Analysis
-
max time kernel
118s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 23:32
Static task
static1
Behavioral task
behavioral1
Sample
6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe
-
Size
2.1MB
-
MD5
6902bbf6691e2ce016859066f9959a7f
-
SHA1
2aaa79cb56458eb8d6db867fdb34fe8535b995db
-
SHA256
0fb87ea5c45560676f963358531e27d8f368c7a7f4de66d24b93964c6a46c179
-
SHA512
06ae9b01f79ecb7cba3dc88a5b465fa123ff967c75721832308523fcd8aa3eeae8db090cff31493c27c2f6c60a53b5777d4dda251d24f5f2464f103d30da0960
-
SSDEEP
49152:yiqXjFPE6KQaqz5HgrqhPLKqXZj8wTbDyhsotbgJSg79g3Ze7:yzzFM7q1Hg2hP2o3o
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
svchost_ms.exesvchost_ms.exepid process 2656 svchost_ms.exe 2552 svchost_ms.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid process 2592 cmd.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
Processes:
svchost_ms.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat svchost_ms.exe -
Drops file in Program Files directory 4 IoCs
Processes:
6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exesvchost_ms.exedescription ioc process File created C:\Program Files (x86)\SmartData\svchost_ms.exe 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\SmartData\svchost_ms.exe 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe File created C:\Program Files (x86)\SmartData\performer.exe svchost_ms.exe File opened for modification C:\Program Files (x86)\SmartData\performer.exe svchost_ms.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Bios 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
svchost_ms.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D3497282-776F-4401-8CBB-107479D20ACE} svchost_ms.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D3497282-776F-4401-8CBB-107479D20ACE}\12-a6-cd-1f-46-65 svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost_ms.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost_ms.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost_ms.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost_ms.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs svchost_ms.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D3497282-776F-4401-8CBB-107479D20ACE}\WpadDecisionTime = 90209162a0acda01 svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost_ms.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust svchost_ms.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D3497282-776F-4401-8CBB-107479D20ACE}\WpadNetworkName = "Network 3" svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust svchost_ms.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D3497282-776F-4401-8CBB-107479D20ACE}\WpadDecisionReason = "1" svchost_ms.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D3497282-776F-4401-8CBB-107479D20ACE}\WpadDecision = "0" svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs svchost_ms.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 svchost_ms.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-a6-cd-1f-46-65\WpadDecisionReason = "1" svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs svchost_ms.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-a6-cd-1f-46-65\WpadDecision = "0" svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates svchost_ms.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost_ms.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" svchost_ms.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-a6-cd-1f-46-65 svchost_ms.exe -
Processes:
6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exesvchost_ms.exepid process 2936 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe 2552 svchost_ms.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
svchost_ms.exedescription pid process Token: SeTcbPrivilege 2552 svchost_ms.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.execmd.exedescription pid process target process PID 2936 wrote to memory of 2592 2936 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe cmd.exe PID 2936 wrote to memory of 2592 2936 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe cmd.exe PID 2936 wrote to memory of 2592 2936 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe cmd.exe PID 2936 wrote to memory of 2592 2936 6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe cmd.exe PID 2592 wrote to memory of 2540 2592 cmd.exe choice.exe PID 2592 wrote to memory of 2540 2592 cmd.exe choice.exe PID 2592 wrote to memory of 2540 2592 cmd.exe choice.exe PID 2592 wrote to memory of 2540 2592 cmd.exe choice.exe PID 2592 wrote to memory of 2656 2592 cmd.exe svchost_ms.exe PID 2592 wrote to memory of 2656 2592 cmd.exe svchost_ms.exe PID 2592 wrote to memory of 2656 2592 cmd.exe svchost_ms.exe PID 2592 wrote to memory of 2656 2592 cmd.exe svchost_ms.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6902bbf6691e2ce016859066f9959a7f_JaffaCakes118.exe"1⤵
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /S /C choice /C Y /N /D Y /T 3 & "C:\Program Files (x86)\SmartData\svchost_ms.exe" /start2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Program Files (x86)\SmartData\svchost_ms.exe"C:\Program Files (x86)\SmartData\svchost_ms.exe" /start3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\SmartData\svchost_ms.exe"C:\Program Files (x86)\SmartData\svchost_ms.exe" /srv1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Program Files (x86)\SmartData\svchost_ms.exeFilesize
2.1MB
MD56902bbf6691e2ce016859066f9959a7f
SHA12aaa79cb56458eb8d6db867fdb34fe8535b995db
SHA2560fb87ea5c45560676f963358531e27d8f368c7a7f4de66d24b93964c6a46c179
SHA51206ae9b01f79ecb7cba3dc88a5b465fa123ff967c75721832308523fcd8aa3eeae8db090cff31493c27c2f6c60a53b5777d4dda251d24f5f2464f103d30da0960