Analysis
max time kernel: 143s
max time network: 134s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 14:30
Static task: static1
Behavioral task: behavioral1 (sample 06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe, resource win7-20240611-en)
Behavioral task: behavioral2 (sample 06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe, resource win10v2004-20240508-en)
General
Target: 06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe
Size: 518KB
MD5: 06d798549154c28be78ce9f4074585c9
SHA1: fdf04f3277ce3c3eced17d679948e7df7a4f756a
SHA256: ad9b48bb70a715e82d4a7c133101400c38c7efac78ae82738cbcaba81f6c58a9
SHA512: 3ff86ec631987b912ee7cf6d7d3f2116553d61da2e752e5501ebeb515fa318ef776a68a47be9ac65f793332d2151a165871aa67440dec72198134e40e0c45bdb
SSDEEP: 12288:+xFal5fCzEsRoCp95sRuk297Wv3Rr8d/Xagc67Zt9Usu3ZXcjuTq:+jaHgEpE9Iup76h8d/7c6JE3ZMjF
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
    pid 1712  COMSER~1.EXE
    pid 2476  wowmap.exe
Loads dropped DLL (2 IoCs)
    pid 2840  06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe (2 DLL loads)
Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  by 06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe
    Note: this RunOnce value is the standard cleanup hook written by the Windows self-extractor (wextract.exe, the stub used by IExpress packages) so that its IXP000.TMP extraction directory is deleted at the next logon. Together with the IXP000.TMP path it marks the sample as a self-extracting wrapper around COMSER~1.EXE; the value itself only runs a directory deletion and does not launch the dropped payload.
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
    File opened for modification  \??\PhysicalDrive0  by COMSER~1.EXE
    File opened for modification  \??\PhysicalDrive0  by wowmap.exe
    Note: both the dropped COMSER~1.EXE and the second-stage wowmap.exe open the raw disk device for writing while holding SeDebugPrivilege; the report shows the open, not the bytes written, so the first-sector contents should be verified on the analysis VM.
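When a sandbox flags a write handle to \??\PhysicalDrive0, the practical follow-up is to pull sector 0 and compare it with a known-good copy. The following is an added example, not code from the report or from the sample's analysis: it parses a 512-byte MBR, hashes the bootstrap-code area (the first 440 bytes, which is what a bootkit overwrites) against a baseline, and applies two sanity checks on the partition table. The sector data, the baseline hash and the read_live_mbr helper are constructed for the example; reading the real device requires administrator rights on Windows.

```python
# Added example: verify a raw MBR sector after a sandbox reports writes to
# the physical drive.  Uses a constructed sector so it runs offline.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code precedes the 4-byte disk signature at 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xAA"     # sector must end with 0x55AA
PART_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot-code hash, disk signature and used partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, sector, off)
        if ptype == 0:                       # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable")
    for p in info["partitions"]:
        if p["lba_start"] == 0:              # a partition cannot start in the MBR sector
            findings.append(f"partition {p['index']} starts at LBA 0")
    return findings


def build_sector(boot_code: bytes, partitions) -> bytes:
    """Constructed test data: assemble a 512-byte MBR from boot code and partition tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def read_live_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from the raw device (Windows, needs admin).  Not called in the offline demo."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


# Constructed sectors: a placeholder "clean" boot stub and a tampered copy whose
# bootstrap bytes were replaced, as a bootkit would do.  One NTFS partition at LBA 2048.
CLEAN_MBR = build_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40,
                         [(0x80, 0x07, 2048, 204800)])
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()   # taken from a clean image
TAMPERED_MBR = build_sector(b"\xeb\xfe" + b"\x00" * 6, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real investigation the baseline hash comes from the same disk image before detonation (or from the stock Windows boot code for that build); a hash mismatch on its own only says the sector changed, so disassembling the new bootstrap bytes is the next step.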
Drops file in System32 directory (3 IoCs)
    File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\2LIOS0X4.txt  by wowmap.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\2LIOS0X4.txt  by wowmap.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  by wowmap.exe
    Note: these are WinINet cookie and cache files under the LocalSystem profile (config\systemprofile), which is consistent with wowmap.exe running as SYSTEM and using WinINet for HTTP rather than with a deliberate drop into System32.
Drops file in Windows directory (3 IoCs)
    File created  C:\Windows\GUOCYOKl.BAT  by COMSER~1.EXE
    File created  C:\Windows\wowmap.exe  by COMSER~1.EXE
    File opened for modification  C:\Windows\wowmap.exe  by COMSER~1.EXE
Modifies data under HKEY_USERS (24 IoCs, all by wowmap.exe)
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}\WpadNetworkName = "Network 3"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}\1a-47-e2-10-05-74
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-47-e2-10-05-74\WpadDecisionTime = f0f9b17d1ec3da01
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}\WpadDecisionReason = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-47-e2-10-05-74
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}\WpadDecisionTime = f0f9b17d1ec3da01
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-47-e2-10-05-74\WpadDecisionReason = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-47-e2-10-05-74\WpadDecision = "0"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Note: every entry is a WinINet proxy-autodetect (WPAD), zone-map or cache-prefix value under the .DEFAULT hive. WinINet writes these itself when a process running as SYSTEM first makes an HTTP request, so the set indicates that wowmap.exe attempted network access through WinINet, not that it tampered with proxy settings (ProxyEnable is left at 0).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege  pid 1712  COMSER~1.EXE
    Token: SeDebugPrivilege  pid 2476  wowmap.exe
Suspicious use of FindShellTrayWindow (1 IoC)
    pid 2476  wowmap.exe
Suspicious use of WriteProcessMemory (12 IoCs; the sandbox records each write four times)
    PID 2840 wrote to memory of 1712  (06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe, procid_target 28)  x4
    PID 2476 wrote to memory of 812   (wowmap.exe, procid_target 30)  x4
    PID 1712 wrote to memory of 1468  (COMSER~1.EXE, procid_target 31)  x4
    Note: each target PID is the direct child that the writing process spawns in the process tree below (2840 -> COMSER~1.EXE, 2476 -> IEXPLORE.EXE, 1712 -> cmd.exe), so these entries reflect ordinary process creation rather than injection into an unrelated process.
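The quickest way to separate process-creation noise from genuine injection in rows like these is to check each writer/target pair against the parent-child relationships in the process tree. The following is an added example, not part of the report: it parses the report's "wrote to memory of" rows (embedded here as constructed input, duplicates included), folds the repeats, and labels each pair as process creation when the target is the writer's own child, or as an injection candidate otherwise. The PROCESS_TREE mapping is transcribed from the Processes section below.

```python
# Added example: classify sandbox WriteProcessMemory rows against the process tree.
import re

# Constructed from the report's "Suspicious use of WriteProcessMemory" rows;
# the sandbox emits each row several times.
WPM_ROWS = """\
PID 2840 wrote to memory of 1712 2840 06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe 28
PID 2840 wrote to memory of 1712 2840 06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe 28
PID 2476 wrote to memory of 812 2476 wowmap.exe 30
PID 2476 wrote to memory of 812 2476 wowmap.exe 30
PID 1712 wrote to memory of 1468 1712 COMSER~1.EXE 31
"""

# Parent PID -> child PIDs, transcribed from the report's process tree.
PROCESS_TREE = {2840: {1712}, 1712: {1468}, 2476: {812}}

# Row layout: "PID <writer> wrote to memory of <target> <writer> <image name> <procid_target>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")


def parse_wpm_rows(text: str) -> dict:
    """Return {(writer_pid, target_pid): (writer_image, row_count)} with duplicate rows folded."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                                  # skip headers or malformed rows
        writer, target, image = int(m.group(1)), int(m.group(2)), m.group(3)
        _, count = edges.get((writer, target), (image, 0))
        edges[(writer, target)] = (image, count + 1)
    return edges


def classify_writes(edges: dict, tree: dict) -> dict:
    """Label each (writer, target) pair by whether the target is the writer's own child."""
    verdicts = {}
    for writer, target in edges:
        if target in tree.get(writer, set()):
            verdicts[(writer, target)] = "process-creation"
        else:
            verdicts[(writer, target)] = "injection-candidate"
    return verdicts


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    for pair, verdict in classify_writes(edges, PROCESS_TREE).items():
        image, count = edges[pair]
        print(f"{image} ({pair[0]}) -> {pair[1]}: {verdict} ({count} rows)")
```

For this report every pair resolves to process creation; a row whose target is not a child of the writer (for example wowmap.exe writing into COMSER~1.EXE) would be the one worth pulling memory dumps for.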
Processes
    C:\Users\Admin\AppData\Local\Temp\06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe"
    PID 2840
    signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COMSER~1.EXE
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COMSER~1.EXE
        PID 1712
        signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c C:\Windows\GUOCYOKl.BAT
            PID 1468

    C:\Windows\wowmap.exe
    command line: C:\Windows\wowmap.exe
    PID 2476
    signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        PID 812

    Note: wowmap.exe is the file COMSER~1.EXE dropped into C:\Windows, yet it appears as a top-level process rather than a child of the dropper. Its writes under HKU\.DEFAULT and the systemprofile paths are consistent with it running in the LocalSystem context; the report does not show how it was launched (the batch file GUOCYOKl.BAT run by cmd.exe is the obvious candidate but its contents are not captured here).
Network
MITRE ATT&CK Enterprise v15
Downloads
    File 1
    Filesize: 164B
    MD5: f76abc9f135f91db5e13f4f0e6e9c4c9
    SHA1: 6a92d6d71946eb32f50f350b65313e495630d0ce
    SHA256: 87d2a6832c8431fac2a0cb3661ad3bb85c078754480b7b4c5087dfa6e476b448
    SHA512: e2ec636ea8f48f9e7918260274cc528d530198f91b070cbf324bf1e84d11e56102388d071c5fbe7982cf1ef42b571476a06e2368dcdc8a50fcc3adf029b3e8a5

    File 2
    Filesize: 493KB
    MD5: 5956b1c78eaec57f148472e7066cedfe
    SHA1: dbca650c8541ee49f1b5f3bd80047c75a0555ec3
    SHA256: b38b59422075efcb463f44551b4e404a64530db264f2c2de7e451da5e32eaec7
    SHA512: 46b43493d8182f9c8411dc3c8209b1e03b90297dff41997313f84d7a4594ad099854cf0ba13743ef6225ebffaba3fca1c5d96ed1d3dc932a9d3143c9bc7eb69d