe Token: SeSecurityPrivilege 3148 msiexec.exe Token: SeDebugPrivilege 3560 taskmgr.exe Token: SeSystemProfilePrivilege 3560 taskmgr.exe Token: SeCreateGlobalPrivilege 3560 taskmgr.exe Token: 33 3560 taskmgr.exe Token: SeIncBasePriorityPrivilege 3560 taskmgr.exe -
Suspicious use of FindShellTrayWindow 56 IoCs
pid Process 3652 iexplore.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe -
Suspicious use of SendNotifyMessage 55 IoCs
pid Process 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3652 iexplore.exe 3652 iexplore.exe 1056 IEXPLORE.EXE 1056 IEXPLORE.EXE 1056 IEXPLORE.EXE 1056 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3652 wrote to memory of 1056 3652 iexplore.exe 97 PID 3652 wrote to memory of 1056 3652 iexplore.exe 97 PID 3652 wrote to memory of 1056 3652 iexplore.exe 97 PID 3664 wrote to memory of 3148 3664 4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe 101 PID 3664 wrote to memory of 3148 3664 4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe 101 PID 3664 wrote to memory of 3148 3664 4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe 101 PID 3664 wrote to memory of 3148 3664 4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe 101 PID 3664 wrote to memory of 3148 3664 4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4d68507752275a8607502b0ae14ef9a1_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3148
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\DisableUnprotect.gif1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3652 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1056
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD51a24b12242ec79df20d43490ff46a180
SHA1b6c093eb7b21033e45f2e2627007b11db3accacd
SHA25609ed7b3c274f2d75cb56b6f392c6cd0e33539162d888fe2ea8cb8affd826b7cf
SHA51214d9db6787b4346f57fbf6556fa00fcf484547b769a6d813a3dbacb7b80c54f599864d893f7270970e6e2ac80ab8a8499cb8fd0f3a93eaa31c7b2b1f25af1e2b
-
Filesize
268KB
MD54d68507752275a8607502b0ae14ef9a1
SHA14e13b8267ca39e41b9dbf88dc3123fed37e409c0
SHA2566fee95a3e283d9ad09a399e99b086ef70c3679eb8ad548161bdfababe3da68fb
SHA512bbebbd027af9e953141efecbfde31137735d58e54ff26966475570c7414ddc03ee53636011fad404d60c8df0031a79d5f2b858819ded59428ead93a5d9732849