Analysis

max time kernel: 142s
max time network: 140s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2024 01:58
Static task: static1

Behavioral task: behavioral1
  Sample: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
Size: 732KB
MD5: 1446d50ecf1384818a85d24238464f1d
SHA1: d4dcd8a9b0b87e8593db081f2656c0a4daf9eab9
SHA256: c506bdc545ffd804df9b91ce4d1320945c07d3b13e5a8c45abe7aee9b06d0428
SHA512: 243a59db8eec7bfa0628e40bf3912f1a5fe99e928dcb74f9df3b02727237d8e9f1fd43f1e97c41d295adb4668900c868e294d279d92ad2bb9725df5044323be0
SSDEEP: 12288:7FwXAw6/n1ouMfjNgoqrYYcSSG9oPTMGX+AIsLtQiinxbt2rg5xkaPRHw/okTcZh:7ia/n1ou+jGv0YcSSG9oP4GX+AIsLtQh
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: run.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | run.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: winupdate.exe, run.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | run.exe

Executes dropped EXE (2 IoCs)
Processes: run.exe, winupdate.exe
pid | process
2052 | run.exe
2696 | winupdate.exe

Loads dropped DLL (6 IoCs)
Processes: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe, run.exe, winupdate.exe
pid | process
1708 | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
1708 | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
2052 | run.exe
2696 | winupdate.exe
2696 | winupdate.exe
2696 | winupdate.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: run.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | run.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: winupdate.exe, run.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | run.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | run.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | run.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | run.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: run.exe, winupdate.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | run.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: run.exe, winupdate.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2052 | run.exe
Token: SeSecurityPrivilege | 2052 | run.exe
Token: SeTakeOwnershipPrivilege | 2052 | run.exe
Token: SeLoadDriverPrivilege | 2052 | run.exe
Token: SeSystemProfilePrivilege | 2052 | run.exe
Token: SeSystemtimePrivilege | 2052 | run.exe
Token: SeProfSingleProcessPrivilege | 2052 | run.exe
Token: SeIncBasePriorityPrivilege | 2052 | run.exe
Token: SeCreatePagefilePrivilege | 2052 | run.exe
Token: SeBackupPrivilege | 2052 | run.exe
Token: SeRestorePrivilege | 2052 | run.exe
Token: SeShutdownPrivilege | 2052 | run.exe
Token: SeDebugPrivilege | 2052 | run.exe
Token: SeSystemEnvironmentPrivilege | 2052 | run.exe
Token: SeChangeNotifyPrivilege | 2052 | run.exe
Token: SeRemoteShutdownPrivilege | 2052 | run.exe
Token: SeUndockPrivilege | 2052 | run.exe
Token: SeManageVolumePrivilege | 2052 | run.exe
Token: SeImpersonatePrivilege | 2052 | run.exe
Token: SeCreateGlobalPrivilege | 2052 | run.exe
Token: 33 | 2052 | run.exe
Token: 34 | 2052 | run.exe
Token: 35 | 2052 | run.exe
Token: SeIncreaseQuotaPrivilege | 2696 | winupdate.exe
Token: SeSecurityPrivilege | 2696 | winupdate.exe
Token: SeTakeOwnershipPrivilege | 2696 | winupdate.exe
Token: SeLoadDriverPrivilege | 2696 | winupdate.exe
Token: SeSystemProfilePrivilege | 2696 | winupdate.exe
Token: SeSystemtimePrivilege | 2696 | winupdate.exe
Token: SeProfSingleProcessPrivilege | 2696 | winupdate.exe
Token: SeIncBasePriorityPrivilege | 2696 | winupdate.exe
Token: SeCreatePagefilePrivilege | 2696 | winupdate.exe
Token: SeBackupPrivilege | 2696 | winupdate.exe
Token: SeRestorePrivilege | 2696 | winupdate.exe
Token: SeShutdownPrivilege | 2696 | winupdate.exe
Token: SeDebugPrivilege | 2696 | winupdate.exe
Token: SeSystemEnvironmentPrivilege | 2696 | winupdate.exe
Token: SeChangeNotifyPrivilege | 2696 | winupdate.exe
Token: SeRemoteShutdownPrivilege | 2696 | winupdate.exe
Token: SeUndockPrivilege | 2696 | winupdate.exe
Token: SeManageVolumePrivilege | 2696 | winupdate.exe
Token: SeImpersonatePrivilege | 2696 | winupdate.exe
Token: SeCreateGlobalPrivilege | 2696 | winupdate.exe
Token: 33 | 2696 | winupdate.exe
Token: 34 | 2696 | winupdate.exe
Token: 35 | 2696 | winupdate.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe, run.exe
description | pid | process | target process
PID 1708 wrote to memory of 2052 | 1708 | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe | run.exe
PID 1708 wrote to memory of 2052 | 1708 | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe | run.exe
PID 1708 wrote to memory of 2052 | 1708 | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe | run.exe
PID 1708 wrote to memory of 2052 | 1708 | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe | run.exe
PID 2052 wrote to memory of 2696 | 2052 | run.exe | winupdate.exe
PID 2052 wrote to memory of 2696 | 2052 | run.exe | winupdate.exe
PID 2052 wrote to memory of 2696 | 2052 | run.exe | winupdate.exe
PID 2052 wrote to memory of 2696 | 2052 | run.exe | winupdate.exe
PID 2052 wrote to memory of 2696 | 2052 | run.exe | winupdate.exe
PID 2052 wrote to memory of 2696 | 2052 | run.exe | winupdate.exe
PID 2052 wrote to memory of 2696 | 2052 | run.exe | winupdate.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe"
   PID: 1708
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\run.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\run.exe"
      PID: 2052
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windupdt\winupdate.exe
         Command line: "C:\Windupdt\winupdate.exe"
         PID: 2696
         - Checks BIOS information in registry
         - Executes dropped EXE
         - Loads dropped DLL
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 714KB
MD5: 1fa9af8c7e8272904027add5bc3cd908
SHA1: 56bb82a0f60168c9dac19140de5ed7e46fc7ee27
SHA256: 817f18a2364ebc92f327098a12c63a7497645e770683b0f2e3779fb5362f1b46
SHA512: c766fcbbbd5e8f432920f489a0817dbd95536c53773a83e3d0536dd54bd29697febdd6b6c9b32d14b15ad02a90f7f0b7aeb3566bb582b3d36f42e9c6f64917ab