Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 01:39

Static task: static1
Behavioral task: behavioral1
  Sample: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe
  Resource: win10v2004-20240426-en

General
Target: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe
Size: 3.0MB
MD5: 8c7d811fbbf83e6dcb7a717a8b3cc973
SHA1: 9e03796094a40893c397cfe55067235f49984af0
SHA256: 20880bb6f71040cecbb2d9a79c3071f5fea80c50d35cbcf9f0e5783461adc893
SHA512: cbc7f005613349ef0a646051d9263982ad07a74405ae1a4b008327ebf1ecd93b93a30314ed31c7e0d786f9908633305f9032f75d6aba93d894f201a037601d16
SSDEEP: 49152:20PbK4oFm2qZqN6Ck6kTxCTcHHjNIbLRVm54TUxTcHHjNIbL:209ZqUCFM5jeBVUIje
Malware Config
Signatures
UAC bypass 1 IoCs
description       ioc                                                                                         process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe

Executes dropped EXE 1 IoCs
pid    process
2924   jkiaaaa.exe

Loads dropped DLL 8 IoCs
pid    process
848    8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe
2628   WerFault.exe (7 occurrences)

Checks whether UAC is enabled 1 IoCs
description       ioc                                                                                         process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs
description                    ioc                               process
File opened for modification   C:\Windows\Fonts.Lists            jkiaaaa.exe
File created                   C:\Windows\wulmrcma\conf.ini      jkiaaaa.exe
File opened for modification   C:\Windows\wulmrcma               8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe
File created                   C:\Windows\wulmrcma\jkiaaaa.exe   8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe

Program crash 1 IoCs
pid    pid_target   process        procid_target
2628   2924         WerFault.exe   28

Suspicious behavior: EnumeratesProcesses 22 IoCs
pid    process
848    8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe (22 occurrences)

Suspicious use of WriteProcessMemory 8 IoCs
description                        pid    process                                               procid_target
PID 848 wrote to memory of 2924    848    8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe   28   (4 occurrences)
PID 2924 wrote to memory of 2628   2924   jkiaaaa.exe                                           29   (4 occurrences)

System policy modification 1 TTPs 2 IoCs
description       ioc                                                                                         process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe"
  PID: 848
  - UAC bypass
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\wulmrcma\jkiaaaa.exe (depth 2, child of PID 848)
    command line: C:\Windows\wulmrcma\jkiaaaa.exe
    PID: 2924
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (depth 3, child of PID 2924)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 568
      PID: 2628
      - Loads dropped DLL
      - Program crash
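The signature tables and process tree above reduce to a compact set of host-based indicators: the sample sets EnableLUA to 0 under the Policies\System key (which switches UAC off once the machine is restarted), drops jkiaaaa.exe and conf.ini into C:\Windows\wulmrcma, modifies C:\Windows\Fonts.Lists, runs the dropped binary, and that binary crashes under WerFault.exe. The matcher below is an added example written for this page; it is not sandbox output and not code from the sample. It runs the report's indicators, plus one generalized rule (any .exe written under C:\Windows by a process running from the user's AppData\Local\Temp), over a constructed list of telemetry events in a simplified Sysmon-like schema. The event field names (type, pid, image, target, value, ppid, parent_image, cmdline) and the HKLM spelling of the registry path are assumptions about the telemetry source; the event list is built from the report's tables, not from captured data.

```python
"""IoC matcher for the sandbox findings on this page (added example; not sandbox output).

Events use a simplified, Sysmon-like schema (an assumption about the telemetry):
type, pid, image, target, value, ppid, parent_image, cmdline.
"""
import re
from collections import Counter

# Registry path as the sandbox prints it (NT-native) and as Sysmon/PowerShell show it (HKLM form, assumed).
ENABLELUA_NATIVE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
ENABLELUA_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# Paths taken from the report's "Drops file in Windows directory" table.
DROP_DIR = r"C:\Windows\wulmrcma"
DROPPED_EXE = DROP_DIR + r"\jkiaaaa.exe"
DROPPED_FILES = {DROPPED_EXE.lower(), (DROP_DIR + r"\conf.ini").lower(), r"c:\windows\fonts.lists"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe"

# Constructed from the report's signature tables and process tree; not real telemetry.
EVENTS = [
    {"type": "reg_set", "pid": 848, "image": SAMPLE, "target": ENABLELUA_NATIVE, "value": "0"},
    {"type": "file_create", "pid": 848, "image": SAMPLE, "target": DROPPED_EXE},
    {"type": "proc_create", "pid": 2924, "image": DROPPED_EXE, "ppid": 848, "parent_image": SAMPLE},
    {"type": "file_create", "pid": 2924, "image": DROPPED_EXE, "target": DROP_DIR + r"\conf.ini"},
    {"type": "file_modify", "pid": 2924, "image": DROPPED_EXE, "target": r"C:\Windows\Fonts.Lists"},
    {"type": "proc_create", "pid": 2628, "image": r"C:\Windows\SysWOW64\WerFault.exe", "ppid": 2924,
     "parent_image": DROPPED_EXE, "cmdline": "WerFault.exe -u -p 2924 -s 568"},
    # Constructed benign noise: an administrator re-enabling UAC must not fire the EnableLUA rule.
    {"type": "reg_set", "pid": 1200, "image": r"C:\Windows\regedit.exe", "target": ENABLELUA_HKLM, "value": "1"},
]


def normalize_reg_path(path):
    """Map NT-native hive prefixes to HKLM/HKU and lower-case, so both spellings compare equal."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)
    p = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", p, flags=re.IGNORECASE)
    return p.lower()


def match_events(events):
    """Return (rule, pid) findings; one event may satisfy several rules."""
    findings = []
    drop_prefix = DROP_DIR.lower() + "\\"
    for ev in events:
        kind = ev["type"]
        image = ev["image"].lower()
        target = ev.get("target", "").lower()
        parent = ev.get("parent_image", "").lower()

        # 1. UAC disabled: EnableLUA set to 0 (the report's "UAC bypass" / "System policy modification").
        if kind == "reg_set" and normalize_reg_path(ev["target"]) == normalize_reg_path(ENABLELUA_HKLM) \
                and str(ev.get("value")) == "0":
            findings.append(("uac_disabled_via_enablelua", ev["pid"]))

        # 2. Exact artifacts from the report (sample-specific).
        if kind in ("file_create", "file_modify") and target in DROPPED_FILES:
            findings.append(("known_dropped_artifact", ev["pid"]))

        # 3. Generalized: a process running from the user's Temp directory writes an .exe under C:\Windows.
        if kind == "file_create" and target.startswith("c:\\windows\\") and target.endswith(".exe") \
                and "\\appdata\\local\\temp\\" in image:
            findings.append(("temp_process_drops_exe_in_windows", ev["pid"]))

        # 4. The dropped binary is executed ("Executes dropped EXE").
        if kind == "proc_create" and image.startswith(drop_prefix):
            findings.append(("dropped_exe_executed", ev["pid"]))

        # 5. WerFault spawned by the dropped binary: it crashed ("Program crash"), so the run is likely incomplete.
        if kind == "proc_create" and image.endswith("\\werfault.exe") and parent.startswith(drop_prefix):
            findings.append(("werfault_for_dropped_exe", ev["pid"]))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for rule, _pid in findings)


if __name__ == "__main__":
    hits = match_events(EVENTS)
    for rule, pid in hits:
        print(f"{rule:36s} pid={pid}")
    print(dict(summarize(hits)))
```

Two caveats the page itself supports: on the Windows 7 run the dropped payload crashed (WerFault.exe -u -p 2924 -s 568 under PID 2924), so the listed behaviour is probably only the loader's, and the report also lists a behavioral2 task on win10v2004-20240426-en whose results are not shown here. The rules keyed on wulmrcma and jkiaaaa.exe are specific to this sample; the EnableLUA=0 rule and the Temp-to-Windows drop rule generalize, and the registry rule deliberately ignores writes that set EnableLUA back to 1.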
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: d2daea27ed35c95855500b083fbb9401
SHA1: 6b46107eca4365f90a3f2e86fbe89fc92dd8e575
SHA256: b455afa508f6e005c3111dfd599348e1b64d7a2215e3970eb888dfd740640696
SHA512: 663c79911de565f8a3eae1ff7a340a1c564d8b2bd6e89df47a5c6d7dc2b707077a1c21304338ac908c7dfb21d90e09764141fd927d985329f059cbe9665515c6

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\3310a4fa6cb9c60504498d7eea986fc2_4456596e-0528-4680-8940-5edc26c0ff50
Filesize: 50B
MD5: 45218adff3ea5bde8a8f61987f0f458b
SHA1: cf7fffa410795cc2f7703755f0acd17b51a44ad7
SHA256: f95361b82464704675f559b13c007c9567e5914984042f537122383e747194d4
SHA512: 8442cac48931075ec5bd31ea82faffc4f64d7b6845d5c477d06fc3d7eefeac1fa366b6880a85709a520a343b5dd3771e69bc4b7482cde50e69e04215927a2018

Filesize: 1.2MB
MD5: 5243fa11db5e0f7ab6bdbc4243fedd2a
SHA1: 22709d5eb3b82412220d94fcbc2086230b578edc
SHA256: 4b59b435e6be9d2c8d15237f285e5d163b5a8aae0fd07378fa85f38237c23d8b
SHA512: 23cb4e45d5293c407dfc4f3b0a9b2874608d7efe076606ab06194114f6571902b4336ce07f80ac98f0d12221fdb2261fd35b35bbc02fe614fc20c3544e853ebd