Analysis
max time kernel: 150s
max time network: 142s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 04:17
Static task: static1
Behavioral task: behavioral1
  Sample: 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe
  Resource: win7-20240611-en
General
Target: 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe
Size: 148KB
MD5: 10b145cfb95a3ba1a16460cbae99e607
SHA1: fe5bdb1ca76fb0a29b72a15856f356ddbe5fff9f
SHA256: 280b9d8bb4ec80336b10766fff7ab363fcde1524963910a45d95d8ec46183ede
SHA512: 12309ee46b8fc8877779da60d721cda25d7e8bafa80cccb5e9a8d489acaa60b407395ea7be84750997106ed8572859ccb632f529ec64ca8a266a3936a80d9f21
SSDEEP: 3072:ZwH1uIIPhvpE6cXjA8iVUAWGaqqqBSpXuWMfujoMITjWR:O/EFpkXsDePGaqqqBmMfujPB
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\hdoljjpc\\pjgxtjyp.exe" | svchost.exe

UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pjgxtjyp.exe | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pjgxtjyp.exe | svchost.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  2216 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
  2164 | hoevvlbyvucsqxbu.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | svchost.exe
Loads dropped DLL (6 IoCs)
  pid | Process
  1960 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe
  1960 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe
  2216 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
  2216 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
  2216 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
  2216 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\PjgXtjyp = "C:\\Users\\Admin\\AppData\\Local\\hdoljjpc\\pjgxtjyp.exe" | svchost.exe
Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\win.ini | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2812 | svchost.exe (64 identical entries)
Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  476 | Process not Found
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeSecurityPrivilege | 2216 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
  Token: SeDebugPrivilege | 2216 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
  Token: SeSecurityPrivilege | 2980 | svchost.exe
  Token: SeSecurityPrivilege | 2812 | svchost.exe
  Token: SeDebugPrivilege | 2812 | svchost.exe
  Token: SeRestorePrivilege / Token: SeBackupPrivilege | 2812 | svchost.exe (alternating pairs, repeated)
  Token: SeSecurityPrivilege | 2164 | hoevvlbyvucsqxbu.exe
  Token: SeLoadDriverPrivilege | 2164 | hoevvlbyvucsqxbu.exe
  Token: SeRestorePrivilege / Token: SeBackupPrivilege | 2812 | svchost.exe (alternating pairs, repeated through the end of the table)
Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 1960 wrote to memory of 2216 | 1960 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe | 28 (4 entries)
  PID 2216 wrote to memory of 2980 | 2216 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 29 (10 entries)
  PID 2216 wrote to memory of 2812 | 2216 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 30 (10 entries)
  PID 2216 wrote to memory of 2164 | 2216 | 10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe | 31 (4 entries)
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1960
  depth 2: C:\Users\Admin\AppData\Local\Temp\10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\10b145cfb95a3ba1a16460cbae99e607_JaffaCakes118mgr.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2216
    depth 3: C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      - Suspicious use of AdjustPrivilegeToken
      PID: 2980
    depth 3: C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      - Modifies WinLogon for persistence
      - UAC bypass
      - Checks BIOS information in registry
      - Drops startup file
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2812
    depth 3: C:\Users\Admin\AppData\Local\Temp\hoevvlbyvucsqxbu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hoevvlbyvucsqxbu.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2164
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 766B
MD5: a48a1f91793fc0a25cbe407a0d61a38a
SHA1: 27f2a8f391b79e579d96f74186a0bc786dace7c7
SHA256: 2fe43948764da6556d01929f08620ba06f38f858f2cd9bb53cb289c6c9c04be8
SHA512: 5f55e6408515e5c1d767c0f07154bf6be0f855f29b3d1ef7c633ec1fa0d0855fdb5bffa9e0150d505814ff3f4218859e94122d1432c52cd2ef6d1140240cce3e

Filesize: 111KB
MD5: 10d2e087710c80d11a2e482cd3a13731
SHA1: 5623e43b4ac7c528449e67bc11cedabe369df54c
SHA256: 607b206b4baecc7a0be6c0518b8733fb5c4364b7098a262a03befbbfd0d30335
SHA512: 68b991baad83dc781e8a5ba69d0edfad7e90122618b5c1f178a01a0481a8f43e200cbd7f5702449ec758361ac8f1a1596e7400bd9561a86cbeff31a876a2f65a