Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 03:07
Static task: static1
Behavioral task: behavioral1 (sample 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe, resource win10v2004-20240508-en; the run shown in this report)
General
Target: 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Size: 777KB
MD5: 1473f45c4c6b87fd879f61fcec4f5b79
SHA1: 02d99ad8b9c1c43ad7c908763d4dc70bb1317f78
SHA256: e028bb6a42ed8c3d0eae78dd91b2d90c3aadc7eb4bd7a899136cd8f5618f8dea
SHA512: a337c4bcc1bc48ee418faabbb30b6396781dadda990dcb618e49c3dfce8670cd4b96acc6da63bb042e689711bafd8cf4477b8917600fb91da6525b9d27bf22d6
SSDEEP: 12288:dbI6TvLwVrZjSdlAk1++5kfkWdnA9JHjPNdCCv4C5PndYOaH2cqgw64e:lTDelSbA05kcenA9NPPCCHqD2cqin
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupate.exe"
Userinit is a comma-separated list of programs Winlogon starts at every interactive logon; the stock value is just userinit.exe followed by a trailing comma. Appending the dropped winupate.exe after it makes the payload run with each user session without touching the Run keys.

Windows security bypass (1 IoC)
Process: winupate.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
The WOW6432Node path shows the write came from a 32-bit process and was placed there by WOW64 registry redirection; when hunting for this value, query both the native and the WOW6432Node view.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate by 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate by winupate.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation by 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
PID 3704 KEYGEN.EXE
PID 2476 winupate.exe
PID 5060 winupate.exe
Windows security modification (1 IoC)
Process: winupate.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupter = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupate.exe"
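The three registry writes above (Winlogon Userinit, Run key, Security Center) are the kind of "Set value" events a registry-monitoring pipeline sees for any sample. The following is an added example, not code from the sandbox or from this report, showing how to classify such events: it splits Userinit on commas and flags any entry beyond the stock userinit.exe, flags Run-key values that point into a user-writable AppData path, and flags AntiVirusDisableNotify = 1 while noting the WOW64 redirection. The sample events are constructed from the IoCs on this page plus a benign control; the expected Userinit entry and the AppData heuristic are assumptions for a default Windows image.

```python
"""Classify the registry 'Set value' events the signatures above record.

Added example; not part of the sandbox report or its tooling. The event
tuples are constructed from the report's IoCs (process, value path, data),
with a benign default Userinit value added as a control. The expected
Userinit entry and the 'user-writable path' heuristic are assumptions that
hold for a default Windows image.
"""
from __future__ import annotations
import re

SAMPLE = "1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe"

# Default Userinit program on a stock install (assumption; check your own image).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Value paths as the sandbox prints them: key path plus value name, lower-cased.
WINLOGON_USERINIT = r"\registry\machine\software\microsoft\windows nt\currentversion\winlogon\userinit"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
SECURITY_CENTER_RE = re.compile(r"\\software\\(wow6432node\\)?microsoft\\security center\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)

SAMPLE_EVENTS = [
    (SAMPLE,
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Windupdt\winupate.exe"),
    (SAMPLE,
     r"\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupter",
     r"C:\Users\Admin\AppData\Roaming\Windupdt\winupate.exe"),
    ("winupate.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify",
     "1"),
    # constructed control: the stock Userinit value, trailing comma included
    ("control",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\Windows\system32\userinit.exe,"),
]


def split_userinit(data: str) -> list[str]:
    """Userinit is a comma-separated program list; the stock value ends in a comma."""
    return [e.strip().strip('"') for e in data.split(",") if e.strip()]


def classify(path: str, data: str) -> list[str]:
    """Findings for one Set-value event; an empty list means nothing flagged."""
    p = path.lower()
    findings: list[str] = []
    if p == WINLOGON_USERINIT:
        # anything besides the stock userinit.exe runs at every interactive logon
        extra = [e for e in split_userinit(data) if e.lower() != EXPECTED_USERINIT]
        if extra:
            findings.append("winlogon_userinit_extra_entry: " + ", ".join(extra))
    elif RUN_KEY_RE.search(p):
        # an autostart pointing into a user-writable directory is the common malware shape
        if USER_WRITABLE_RE.search(data):
            findings.append("run_key_to_user_writable_path: " + data)
    elif SECURITY_CENTER_RE.search(p):
        value_name = p.rsplit("\\", 1)[-1]
        if value_name.endswith("disablenotify") and data.strip('"') == "1":
            findings.append("security_center_notification_disabled: " + value_name)
            if "\\wow6432node\\" in p:
                # a 32-bit writer lands here through WOW64 registry redirection
                findings.append("written_via_wow64_redirection")
    return findings


def triage(events) -> list[tuple[str, str]]:
    """(process, finding) pairs for every event that produced a finding."""
    return [(proc, f) for proc, path, data in events for f in classify(path, data)]


if __name__ == "__main__":
    for proc, finding in triage(SAMPLE_EVENTS):
        print(f"{proc}: {finding}")
```

The control event (stock Userinit with its trailing comma) produces no finding, which is the check worth keeping: a naive "Userinit was modified" rule fires on installers and imaging tools that rewrite the value unchanged.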
Suspicious use of SetThreadContext (2 IoCs)
PID 3512 (1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe) set thread context of PID 904 (1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe)
PID 2476 (winupate.exe) set thread context of PID 5060 (winupate.exe)
In both cases the target is a second instance of the caller's own image, and the same parent/child pairs account for the bulk of the WriteProcessMemory events below; that combination is consistent with hollowing a freshly created child (RunPE-style self-injection), although the report does not itself make that determination.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; Key value queried ...\CentralProcessor\0\VendorIdentifier, ...\CentralProcessor\0\ProcessorNameString, ...\CentralProcessor\0\Identifier
winupate.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; Key value queried ...\CentralProcessor\0\VendorIdentifier, ...\CentralProcessor\0\ProcessorNameString, ...\CentralProcessor\0\Identifier
Enumerates system info in registry (2 TTPs, 2 IoCs)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier by 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier by winupate.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 5060 winupate.exe
Tight polling of GetForegroundWindow is typical of window-title logging and of waiting for user activity before acting; the report does not show what the process does with the result.
Suspicious use of AdjustPrivilegeToken (48 IoCs)
PID 904 (1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe) and PID 5060 (winupate.exe) each adjusted the same 24 privileges on their token:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed privilege LUIDs 33, 34, 35 and 36 (in winnt.h: SE_INC_WORKING_SET_PRIVILEGE, SE_TIME_ZONE_PRIVILEGE, SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE).
Requesting every privilege in one sweep is the usual "enable all" AdjustTokenPrivileges loop. It only enables privileges the token already holds: on the elevated sandbox token this makes SeDebugPrivilege usable for cross-process access, whereas on a standard-user token the call reports ERROR_NOT_ALL_ASSIGNED for most of the list.
Suspicious use of SetWindowsHookEx (4 IoCs)
PID 3512 1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe
PID 3704 KEYGEN.EXE
PID 2476 winupate.exe
PID 5060 winupate.exe
The hook type is not recorded here; low-level keyboard hooks are the keylogger case, but GUI frameworks install message hooks routinely, so this signature alone is weak evidence.
Suspicious use of WriteProcessMemory (34 IoCs)
PID 3512 (1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe) wrote to memory of PID 904 (1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe): 14 writes
PID 904 (1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe) wrote to memory of PID 3704 (KEYGEN.EXE): 3 writes
PID 904 (1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe) wrote to memory of PID 2476 (winupate.exe): 3 writes
PID 2476 (winupate.exe) wrote to memory of PID 5060 (winupate.exe): 14 writes
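The SetThreadContext and WriteProcessMemory tables above only become meaningful when correlated per parent/child pair. The following is an added example, not code from the sandbox or this report, that folds the 34 write rows and 2 context-change rows into one verdict per pair: many writes into a same-image child plus a context change is scored as a hollowing candidate, a handful of writes with no context change as ordinary process creation. The event tuples are constructed from the report's rows; the verdict rule and the write-count threshold are heuristics of this example, not the sandbox's logic.

```python
"""Correlate WriteProcessMemory and SetThreadContext events into an injection
chain. Added example; it is not part of the sandbox report or its tooling.
The event lists are constructed from the report's two signature tables
(34 memory writes, 2 thread-context changes). The verdict rule is a heuristic:
  - writes into a child plus SetThreadContext, same image on both sides
      -> hollowing / RunPE-style self-injection candidate
  - writes plus SetThreadContext, different image
      -> remote-injection candidate
  - a handful of writes and no context change
      -> consistent with ordinary process creation
"""
from __future__ import annotations
from collections import Counter

SAMPLE = "1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe"
DROPPED = "winupate.exe"

# (source_pid, source_image, target_pid, target_image), one tuple per IoC row
WRITE_EVENTS = (
    [(3512, SAMPLE, 904, SAMPLE)] * 14
    + [(904, SAMPLE, 3704, "KEYGEN.EXE")] * 3
    + [(904, SAMPLE, 2476, DROPPED)] * 3
    + [(2476, DROPPED, 5060, DROPPED)] * 14
)
CONTEXT_EVENTS = [(3512, SAMPLE, 904, SAMPLE), (2476, DROPPED, 5060, DROPPED)]

# At or below this many writes with no context change we treat the pair as plain
# process creation. The threshold is an assumption; baseline it on your own data.
CREATION_WRITE_MAX = 4


def injection_candidates(writes, contexts) -> list[dict]:
    """One verdict per (source, target) pair, ordered by source pid then target pid."""
    ctx_pairs = {(s, t) for s, _, t, _ in contexts}
    per_pair = Counter((s, si, t, ti) for s, si, t, ti in writes)
    verdicts = []
    for (s, si, t, ti), n in sorted(per_pair.items()):
        if (s, t) in ctx_pairs:
            verdict = "hollowing_candidate" if si.lower() == ti.lower() else "remote_injection_candidate"
        elif n <= CREATION_WRITE_MAX:
            verdict = "process_creation_only"
        else:
            verdict = "bulk_write_no_context_change"
        verdicts.append({
            "source": s, "target": t,
            "source_image": si, "target_image": ti,
            "writes": n, "verdict": verdict,
        })
    return verdicts


def chain(writes) -> dict[int, list[int]]:
    """Parent -> children map recovered from the write events; for this report
    it reproduces the process tree: 3512 -> 904 -> {3704, 2476}, 2476 -> 5060."""
    tree: dict[int, list[int]] = {}
    for s, _, t, _ in writes:
        kids = tree.setdefault(s, [])
        if t not in kids:
            kids.append(t)
    return tree


if __name__ == "__main__":
    for v in injection_candidates(WRITE_EVENTS, CONTEXT_EVENTS):
        print(f"{v['source']} -> {v['target']} ({v['target_image']}): "
              f"{v['writes']} writes, {v['verdict']}")
    print(chain(WRITE_EVENTS))
```

Two pairs come out as hollowing candidates (3512 into 904, 2476 into 5060) and the two spawns of KEYGEN.EXE and winupate.exe as creation-only, which matches the split between "Suspicious use of SetThreadContext" and the remaining WriteProcessMemory rows on this page.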
Processes
1. C:\Users\Admin\AppData\Local\Temp\1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe (PID 3512)
   command line: "C:\Users\Admin\AppData\Local\Temp\1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe (PID 904, second instance of the same image, spawned by PID 3512)
      command line: "C:\Users\Admin\AppData\Local\Temp\1473f45c4c6b87fd879f61fcec4f5b79_JaffaCakes118.exe"
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Checks computer location settings
      - Adds Run key to start application
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE (PID 3704)
         command line: "C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE"
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
      3. C:\Users\Admin\AppData\Roaming\Windupdt\winupate.exe (PID 2476)
         command line: "C:\Users\Admin\AppData\Roaming\Windupdt\winupate.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Windupdt\winupate.exe (PID 5060, second instance of the dropped binary, spawned by PID 2476)
            command line: "C:\Users\Admin\AppData\Roaming\Windupdt\winupate.exe"
            - Windows security bypass
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Windows security modification
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3592; separate top-level process, not a child of the sample)
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3852,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: f96da3c9807cac2aab5447f4fdc352c4
SHA1: 4b11af9324aaaf3e0dbb7ba7619dcabf3d8ffe55
SHA256: 27f6a85fbfa1622c93b099a3a86091a240ca31180636211dfa59013fef1abd27
SHA512: 1695e098ff5c407e74fcd6283ec9f716c95d485dfbc5fefcd29de2abe1c3d966ee5bdfd700ab2d71d67bf42c623998123582f84d10184dce3d950f6f9094577f

Filesize: 777KB (the submitted sample)
MD5: 1473f45c4c6b87fd879f61fcec4f5b79
SHA1: 02d99ad8b9c1c43ad7c908763d4dc70bb1317f78
SHA256: e028bb6a42ed8c3d0eae78dd91b2d90c3aadc7eb4bd7a899136cd8f5618f8dea
SHA512: a337c4bcc1bc48ee418faabbb30b6396781dadda990dcb618e49c3dfce8670cd4b96acc6da63bb042e689711bafd8cf4477b8917600fb91da6525b9d27bf22d6