Analysis
max time kernel: 153s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 01:58
Static task: static1
Behavioral task: behavioral1
  Sample: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
Size: 732KB
MD5: 1446d50ecf1384818a85d24238464f1d
SHA1: d4dcd8a9b0b87e8593db081f2656c0a4daf9eab9
SHA256: c506bdc545ffd804df9b91ce4d1320945c07d3b13e5a8c45abe7aee9b06d0428
SHA512: 243a59db8eec7bfa0628e40bf3912f1a5fe99e928dcb74f9df3b02727237d8e9f1fd43f1e97c41d295adb4668900c868e294d279d92ad2bb9725df5044323be0
SSDEEP: 12288:7FwXAw6/n1ouMfjNgoqrYYcSSG9oPTMGX+AIsLtQiinxbt2rg5xkaPRHw/okTcZh:7ia/n1ou+jGv0YcSSG9oP4GX+AIsLtQh
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: run.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | run.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: run.exe, winupdate.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | run.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe, run.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | run.exe
Executes dropped EXE (2 IoCs)
Processes: run.exe, winupdate.exe
pid | process
1164 | run.exe
4048 | winupdate.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: run.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | run.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: winupdate.exe, run.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | run.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | run.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | run.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | run.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: run.exe, winupdate.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | run.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Modifies registry class (1 IoC)
Processes: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: run.exe, winupdate.exe
Each token adjustment below is one IoC (24 per process).
run.exe (PID 1164) adjusted token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
winupdate.exe (PID 4048) adjusted token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe, run.exe
description | pid | process | target process
PID 1884 wrote to memory of 1164 | 1884 | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe | run.exe
PID 1884 wrote to memory of 1164 | 1884 | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe | run.exe
PID 1884 wrote to memory of 1164 | 1884 | 1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe | run.exe
PID 1164 wrote to memory of 4048 | 1164 | run.exe | winupdate.exe
PID 1164 wrote to memory of 4048 | 1164 | run.exe | winupdate.exe
PID 1164 wrote to memory of 4048 | 1164 | run.exe | winupdate.exe
Processes
1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe (PID 1884)
  Path: C:\Users\Admin\AppData\Local\Temp\1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1446d50ecf1384818a85d24238464f1d_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  run.exe (PID 1164)
    Path: C:\Users\Admin\AppData\Local\Temp\run.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\run.exe"
    Signatures:
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    winupdate.exe (PID 4048)
      Path: C:\Windupdt\winupdate.exe
      Command line: "C:\Windupdt\winupdate.exe"
      Signatures:
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
msedge.exe (PID 452)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3660 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 714KB
MD5: 1fa9af8c7e8272904027add5bc3cd908
SHA1: 56bb82a0f60168c9dac19140de5ed7e46fc7ee27
SHA256: 817f18a2364ebc92f327098a12c63a7497645e770683b0f2e3779fb5362f1b46
SHA512: c766fcbbbd5e8f432920f489a0817dbd95536c53773a83e3d0536dd54bd29697febdd6b6c9b32d14b15ad02a90f7f0b7aeb3566bb582b3d36f42e9c6f64917ab