Analysis Overview
SHA256
2bc60af7c224a7f1632c53871a9fe04f8ad7d27f489d5e4bd81723247bba37a4
Threat Level: Likely malicious
The file 0185293f7466077ff4e670cf49bc36a9_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Sets service image path in registry
Checks whether UAC is enabled
Adds Run key to start application
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Program crash
Modifies registry class
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 09:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 09:57
Reported
2024-06-22 10:00
Platform
win7-20240221-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Amti\ImagePath = "C:\\Windows\\Amti\\svchost.exe" | C:\Windows\Amti\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows rundll32 updater = "Rundll32.exe C:\\Windows\\Amti\\Amti.dll B" | C:\Windows\Amti\svchost.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Amti\svchost.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA} | C:\Windows\Amti\svchost.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Amti\Amti.dll | C:\Windows\Amti\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\Amti\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\Amti\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA} | C:\Windows\Amti\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA}\InProcServer32\ = "C:\\Windows\\Amti\\Amti.dll" | C:\Windows\Amti\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\Amti\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA}\InProcServer32 | C:\Windows\Amti\svchost.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0185293f7466077ff4e670cf49bc36a9_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0185293f7466077ff4e670cf49bc36a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0185293f7466077ff4e670cf49bc36a9_JaffaCakes118.exe"
C:\Windows\Amti\svchost.exe
C:\Windows\Amti\svchost.exe
Network
Files
memory/2868-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2280-3-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 09:57
Reported
2024-06-22 10:00
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0185293f7466077ff4e670cf49bc36a9_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0185293f7466077ff4e670cf49bc36a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0185293f7466077ff4e670cf49bc36a9_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1556 -ip 1556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 248
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/1556-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1556-1-0x0000000000400000-0x0000000000409000-memory.dmp