Analysis Overview
SHA256
4778db65938e7531e308dd893851c71db03dcca57858d14156d4ceaa2c11b39e
Threat Level: Shows suspicious behavior
The file 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Modifies WinLogon
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 14:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 14:24
Reported
2024-06-20 14:27
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\fsmgmt.dll | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3068 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3068 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3068 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3068 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3068 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\DeleteMe.bat
Network
Files
memory/3068-0-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3068-1-0x00000000002E0000-0x0000000000310000-memory.dmp
memory/3068-2-0x0000000000250000-0x0000000000252000-memory.dmp
memory/3068-10-0x0000000000430000-0x0000000000431000-memory.dmp
memory/3068-9-0x0000000000440000-0x0000000000441000-memory.dmp
memory/3068-8-0x0000000000450000-0x0000000000451000-memory.dmp
memory/3068-7-0x0000000000230000-0x0000000000231000-memory.dmp
memory/3068-6-0x0000000000220000-0x0000000000221000-memory.dmp
memory/3068-5-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/3068-4-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1196-11-0x0000000002530000-0x0000000002531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DeleteMe.bat
| MD5 | f51f5958745b17fdbd1c8868aa693a5e |
| SHA1 | 08dbb2be1ebfa9811901440fdec933789c33294c |
| SHA256 | 225b48155d382d72fefcf065a13d951c4a9b09e909ee27c7b02a1cca97c15fe3 |
| SHA512 | ab2de50155f20b75cb55c327ec27ce0ed37bb10823830c686c90f6279136bc284b6100012c440812b7f79a2b9e467d223b883e2d08e767cdecc17daa0e6b9c5e |
memory/3068-20-0x00000000002E0000-0x0000000000310000-memory.dmp
memory/3068-19-0x0000000000400000-0x000000000042F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 14:24
Reported
2024-06-20 14:27
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
159s
Command Line
Signatures
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\fsmgmt.dll | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2132 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 2132 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2132 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2132 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DeleteMe.bat
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
memory/2132-0-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2132-1-0x0000000000700000-0x0000000000730000-memory.dmp
memory/2132-2-0x0000000000730000-0x0000000000732000-memory.dmp
memory/2132-3-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/2132-5-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/2132-4-0x0000000000A40000-0x0000000000A41000-memory.dmp
memory/2132-6-0x00000000005D0000-0x00000000005D1000-memory.dmp
memory/2132-9-0x0000000000A50000-0x0000000000A51000-memory.dmp
memory/2132-8-0x0000000000A60000-0x0000000000A61000-memory.dmp
memory/2132-7-0x0000000000A70000-0x0000000000A71000-memory.dmp
memory/2132-13-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2132-14-0x0000000000700000-0x0000000000730000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DeleteMe.bat
| MD5 | f51f5958745b17fdbd1c8868aa693a5e |
| SHA1 | 08dbb2be1ebfa9811901440fdec933789c33294c |
| SHA256 | 225b48155d382d72fefcf065a13d951c4a9b09e909ee27c7b02a1cca97c15fe3 |
| SHA512 | ab2de50155f20b75cb55c327ec27ce0ed37bb10823830c686c90f6279136bc284b6100012c440812b7f79a2b9e467d223b883e2d08e767cdecc17daa0e6b9c5e |