Analysis Overview
SHA256
a4846aff20db1c1fcbca5dc8a182399bf1500983b18ac8562f28f99c22fb99a7
Threat Level: Known bad
The file 6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops file in Drivers directory
Sets service image path in registry
UPX packed file
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Adds Run key to start application
Enumerates connected drives
Modifies WinLogon
Installs/modifies Browser Helper Object
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-24 05:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 05:26
Reported
2024-05-24 05:28
Platform
win7-20240419-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fewfwe.com | udp |
| US | 3.130.204.160:80 | fewfwe.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | fewfwe.net | udp |
Files
memory/2456-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1580-1-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2456-2-0x00000000003D0000-0x00000000003F3000-memory.dmp
memory/3044-3-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\cftmon.exe
| MD5 | c764c5408195a5885478357b7d200faf |
| SHA1 | e9f96d13f884c96edd3b87cbccc48becf9757493 |
| SHA256 | 9fc68de414f43ec2fbc080dd086f271d5f00f30c6388d5f094a8b22dc247dc36 |
| SHA512 | aefd4a576db6859611cd6af791e631e2e848e2768bd4e533f3323cf80ee21f8bebd2cef8b446f97dfe675336a2def5187a1616e612f9e8509db601657270fa53 |
\Windows\SysWOW64\ftpdll.dll
| MD5 | d807aa04480d1d149f7a4cac22984188 |
| SHA1 | ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9 |
| SHA256 | eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb |
| SHA512 | 875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e |
memory/2456-29-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2456-34-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2456-35-0x00000000003D0000-0x00000000003F3000-memory.dmp
memory/1580-36-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3044-37-0x0000000000400000-0x0000000000423000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-24 05:26
Reported
2024-05-24 05:28
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\6d76eccef17c33d108fea2d3b0f1846b_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | fewfwe.com | udp |
| US | 3.140.13.188:80 | fewfwe.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.13.140.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.7.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fewfwe.net | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/3644-0-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 04e41928006333ccf592fb33d21e5401 |
| SHA1 | 2c99435b4821a2730168ae10e4d4bf6a321384e5 |
| SHA256 | 8e06ded82224c96762e36de8b839b343bad7e9a1b099d5144fb94dd9ba013b62 |
| SHA512 | b19e5b4ea27187af0996724b8196a000a05c51dea9a5a7c0ca731b4e0284f5ae5555ce2b8826240c05b30b10aac078547c27302b6c26f6253da60f4f6973feb2 |
memory/4428-13-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Windows\SysWOW64\ftpdll.dll
| MD5 | d807aa04480d1d149f7a4cac22984188 |
| SHA1 | ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9 |
| SHA256 | eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb |
| SHA512 | 875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e |
memory/3644-19-0x0000000010000000-0x000000001010B000-memory.dmp
memory/1348-20-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3644-21-0x0000000010000000-0x000000001010B000-memory.dmp
memory/3644-22-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4016-24-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4428-25-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1348-26-0x0000000000400000-0x0000000000423000-memory.dmp