Analysis
-
max time kernel: 153s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 26-06-2024 08:47
Behavioral task: behavioral1
  Sample: 1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
-
Target: 1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe
Size: 88KB
MD5: 1168b89f120da9898cc71d3ab48bd768
SHA1: 8963fdd65cbe1f786f0296b26f46f71897d12dc7
SHA256: 986cd097aaa077dd2acf09937266c69a64fdf9e3b8d011ed7656b6f669a81112
SHA512: 86ca04ea1726915231913534bc64650d32deaa729aec43f5a74509e1c1e438cda1ae124dd4088d1e4876e61386b94702e4512ec8ae7fa6615219596d1b8f3bed
SSDEEP: 1536:dXNXdlRH+Dwk4cSGesvhC8plnQ85+HwClgfTQqPTFTCtOQ8Ccfic:ddtlRH+UxGzh3HQ85+QqoTBfic
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid  Process
3108  svchosts.exe
-
resource  yara_rule
behavioral2/memory/4836-0-0x0000000000400000-0x0000000000431000-memory.dmp  vmprotect
behavioral2/memory/4836-1-0x0000000000400000-0x0000000000431000-memory.dmp  vmprotect
behavioral2/files/0x0008000000023237-7.dat  vmprotect
behavioral2/memory/3108-9-0x0000000000400000-0x0000000000431000-memory.dmp  vmprotect
behavioral2/memory/4836-60-0x0000000000400000-0x0000000000431000-memory.dmp  vmprotect
behavioral2/memory/3108-61-0x0000000000400000-0x0000000000431000-memory.dmp  vmprotect
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe
-
Drops file in Windows directory 2 IoCs
description  ioc  Process
File created  C:\windows\svchosts.exe  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe
File opened for modification  C:\windows\svchosts.exe  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe
-
Modifies Internet Explorer settings
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000db20d4d61f9b3d4b8223119d16ffd968000000000200000000001066000000010000200000006f12c6ba5ef9223a660130f5c962b8b1f6249ac3fe2a768ddc0bc98ead113b2f000000000e80000000020000200000005a28074b40a70b5026cbb40139dc243f971826bc384139fa64ebfa500caf028320000000e3b58e52e20869dd2a4483382a3e1be9e31ddbf3eae616c32766257b8448ef2940000000a880dc7e64922ab70f4c6c964b895ba8514e915051f1258603c0c79aab9f8816d56339d0636ec6296e0ef4e05fbac2073aba43bd35bfa2f50f482074f9d07f55  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2622150702"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C7085864-3398-11EF-B9F7-C69DB2B6DED0} = "0"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115173"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115173"  IEXPLORE.EXE
Set value (data)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d253b2a5c7da01  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2622150702"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115173"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2715901315"  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426156663"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000db20d4d61f9b3d4b8223119d16ffd96800000000020000000000106600000001000020000000a22979635968d073ca1641d89694946e80944759a58b33f0d4044908be2aa8b6000000000e8000000002000020000000c51c74aaada9c8b2e6e387c223db3ed6a31c82c580d92c581df757e57935993e200000003595f91df69d29e0147f0200d68cd4745e867a2e795dc6626e326b4f58957ec94000000059244d7bfb8762b51fc2f417830630842fbf4d5c25e680ec5d50eafc057872917f632061de7f233bd3f681c7c6ea3ec97cf08dd4ede85c7e585dae1305d62358  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9016d0b7a5c7da01  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"  iexplore.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
4836  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe
4836  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid  Process
4688  iexplore.exe
3108  svchosts.exe
-
Suspicious use of SetWindowsHookEx 8 IoCs
pid  Process
4836  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe
3108  svchosts.exe
4688  iexplore.exe
4688  iexplore.exe
1072  IEXPLORE.EXE
1072  IEXPLORE.EXE
1072  IEXPLORE.EXE
1072  IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 8 IoCs
description  pid  Process  procid_target
PID 4836 wrote to memory of 3108  4836  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe  90
PID 4836 wrote to memory of 3108  4836  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe  90
PID 4836 wrote to memory of 3108  4836  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe  90
PID 4836 wrote to memory of 4688  4836  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe  91
PID 4836 wrote to memory of 4688  4836  1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe  91
PID 4688 wrote to memory of 1072  4688  iexplore.exe  92
PID 4688 wrote to memory of 1072  4688  iexplore.exe  92
PID 4688 wrote to memory of 1072  4688  iexplore.exe  92
Processes
-
C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4836

    C:\windows\svchosts.exe
      Command line: C:\windows\svchosts.exe auto
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      PID: 3108

    C:\progra~1\Intern~1\iexplore.exe
      Command line: C:\\progra~1\\Intern~1\\iexplore.exe http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=QM00013&isqq=3
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4688

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4688 CREDAT:17410 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
  PID: 4600
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 5f0847e5a15af2d7923393c3cd30c5d1
SHA1: 326c44f2bc29ec6578a400d6d46361efcb013540
SHA256: 28766e681bf500e9cddbcd3275cd898c4165354ad087c2461d9ee374a7e2221e
SHA512: a83751183cd1f2ac063a0077f8edfaecda72a4649437070c83f88151c822ff42d43fb8a291c123af2598e10d15cbdc147cef353b2149baca9462fb02e3d67a06
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 317177f158be9397fcf09d256b01d126
SHA1: fefebef7a66ab8d6e9ae363f7133b476c9c6030c
SHA256: 3dc6496996f137a27d0b46256fedfb2305fde8fd507a1a1c1e7fc387b3941dbf
SHA512: f7b4e2c6c7a24f36a0eb5ced3bb33603bfe833fb4492b391f0b895fe7b005201a618fc019aa330349179c3a5f84e934a6c1611554e5df97a2bcf52794b46efad
-
Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize: 88KB
MD5: 1168b89f120da9898cc71d3ab48bd768
SHA1: 8963fdd65cbe1f786f0296b26f46f71897d12dc7
SHA256: 986cd097aaa077dd2acf09937266c69a64fdf9e3b8d011ed7656b6f669a81112
SHA512: 86ca04ea1726915231913534bc64650d32deaa729aec43f5a74509e1c1e438cda1ae124dd4088d1e4876e61386b94702e4512ec8ae7fa6615219596d1b8f3bed