Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 19:11
Static task: static1
Behavioral task: behavioral1
  Sample: 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe
- Size: 929KB
- MD5: 131af0e4c40f5e7dfca711a45816fa37
- SHA1: 5c72ad82cd2da3807290c2d384546740097dd8c9
- SHA256: f4d30cb13736e18e207fe01046a535f4152c3c9d0581214fd9caf8dc7f19e0ea
- SHA512: dcb2d216965ec03d4cd691327f65a7f1ceede9253c0a16ab8c5d3aca66a6809c65637b264329ae76bae55927d5e6ced5a6f10297110cf5ac9e9af1e29d1bec19
- SSDEEP: 24576:iY7WkuuKVuKBWXmKyT6duKvvbyyUHb8V0Zpu9Aooo0:57WvuKV9BWbymveHAsC
Malware Config
Signatures
-
Windows security bypass
Processes: winlogon.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: winlogon.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 1 IoCs
Processes: winlogon.exe
  pid | process
  2208 | winlogon.exe
-
Loads dropped DLL 1 IoCs
Processes: 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe
  pid | process
  2484 | 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe
-
Windows security modification
Processes: winlogon.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Logon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlogon.exe" | 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe
  description | pid | process | target process
  PID 2484 set thread context of 2208 | 2484 | 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe | winlogon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: winlogon.exe
  pid | process
  2208 | winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes: 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe, winlogon.exe
  description | pid | process
  Token: SeDebugPrivilege | 2484 | 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe
  Token: SeIncreaseQuotaPrivilege | 2208 | winlogon.exe
  Token: SeSecurityPrivilege | 2208 | winlogon.exe
  Token: SeTakeOwnershipPrivilege | 2208 | winlogon.exe
  Token: SeLoadDriverPrivilege | 2208 | winlogon.exe
  Token: SeSystemProfilePrivilege | 2208 | winlogon.exe
  Token: SeSystemtimePrivilege | 2208 | winlogon.exe
  Token: SeProfSingleProcessPrivilege | 2208 | winlogon.exe
  Token: SeIncBasePriorityPrivilege | 2208 | winlogon.exe
  Token: SeCreatePagefilePrivilege | 2208 | winlogon.exe
  Token: SeBackupPrivilege | 2208 | winlogon.exe
  Token: SeRestorePrivilege | 2208 | winlogon.exe
  Token: SeShutdownPrivilege | 2208 | winlogon.exe
  Token: SeDebugPrivilege | 2208 | winlogon.exe
  Token: SeSystemEnvironmentPrivilege | 2208 | winlogon.exe
  Token: SeChangeNotifyPrivilege | 2208 | winlogon.exe
  Token: SeRemoteShutdownPrivilege | 2208 | winlogon.exe
  Token: SeUndockPrivilege | 2208 | winlogon.exe
  Token: SeManageVolumePrivilege | 2208 | winlogon.exe
  Token: SeImpersonatePrivilege | 2208 | winlogon.exe
  Token: SeCreateGlobalPrivilege | 2208 | winlogon.exe
  Token: 33 | 2208 | winlogon.exe
  Token: 34 | 2208 | winlogon.exe
  Token: 35 | 2208 | winlogon.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: winlogon.exe
  pid | process
  2208 | winlogon.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe, winlogon.exe, cmd.exe
  description | pid | process | target process
  PID 2484 wrote to memory of 2208 | 2484 | 131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe | winlogon.exe (13 identical rows)
  PID 2208 wrote to memory of 2824 | 2208 | winlogon.exe | cmd.exe (4 identical rows)
  PID 2824 wrote to memory of 2868 | 2824 | cmd.exe | attrib.exe (4 identical rows)
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\131af0e4c40f5e7dfca711a45816fa37_JaffaCakes118.exe"
   PID: 2484
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\winlogon.exe
      command line: C:\Users\Admin\AppData\Local\Temp\winlogon.exe
      PID: 2208
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
         PID: 2824
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp\winlogon.exe" +s +h
            PID: 2868
            - Sets file to hidden
            - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 63B
MD5: 3821868491a01953e5f2f922ae9ff8b0
SHA1: 2daf28fa5ce2c3b55c25c8fc4a1d5a03f9b85bce
SHA256: d9c3e5032a4eaea21cebe6aeeca341459f8d256c7b39f4bcd34e27e12deaabb8
SHA512: 25c93ce1fc01a369306c769b861def036085aef807e0d0952830098d197b37e0d93a7d98c0df49aeff05b8493050df07d56307d643ff8421d7b31aa000e807e9
-
Filesize: 31KB
MD5: ed797d8dc2c92401985d162e42ffa450
SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2