Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25-06-2024 09:13
Static task
static1
Behavioral task
behavioral1
Sample
0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe
-
Size
224KB
-
MD5
0d8007c628a5c009d3d2b6aa53e6cc0a
-
SHA1
3ad7496a74762cae06b394a32dc8832611b20df8
-
SHA256
d26dc3afdc474fc8170c92fabdab98bf97176635d36fc3a1c8a7f76e77f43b6a
-
SHA512
6711b4bceda2396f63cc97b26e4884341bca1625a627044ce65195f0d787d8697fb8f550008b5e6ef9771a149aa010d96116dc9cae44728823014f70ec49c596
-
SSDEEP
3072:1ma9v8Isvh3Tg93yDxkWD8bENk4Dy1lxeMV37q/LwmfYS:Up3Tg93yDxkWD8bERDy8MFq/Ldw
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 1620 rundll32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Container = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32.exe" rundll32.exe -
Document created with cracked Office version 1 IoCs
Office document contains Grizli777 string known to be caused by using a cracked version of the software.
resource yara_rule behavioral2/files/0x0007000000023429-19.dat grizli777_cracked_office -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32.exe rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2712 reg.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2664 WINWORD.EXE 2664 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1620 rundll32.exe 1620 rundll32.exe 1620 rundll32.exe 1620 rundll32.exe 1620 rundll32.exe 1620 rundll32.exe 1620 rundll32.exe 1620 rundll32.exe 1620 rundll32.exe 1620 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe Token: SeIncBasePriorityPrivilege 1620 rundll32.exe Token: 33 1620 rundll32.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 1620 rundll32.exe 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4060 wrote to memory of 1620 4060 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 81 PID 4060 wrote to memory of 1620 4060 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 81 PID 4060 wrote to memory of 1620 4060 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 81 PID 4060 wrote to memory of 2664 4060 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 82 PID 4060 wrote to memory of 2664 4060 0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe 82 PID 1620 wrote to memory of 3324 1620 rundll32.exe 84 PID 1620 wrote to memory of 3324 1620 rundll32.exe 84 PID 1620 wrote to memory of 3324 1620 rundll32.exe 84 PID 3324 wrote to memory of 2712 3324 cmd.exe 86 PID 3324 wrote to memory of 2712 3324 cmd.exe 86 PID 3324 wrote to memory of 2712 3324 cmd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0d8007c628a5c009d3d2b6aa53e6cc0a_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\rundll32.exe"C:\Users\Admin\AppData\Local\Temp\rundll32.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- Modifies registry key
PID:2712
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SENARAI CALON BN PRU 13.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2664
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
82KB
MD57866ebcba567d0384a4173c44bde6163
SHA1881da445f78b8ba92eddd7eb533dcb0027cd60f4
SHA256ca193036f99a12ed1d89bc434d5b194631f83bc9bd6d4eba92e6403862c800ed
SHA512c3fe4cbb393c72277855f8bbc657bbf6004b462a0ec9b2ca27c2a587055395b890b91a89a543ab33d058d864c636dc196b944ca1668515dd4f9bf2e9e8a4f9b5
-
Filesize
73KB
MD5716d1b5f9d25d9374208ace7bfda7494
SHA1e27e3c9551952c6b16664138ea6393682161bb51
SHA2562b9fd5444bf32bb57619496751620b6f03d044e6a7d6c1ec734be1dbcbb477e5
SHA5126016aac7c48d7d4a3b322ff77461b229fd6ec2915e4187a0f0259de0cb21446813dfe68d82a7216a21ac28de211e75ff1f0968d3869b0c454c78716cf7d74146