Analysis Overview
SHA256
6a12985870ef12f2468d40d260e5b7da5e84f51368a8b55aad79022fcd4f4217
Threat Level: Known bad
The file 9949c5620de261099f10a01f9e8039ad_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Sets service image path in registry
Drops file in Drivers directory
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Adds Run key to start application
Installs/modifies Browser Helper Object
Enumerates connected drives
Modifies WinLogon
Drops file in System32 directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-05 21:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 21:23
Reported
2024-06-05 21:27
Platform
win7-20240508-en
Max time kernel
143s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fewfwe.com | udp |
| US | 52.86.6.113:80 | fewfwe.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | fewfwe.net | udp |
Files
memory/2416-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2600-1-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2416-2-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2388-3-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2660-4-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\cftmon.exe
| MD5 | 2e3f437012c87ad744981100b4bb3cdd |
| SHA1 | 87e0e76828b0d8d47f9c9c692500077f6dcc7af6 |
| SHA256 | d155bbcaf7f7ac29e064523dc6fa48db0e282f879830cd429ac5d4c552c3035e |
| SHA512 | 5c4c1ead0831967bdee3a782d900d6c9450aa753155e957432c2e14b29f84f49019f3926bda01771eed8e5f200a4f975c4abd52d29e24e291b5b9861eccd7429 |
\Windows\SysWOW64\ftpdll.dll
| MD5 | d807aa04480d1d149f7a4cac22984188 |
| SHA1 | ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9 |
| SHA256 | eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb |
| SHA512 | 875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e |
memory/2416-30-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2416-34-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2416-36-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2600-37-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2416-38-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2388-39-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2660-40-0x0000000000400000-0x0000000000423000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 21:23
Reported
2024-06-05 21:27
Platform
win10v2004-20240508-en
Max time kernel
135s
Max time network
127s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\9949c5620de261099f10a01f9e8039ad_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fewfwe.com | udp |
| US | 52.71.57.184:80 | fewfwe.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.57.71.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 172.67.70.191:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | fewfwe.net | udp |
| US | 8.8.8.8:53 | 191.70.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4508-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4876-1-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\cftmon.exe
| MD5 | f9aef8f1bc5255f8b70a15d9fa552b9e |
| SHA1 | b9a89cc322f318e3404ba1cc2619bb24a9214490 |
| SHA256 | d91be5343528a5ebe2f5e3bdfd68474ca7dd5cbbe270faf22aac795b9d2c7d25 |
| SHA512 | ae0ae0790babd8013051dd01b64edd8e876b6104f0470d8b961a4962ea8e94fac2bdd7e654324bf780c1d921c22d5ad1c3ef13d1cf315b415847515af6ba969c |
memory/3988-14-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Windows\SysWOW64\ftpdll.dll
| MD5 | d807aa04480d1d149f7a4cac22984188 |
| SHA1 | ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9 |
| SHA256 | eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb |
| SHA512 | 875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e |
memory/4508-20-0x0000000010000000-0x000000001010B000-memory.dmp
memory/4508-22-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4876-24-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3988-25-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2752-26-0x0000000000400000-0x0000000000423000-memory.dmp