Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/06/2024, 01:39
Static task: static1
Behavioral task: behavioral1
- Sample: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe
- Size: 3.0MB
- MD5: 8c7d811fbbf83e6dcb7a717a8b3cc973
- SHA1: 9e03796094a40893c397cfe55067235f49984af0
- SHA256: 20880bb6f71040cecbb2d9a79c3071f5fea80c50d35cbcf9f0e5783461adc893
- SHA512: cbc7f005613349ef0a646051d9263982ad07a74405ae1a4b008327ebf1ecd93b93a30314ed31c7e0d786f9908633305f9032f75d6aba93d894f201a037601d16
- SSDEEP: 49152:20PbK4oFm2qZqN6Ck6kTxCTcHHjNIbLRVm54TUxTcHHjNIbL:209ZqUCFM5jeBVUIje
Malware Config
Signatures
- (signature name missing from the extracted page) 2 IoCs
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: znsaaaa.exe)
- Executes dropped EXE (2 IoCs)
  - PID 3900 znsaaaa.exe
  - PID 2604 userplus.exe
- Loads dropped DLL (4 IoCs)
  - PID 2604 userplus.exe
  - PID 2604 userplus.exe
  - PID 3392 Process not Found
  - PID 3392 Process not Found
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plus = "C:\\Windows\\mmodyaox\\znsaaaa.exe" (process: znsaaaa.exe)
- (signature name missing from the extracted page) 2 IoCs
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: znsaaaa.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 8: checkip.dyndns.org
- Drops file in System32 directory (2 IoCs)
  - File created C:\Windows\system32\NlsLexicons00ssx.dll (process: znsaaaa.exe)
  - File created C:\Windows\system32\NlsLexicons00mmx.dll (process: znsaaaa.exe)
- Drops file in Windows directory (11 IoCs)
  - File opened for modification C:\Windows\mmodyaox (process: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe)
  - File opened for modification C:\Windows\Fonts.Lists (process: znsaaaa.exe)
  - File created C:\Windows\mmodyaox\conf.ini (process: znsaaaa.exe)
  - File opened for modification C:\Windows\system\system.log (process: znsaaaa.exe)
  - File created C:\Windows\PLA\userplus.exe (process: znsaaaa.exe)
  - File opened for modification C:\Windows\Media\shomll.log (process: znsaaaa.exe)
  - File created C:\Windows\Media\shomll.log (process: znsaaaa.exe)
  - File created C:\Windows\mmodyaox\znsaaaa.exe (process: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe)
  - File created C:\Windows\Setup\Extensionm.dll (process: znsaaaa.exe)
  - File created C:\Windows\mmodyaox\Tempznsaaaa.exe (process: userplus.exe)
  - File opened for modification C:\Windows\mmodyaox\Tempznsaaaa.exe (process: userplus.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ (process: znsaaaa.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: znsaaaa.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 1372 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe 1372 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe 3900 znsaaaa.exe 3900 znsaaaa.exe 3900 znsaaaa.exe 3900 znsaaaa.exe 3900 znsaaaa.exe 3900 znsaaaa.exe 3900 znsaaaa.exe 3900 znsaaaa.exe 3900 znsaaaa.exe 3900 znsaaaa.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 3900 znsaaaa.exe 2604 userplus.exe 3900 znsaaaa.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe 3900 znsaaaa.exe 2604 userplus.exe 3900 znsaaaa.exe 2604 userplus.exe 2604 userplus.exe 2604 userplus.exe -
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 3900 znsaaaa.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 2604 userplus.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1372 wrote to memory of 3900 (process: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe, procid_target 81)
  - PID 1372 wrote to memory of 3900 (process: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe, procid_target 81)
  - PID 1372 wrote to memory of 3900 (process: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe, procid_target 81)
  - PID 3900 wrote to memory of 4440 (process: znsaaaa.exe, procid_target 85)
  - PID 3900 wrote to memory of 4440 (process: znsaaaa.exe, procid_target 85)
  - PID 3900 wrote to memory of 4440 (process: znsaaaa.exe, procid_target 85)
  - PID 4440 wrote to memory of 2604 (process: cmd.exe, procid_target 87)
  - PID 4440 wrote to memory of 2604 (process: cmd.exe, procid_target 87)
- System policy modification (1 TTP, 4 IoCs)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: znsaaaa.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: znsaaaa.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe (PID 1372, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\mmodyaox\znsaaaa.exe (PID 3900, depth 2, child of PID 1372)
    Command line: C:\Windows\mmodyaox\znsaaaa.exe
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\cmd.exe (PID 4440, depth 3, child of PID 3900)
      Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userplus.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\PLA\userplus.exe (PID 2604, depth 4, child of PID 4440)
        Command line: C:\Windows\PLA\userplus.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads