Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 23:53
Static task: static1
Behavioral task: behavioral1
  Sample: 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
- Size: 425KB
- MD5: 7034f17b2033bfd5ef9b0f81ce598da3
- SHA1: 959817c12dba46ce4e4595bf4f2374aadf52e8ef
- SHA256: 33175665dc003a737e982c767890412e57ea2ae96f25fd8535637f5894ff2074
- SHA512: 1390d2b6e58644238efb174f7b2726a5152e5b183dbbe4c02b0cacf796309df24c5e9bc4a4f26f1c525ae863f353020dcd6a63fa84afa6448072df87199a07c4
- SSDEEP: 6144:PqhlBy1+NR0frxdc6Dps/ep5NKWNzYXPAA5+VUbvpQhcHGBeBZq6wbTHK+5URA:PAlBpNR0fHcoNKWN7AQKG8BCbTHD9
Malware Config
Signatures
-
Contacts a large (13274) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  pid  | process
  328  | bcdedit.exe
  2168 | bcdedit.exe
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\"" | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\"" | upnpcont.exe
-
Deletes itself (1 IoC)
Processes:
  pid  | process
  1628 | cmd.exe
-
Drops startup file (1 IoC)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\upnpcont.lnk | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
-
Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  2948 | upnpcont.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid  | process
  2944 | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
  2948 | upnpcont.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\upnpcont = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\"" | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upnpcont = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\"" | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\upnpcont = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\"" | upnpcont.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upnpcont = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\"" | upnpcont.exe
-
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  3    | ipinfo.io
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid  | process
  2052 | vssadmin.exe
-
Kills process with taskkill (1 IoC)
Processes:
  pid  | process
  2592 | taskkill.exe
-
Modifies Control Panel (4 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\"" | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop | upnpcont.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\"" | upnpcont.exe
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2944 | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2592 | taskkill.exe
  Token: SeDebugPrivilege | 2948 | upnpcont.exe
  Token: SeBackupPrivilege | 1716 | vssvc.exe
  Token: SeRestorePrivilege | 1716 | vssvc.exe
  Token: SeAuditPrivilege | 1716 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 1708 | wmic.exe
  Token: SeSecurityPrivilege | 1708 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1708 | wmic.exe
  Token: SeLoadDriverPrivilege | 1708 | wmic.exe
  Token: SeSystemProfilePrivilege | 1708 | wmic.exe
  Token: SeSystemtimePrivilege | 1708 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1708 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1708 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1708 | wmic.exe
  Token: SeBackupPrivilege | 1708 | wmic.exe
  Token: SeRestorePrivilege | 1708 | wmic.exe
  Token: SeShutdownPrivilege | 1708 | wmic.exe
  Token: SeDebugPrivilege | 1708 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1708 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1708 | wmic.exe
  Token: SeUndockPrivilege | 1708 | wmic.exe
  Token: SeManageVolumePrivilege | 1708 | wmic.exe
  Token: 33 | 1708 | wmic.exe
  Token: 34 | 1708 | wmic.exe
  Token: 35 | 1708 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1708 | wmic.exe
  Token: SeSecurityPrivilege | 1708 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1708 | wmic.exe
  Token: SeLoadDriverPrivilege | 1708 | wmic.exe
  Token: SeSystemProfilePrivilege | 1708 | wmic.exe
  Token: SeSystemtimePrivilege | 1708 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1708 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1708 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1708 | wmic.exe
  Token: SeBackupPrivilege | 1708 | wmic.exe
  Token: SeRestorePrivilege | 1708 | wmic.exe
  Token: SeShutdownPrivilege | 1708 | wmic.exe
  Token: SeDebugPrivilege | 1708 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1708 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1708 | wmic.exe
  Token: SeUndockPrivilege | 1708 | wmic.exe
  Token: SeManageVolumePrivilege | 1708 | wmic.exe
  Token: 33 | 1708 | wmic.exe
  Token: 34 | 1708 | wmic.exe
  Token: 35 | 1708 | wmic.exe
-
Suspicious use of WriteProcessMemory (32 IoCs)
Processes:
  description | pid | process | target process
  PID 2944 wrote to memory of 2948 | 2944 | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe | upnpcont.exe
  PID 2944 wrote to memory of 2948 | 2944 | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe | upnpcont.exe
  PID 2944 wrote to memory of 2948 | 2944 | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe | upnpcont.exe
  PID 2944 wrote to memory of 2948 | 2944 | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe | upnpcont.exe
  PID 2944 wrote to memory of 1628 | 2944 | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe | cmd.exe
  PID 2944 wrote to memory of 1628 | 2944 | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe | cmd.exe
  PID 2944 wrote to memory of 1628 | 2944 | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe | cmd.exe
  PID 2944 wrote to memory of 1628 | 2944 | 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe | cmd.exe
  PID 1628 wrote to memory of 2592 | 1628 | cmd.exe | taskkill.exe
  PID 1628 wrote to memory of 2592 | 1628 | cmd.exe | taskkill.exe
  PID 1628 wrote to memory of 2592 | 1628 | cmd.exe | taskkill.exe
  PID 1628 wrote to memory of 2592 | 1628 | cmd.exe | taskkill.exe
  PID 1628 wrote to memory of 1648 | 1628 | cmd.exe | PING.EXE
  PID 1628 wrote to memory of 1648 | 1628 | cmd.exe | PING.EXE
  PID 1628 wrote to memory of 1648 | 1628 | cmd.exe | PING.EXE
  PID 1628 wrote to memory of 1648 | 1628 | cmd.exe | PING.EXE
  PID 2948 wrote to memory of 2052 | 2948 | upnpcont.exe | vssadmin.exe
  PID 2948 wrote to memory of 2052 | 2948 | upnpcont.exe | vssadmin.exe
  PID 2948 wrote to memory of 2052 | 2948 | upnpcont.exe | vssadmin.exe
  PID 2948 wrote to memory of 2052 | 2948 | upnpcont.exe | vssadmin.exe
  PID 2948 wrote to memory of 1708 | 2948 | upnpcont.exe | wmic.exe
  PID 2948 wrote to memory of 1708 | 2948 | upnpcont.exe | wmic.exe
  PID 2948 wrote to memory of 1708 | 2948 | upnpcont.exe | wmic.exe
  PID 2948 wrote to memory of 1708 | 2948 | upnpcont.exe | wmic.exe
  PID 2948 wrote to memory of 328 | 2948 | upnpcont.exe | bcdedit.exe
  PID 2948 wrote to memory of 328 | 2948 | upnpcont.exe | bcdedit.exe
  PID 2948 wrote to memory of 328 | 2948 | upnpcont.exe | bcdedit.exe
  PID 2948 wrote to memory of 328 | 2948 | upnpcont.exe | bcdedit.exe
  PID 2948 wrote to memory of 2168 | 2948 | upnpcont.exe | bcdedit.exe
  PID 2948 wrote to memory of 2168 | 2948 | upnpcont.exe | bcdedit.exe
  PID 2948 wrote to memory of 2168 | 2948 | upnpcont.exe | bcdedit.exe
  PID 2948 wrote to memory of 2168 | 2948 | upnpcont.exe | bcdedit.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2944
  - C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\upnpcont.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\upnpcont.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2948
    - C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 2052
    - C:\Windows\system32\wbem\wmic.exe (depth 3)
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 1708
    - C:\Windows\System32\bcdedit.exe (depth 3)
      Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID: 328
    - C:\Windows\System32\bcdedit.exe (depth 3)
      Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 2168
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: /d /c taskkill /t /f /im "7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe" > NUL
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1628
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /t /f /im "7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2592
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
      PID: 1648
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1716
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\upnpcont.lnk
  Filesize: 1KB
  MD5: d3dce7b417b4d1743c5245889711ffaa
  SHA1: 708343bd6c0b9d0765bbb855fe05cadac2610e61
  SHA256: 4898639d315b01c67d8cf02f6827df799892e530d259da92b60aaf0983aab5b6
  SHA512: fcee40beca3ee63fb669ca2b11b8dd53870b0bc074295eb04494815f084162bf297eab193ed44e3981d09988328b919b04237db32cf9d82138690635de08c768
- \Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\upnpcont.exe
  Filesize: 425KB
  MD5: 7034f17b2033bfd5ef9b0f81ce598da3
  SHA1: 959817c12dba46ce4e4595bf4f2374aadf52e8ef
  SHA256: 33175665dc003a737e982c767890412e57ea2ae96f25fd8535637f5894ff2074
  SHA512: 1390d2b6e58644238efb174f7b2726a5152e5b183dbbe4c02b0cacf796309df24c5e9bc4a4f26f1c525ae863f353020dcd6a63fa84afa6448072df87199a07c4
- memory/2944-0-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
- memory/2944-10-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
- memory/2948-11-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
- memory/2948-18-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB