Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 03:07
Static task: static1
Behavioral task: behavioral1
  Sample: 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
- Size: 777KB
- MD5: 1473f45c4c6b87fd879f61fcec4f5b79
- SHA1: 02d99ad8b9c1c43ad7c908763d4dc70bb1317f78
- SHA256: e028bb6a42ed8c3d0eae78dd91b2d90c3aadc7eb4bd7a899136cd8f5618f8dea
- SHA512: a337c4bcc1bc48ee418faabbb30b6396781dadda990dcb618e49c3dfce8670cd4b96acc6da63bb042e689711bafd8cf4477b8917600fb91da6525b9d27bf22d6
- SSDEEP: 12288:dbI6TvLwVrZjSdlAk1++5kfkWdnA9JHjPNdCCv4C5PndYOaH2cqgw64e:lTDelSbA05kcenA9NPPCCHqD2cqin
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupate.exe" | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Windows security bypass
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupate.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupate.exe
Executes dropped EXE 3 IoCs
Processes:
pid | process
2976 | KEYGEN.EXE
2660 | winupate.exe
2712 | winupate.exe
Loads dropped DLL 4 IoCs
Processes:
pid | process
1812 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
1812 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
1812 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
1812 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Windows security modification
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupate.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupter = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupate.exe" | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 2932 set thread context of 1812 | 2932 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
PID 2660 set thread context of 2712 | 2660 | winupate.exe | winupate.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupate.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2712 | winupate.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
PID 1812 (1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe), 23 token adjustments:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
PID 2712 (winupate.exe), 23 token adjustments:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
2932 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
2976 | KEYGEN.EXE
2660 | winupate.exe
2712 | winupate.exe
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
source pid | source process | target pid | target process | count
2932 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe | 1812 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe | 15
1812 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe | 2976 | KEYGEN.EXE | 4
1812 | 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe | 2660 | winupate.exe | 4
2660 | winupate.exe | 2712 | winupate.exe | 15
Processes
C:\Users\Admin\AppData\Local\Temp\1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe (PID 2932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe (PID 1812)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe"
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE (PID 2976)
      Command line: "C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Roaming\Windupdt\winupate.exe (PID 2660)
      Command line: "C:\Users\Admin\AppData\Roaming\Windupdt\winupate.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Windupdt\winupate.exe (PID 2712)
        Command line: "C:\Users\Admin\AppData\Roaming\Windupdt\winupate.exe"
        - Windows security bypass
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Windows security modification
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: f96da3c9807cac2aab5447f4fdc352c4
  SHA1: 4b11af9324aaaf3e0dbb7ba7619dcabf3d8ffe55
  SHA256: 27f6a85fbfa1622c93b099a3a86091a240ca31180636211dfa59013fef1abd27
  SHA512: 1695e098ff5c407e74fcd6283ec9f716c95d485dfbc5fefcd29de2abe1c3d966ee5bdfd700ab2d71d67bf42c623998123582f84d10184dce3d950f6f9094577f
- Filesize: 777KB
  MD5: 1473f45c4c6b87fd879f61fcec4f5b79
  SHA1: 02d99ad8b9c1c43ad7c908763d4dc70bb1317f78
  SHA256: e028bb6a42ed8c3d0eae78dd91b2d90c3aadc7eb4bd7a899136cd8f5618f8dea
  SHA512: a337c4bcc1bc48ee418faabbb30b6396781dadda990dcb618e49c3dfce8670cd4b96acc6da63bb042e689711bafd8cf4477b8917600fb91da6525b9d27bf22d6