Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 15:33
Static task: static1
Behavioral task: behavioral1
  Sample: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 127d59e896105a4ca97bc280f568dcb0
- SHA1: 0a20354cb57ef1d58c4e7c51e24599a5fba172d0
- SHA256: 3483fc2b3d3897609a3c0374f863ebf6b1c7088ce6ecfa4b4d4db81b8d39edca
- SHA512: 110e78f265e09f0d49990a069ef3023c448c8acfebb127be8a1d2aa35176a1a3a31992a7a83ac34555e2e354fa42a5de232ff24e96ca0ce4cad350919f019ff2
- SSDEEP: 24576:SBY/jbLgH/8HM7wv11Coaz7iVW8MilGe05QiwJ0M5QFV:Nak5vzC1iM5icKi38Qj
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\Shell32.exe" (by 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe)
- Executes dropped EXE (2 IoCs)
  Processes: Shell32.exe, Shell32.exe
  PID 2640 Shell32.exe
  PID 2700 Shell32.exe
- Loads dropped DLL (2 IoCs)
  Process: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
  PID 1668 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shell32 = "C:\\Users\\Admin\\Documents\\MSDCSC\\Shell32.exe" (by 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe, Shell32.exe
  PID 2512 (127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe) set thread context of PID 1668 (127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe)
  PID 2640 (Shell32.exe) set thread context of PID 2700 (Shell32.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe, Shell32.exe
  PID 1668 (127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe) and PID 2700 (Shell32.exe) each adjusted the following 23 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: Shell32.exe
  PID 2700 Shell32.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe, 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe, Shell32.exe
  PID 2512 (127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe) wrote to memory of PID 1668 (127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe): 12 events
  PID 1668 (127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe) wrote to memory of PID 2640 (Shell32.exe): 4 events
  PID 2640 (Shell32.exe) wrote to memory of PID 2700 (Shell32.exe): 12 events
Processes
- C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2512
  - C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1668
    - C:\Users\Admin\Documents\MSDCSC\Shell32.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\Shell32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2640
      - C:\Users\Admin\Documents\MSDCSC\Shell32.exe
        Command line: C:\Users\Admin\Documents\MSDCSC\Shell32.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 2700
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: 127d59e896105a4ca97bc280f568dcb0
  SHA1: 0a20354cb57ef1d58c4e7c51e24599a5fba172d0
  SHA256: 3483fc2b3d3897609a3c0374f863ebf6b1c7088ce6ecfa4b4d4db81b8d39edca
  SHA512: 110e78f265e09f0d49990a069ef3023c448c8acfebb127be8a1d2aa35176a1a3a31992a7a83ac34555e2e354fa42a5de232ff24e96ca0ce4cad350919f019ff2