Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 15:33
Static task: static1
Behavioral task: behavioral1
  Sample: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
Size: 1.1MB
MD5: 127d59e896105a4ca97bc280f568dcb0
SHA1: 0a20354cb57ef1d58c4e7c51e24599a5fba172d0
SHA256: 3483fc2b3d3897609a3c0374f863ebf6b1c7088ce6ecfa4b4d4db81b8d39edca
SHA512: 110e78f265e09f0d49990a069ef3023c448c8acfebb127be8a1d2aa35176a1a3a31992a7a83ac34555e2e354fa42a5de232ff24e96ca0ce4cad350919f019ff2
SSDEEP: 24576:SBY/jbLgH/8HM7wv11Coaz7iVW8MilGe05QiwJ0M5QFV:Nak5vzC1iM5icKi38Qj
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\Shell32.exe"
  process: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  process: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid 4232, process Shell32.exe
  pid 5108, process Shell32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell32 = "C:\\Users\\Admin\\Documents\\MSDCSC\\Shell32.exe"
  process: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description: PID 2352 set thread context of 2512; pid 2352; process 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe; target process 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
  description: PID 4232 set thread context of 5108; pid 4232; process Shell32.exe; target process Shell32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Processes:
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  process: 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
  pid 2512, process 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 5108, process Shell32.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 5108, process Shell32.exe
Suspicious use of WriteProcessMemory (29 IoCs)
Processes:
  description: PID 2352 wrote to memory of 2512; pid 2352; process 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe; target process 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe (13 entries)
  description: PID 2512 wrote to memory of 4232; pid 2512; process 127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe; target process Shell32.exe (3 entries)
  description: PID 4232 wrote to memory of 5108; pid 4232; process Shell32.exe; target process Shell32.exe (13 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe"
   PID: 2352
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\127d59e896105a4ca97bc280f568dcb0_JaffaCakes118.exe
      PID: 2512
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\Documents\MSDCSC\Shell32.exe
         Command line: "C:\Users\Admin\Documents\MSDCSC\Shell32.exe"
         PID: 4232
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\Documents\MSDCSC\Shell32.exe
            Command line: C:\Users\Admin\Documents\MSDCSC\Shell32.exe
            PID: 5108
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: 127d59e896105a4ca97bc280f568dcb0
SHA1: 0a20354cb57ef1d58c4e7c51e24599a5fba172d0
SHA256: 3483fc2b3d3897609a3c0374f863ebf6b1c7088ce6ecfa4b4d4db81b8d39edca
SHA512: 110e78f265e09f0d49990a069ef3023c448c8acfebb127be8a1d2aa35176a1a3a31992a7a83ac34555e2e354fa42a5de232ff24e96ca0ce4cad350919f019ff2